← Karro

Privacy Policy

Version 1.6, effective date: 5 July 2026

Karro Intelligence Ltd ("Karro", "we", "us") is committed to protecting your personal data. This policy explains what we collect, why we collect it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Karro Intelligence Ltd is the data controller for personal data processed through the Karro platform. Contact: hello@karro.io.

2. What Data We Collect

We collect the following categories of personal data: • Account data: your name, email address, and password (stored as a hash). • CV data: the text content of CVs you upload after creating an account, used solely to generate career analysis. (See Section 3 for CVs uploaded via the free anonymous scan, which are handled differently and are not stored.) • Usage data: how you interact with the platform, for product improvement purposes. • Payment data: billing details processed by Stripe; we do not store your card details directly. • Consent records: a timestamped log of the preferences you have agreed to.

3. Anonymous CV Scan (Before You Create an Account)

Karro offers a free, instant CV scan on certain marketing pages that does not require you to create an account first. If you use this feature: • The CV file or text you upload is sent to our AI provider (Anthropic) solely to generate the on-screen result: an ATS compatibility score and platform-by-platform feedback. • Your CV, the text extracted from it, and the analysis result exist only in memory for the duration of that single request. None of it is written to our database or any other store, and none of it is retained after your result is shown to you. • We do not require your name or email address to use this feature. • A separate, minimal record — your IP address and a timestamp only, never linked to any CV content — is kept only for as long as necessary to prevent abuse of this free feature. • If you later create an account, you will be asked to upload your CV again. Nothing from the anonymous scan is carried over or linked to your new account. We rely on legitimate interests as the legal basis for this processing (see Section 4): it is limited to exactly the service you are actively requesting, is minimal and transient, and is disclosed to you before you upload.

4. Legal Basis for Processing

We process your data under the following legal bases: • Contract: to deliver the service you signed up for. • Consent: for optional purposes such as marketing emails, recruiter visibility, and AI training data, each recorded separately with a timestamp. You may withdraw consent at any time. • Legitimate interests: for platform security, fraud prevention, service improvement, and to provide the free anonymous CV scan described in Section 3, where this does not override your rights.

5. How We Use Your Data

• To analyse your CV and produce career intelligence reports. • To generate an instant, free ATS compatibility scan when you upload a CV before creating an account (see Section 3). • To match you with relevant job opportunities via our partner job boards. • To make your anonymised profile discoverable by recruiters (only if you opt in). • To send you service-related emails (e.g. email confirmation, password reset). • To send you marketing communications (only if you opt in, and you can unsubscribe at any time). • To improve our AI models using anonymised data (only if you opt in).

6. Automated Decision-Making and Profiling

Karro uses automated algorithms to analyse your CV and produce a career archetype, scores (depth, breadth, reach), and role recommendations, whether or not you have created an account. This constitutes automated processing, including profiling, under UK GDPR Article 22. These outputs are informational only. They do not produce legal effects or similarly significant decisions about you; no employer is directed to hire or reject you based on them, and you are not bound by any output Karro produces. You have the right to request human review of any output you disagree with, to express your point of view, and to contest a result. To do so, contact us at hello@karro.io. You can also re-upload an updated CV or adjust your preferences in Settings at any time. We do not use solely automated processing to make any decision that produces a legal or similarly significant effect on you.

7. Recruiter Visibility

Karro offers two separate, opt-in visibility tiers. Both are off by default and can be withdrawn at any time from your CV Visibility settings. Tier 1 (Anonymous profile): If you opt in, an anonymised snapshot of your profile, including your Karro scores, career archetype, sector, skills, and approximate location, is made searchable to subscribed partner recruitment agencies. Your name, email address, and full CV text are not shared under this tier. Tier 2 (Full contact visibility): If you choose to also enable full contact visibility for a specific CV, your name, email address, and the full text of that CV will additionally be visible to subscribed recruiters. This is a separate, explicit consent step. Enabling Tier 1 does not automatically enable Tier 2. When either tier is active, recruiter agencies who view your profile are logged with a timestamp. You can see the number of recruiter views for each CV in your settings. Recruiters must accept our Recruiter Terms of Use before accessing the platform; these terms prohibit contacting candidates for purposes other than genuine recruitment, sharing candidate data with third parties, or retaining data after a candidate withdraws consent. Once a recruiter has viewed your contact details outside the platform, we cannot compel deletion of any notes they may have taken; we recommend withdrawing visibility if you no longer wish to be discoverable.

