Privacy Policy

Version 1.3 — Effective date: 9 April 2026

Karro Intelligence Ltd ("Karro", "we", "us") is committed to protecting your personal data. This policy explains what we collect, why we collect it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Karro Intelligence Ltd is the data controller for personal data processed through the Karro platform. Contact: hello@karro.io.

2. What Data We Collect

We collect the following categories of personal data:

• Account data: your name, email address, and password (stored as a hash).
• CV data: the text content of CVs you upload, used solely to generate career analysis.
• Usage data: how you interact with the platform, for product improvement purposes.
• Payment data: billing details processed by Stripe — we do not store your card details directly.
• Consent records: a timestamped log of the preferences you have agreed to.

3. Legal Basis for Processing

We process your data under the following legal bases:

• Contract: to deliver the service you signed up for.
• Consent: for optional purposes such as marketing emails, recruiter visibility, and AI training data — each recorded separately with a timestamp. You may withdraw consent at any time.
• Legitimate interests: for platform security, fraud prevention, and service improvement where this does not override your rights.

4. How We Use Your Data

• To analyse your CV and produce career intelligence reports.
• To match you with relevant job opportunities via our partner job boards.
• To make your anonymised profile discoverable by recruiters (only if you opt in).
• To send you service-related emails (e.g. email confirmation, password reset).
• To send you marketing communications (only if you opt in, and you can unsubscribe at any time).
• To improve our AI models using anonymised data (only if you opt in).

5. Automated Decision-Making and Profiling

Karro uses automated algorithms to analyse your CV and produce a career archetype, scores (depth, breadth, reach), and role recommendations. This constitutes automated processing, including profiling, under UK GDPR Article 22.

These outputs are informational only. They do not produce legal effects or similarly significant decisions about you — no employer is directed to hire or reject you based on them, and you are not bound by any output Karro produces.

You have the right to request human review of any output you disagree with, to express your point of view, and to contest a result. To do so, contact us at hello@karro.io. You can also re-upload an updated CV or adjust your preferences in Settings at any time.

We do not use solely automated processing to make any decision that produces a legal or similarly significant effect on you.

6. Recruiter Visibility

Karro offers two separate, opt-in visibility tiers. Both are off by default and can be withdrawn at any time from your CV Visibility settings.

Tier 1 — Anonymous profile: If you opt in, an anonymised snapshot of your profile — including your Karro scores, career archetype, sector, skills, and approximate location — is made searchable to subscribed partner recruitment agencies. Your name, email address, and full CV text are not shared under this tier.

Tier 2 — Full contact visibility: If you choose to also enable full contact visibility for a specific CV, your name, email address, and the full text of that CV will additionally be visible to subscribed recruiters. This is a separate, explicit consent step. Enabling Tier 1 does not automatically enable Tier 2.

When either tier is active, recruiter agencies who view your profile are logged with a timestamp. You can see the number of recruiter views for each CV in your settings.

Recruiters must accept our Recruiter Terms of Use before accessing the platform; these terms prohibit contacting candidates for purposes other than genuine recruitment, sharing candidate data with third parties, or retaining data after a candidate withdraws consent. Once a recruiter has viewed your contact details outside the platform, we cannot compel deletion of any notes they may have taken — we recommend withdrawing visibility if you no longer wish to be discoverable.

7. Third-Party Sharing

We share data with the following categories of third parties only as necessary to operate the service:

• Supabase (database and authentication infrastructure) — hosted in the EU.
• Stripe (payment processing).
• Anthropic (AI analysis) — CV text is sent to their API; it is not used to train their models under our enterprise agreement.
• Adzuna (job matching) — anonymised search queries only.
• Vercel (hosting) — EU region.

We do not sell personal data to any third party.

8. Data Retention

We retain data only for as long as necessary for the purpose it was collected. Our retention periods by category are:

• CV text and analysis results: retained while your account is active; deleted within 30 days of account deletion.
• Account profile and preferences: retained while active; deleted within 30 days of account deletion.
• Consent records: retained for 6 years from the date consent was given or withdrawn, to demonstrate compliance.
• Payment records: retained for 7 years as required by financial regulations.
• Anonymised, aggregated analytics (no personal data): retained indefinitely.

If you delete your account, your personal data will be purged within 30 days. You can request early deletion at any time by contacting hello@karro.io.

9. Your Rights

Under UK GDPR you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Erasure ("right to be forgotten") — contact hello@karro.io to request deletion.
• Restrict or object to processing.
• Data portability — receive your data in a machine-readable format.
• Withdraw consent at any time without affecting prior processing.

To exercise any of these rights, contact hello@karro.io. You also have the right to lodge a complaint with the ICO (ico.org.uk).

10. Cookies

Karro uses only essential cookies required for authentication and session management. We do not use tracking or advertising cookies.

11. International Transfers

Some of our service providers (including Anthropic) are based in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required.

12. Children

Karro is not directed at children under 18. We do not knowingly collect data from anyone under 18. If you believe we have done so in error, contact us immediately.

13. Changes to This Policy

We will notify you by email and in-app notice before making material changes to this policy. The effective date at the top of this page reflects the current version.

14. Contact

Data protection queries: hello@karro.io. We aim to respond within 30 days.

Karro Intelligence Ltd · Registered in England and Wales · hello@karro.io