8. Third-Party Sharing

We share data with the following categories of third parties only as necessary to operate the service: • Supabase (database and authentication infrastructure), hosted in the EU. • Stripe (payment processing): Stripe is the system of record for payment transactions (see section 9). See stripe.com/privacy. • Anthropic (AI analysis): CV text is sent to their API, including for the anonymous CV scan described in Section 3; under Anthropic's commercial API terms, our data is not used to train their models. • Adzuna (job matching): anonymised search queries only. • Reed.co.uk (job matching, UK fallback): anonymised search queries only. • Vercel (hosting): EU region. • Cloudflare (network security and content delivery): traffic to karro.io passes through Cloudflare's network for security and performance. • PostHog (analytics): anonymised usage events (pages visited, features used) are sent to PostHog only if you accept analytics cookies. PostHog is hosted in the EU. See posthog.com/privacy. • Loops (email delivery): your email address, account identifier, subscription status, and sign-in activity are processed by Loops to send service emails such as confirmations and account updates. Loops is based in the United States (see section 12). We do not sell personal data to any third party.

9. Data Retention

We retain data only for as long as necessary for the purpose it was collected. Our retention periods by category are: • CV text and analysis results (account holders): retained while your account is active; deleted within 30 days of account deletion. • Anonymous CV scan (no account, see Section 3): CV text and analysis results are never stored — processed in memory for the duration of the request only. A minimal IP address and timestamp record is kept only as long as necessary to prevent abuse of this feature. • Account profile and preferences: retained while active; deleted within 30 days of account deletion. • Consent records: retained for 6 years from the date consent was given or withdrawn, to demonstrate compliance. • Payment records: Stripe, our payment processor, is the system of record for payment transactions and retains transaction records as required by financial regulations (around 6 years under UK law). Payment records held in Karro's own database are deleted when your account is deleted. • Anonymised, aggregated analytics (no personal data): retained indefinitely. If you delete your account, your personal data will be purged within 30 days. You can request early deletion at any time by contacting hello@karro.io.

10. Your Rights

Under UK GDPR you have the right to: • Access the personal data we hold about you. • Correct inaccurate data. • Erasure ("right to be forgotten"): contact hello@karro.io to request deletion. • Restrict or object to processing. • Data portability: receive your data in a machine-readable format. • Withdraw consent at any time without affecting prior processing. To exercise any of these rights, contact hello@karro.io. You also have the right to lodge a complaint with the ICO (ico.org.uk).

11. Cookies

Karro uses cookies in accordance with the Privacy and Electronic Communications Regulations (PECR) and UK GDPR. A cookie is a small file stored on your device that helps us operate the platform and, with your consent, understand how it is used.

Essential cookies

Necessary for the platform to function. No consent is required for these:

PurposeProviderDuration
Keeps you logged in during your sessionSupabaseSession
Remembers your cookie consent preferenceKarro12 months

Analytics cookies

Only set if you click "Accept cookies" on the banner. If you decline, no analytics cookies are written and no data is retained between sessions:

PurposeProviderDuration
Records page views and feature interactions to help us improve the productPostHog (EU)12 months

When you are logged in, analytics events are linked to your Karro account. When you are not logged in, events are linked to an anonymous device identifier only. No data collected via analytics cookies is used for advertising or retargeting.

You can withdraw consent at any time by clearing your browser cookies. The consent banner will reappear on your next visit. You can also block or delete cookies via your browser settings, though this may affect how the platform works. PostHog's privacy policy is available at posthog.com/privacy.

12. International Transfers

Some of our service providers (including Anthropic and Loops) are based in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement or Standard Contractual Clauses with the UK Addendum where required.

13. Children

Karro is not directed at children under 18. We do not knowingly collect data from anyone under 18. If you believe we have done so in error, contact us immediately.

14. Changes to This Policy

We will notify you by email and in-app notice before making material changes to this policy. The effective date at the top of this page reflects the current version.

15. Contact

Data protection queries: hello@karro.io. We aim to respond within 30 days.

Karro Intelligence Ltd · Registered in England and Wales · hello@karro.io