Privacy Policy
Legal Ownership and Compliance Statement:
This product is owned and operated by KARSAAZ EBS LTD (UK), Company No. 15735349, registered at 85 Great Portland Street, First Floor, London W1W 7LT, United Kingdom. KARSAAZ EBS LTD (UK) is the Data Controller and is registered with the UK Information Commissioner’s Office (ICO ZB891350). Processing is conducted under the Karsaaz Group’s ISO/IEC 27001 (Information Security), ISO 9001 (Quality), and ISO 20000-1 (IT Service Management) frameworks, in compliance with GDPR and the UK Data Protection Act 2018. Contact: [email protected]
Effective Date: 1 May 2025 | Last Updated: 1 May 2025 (Version 1.0)
1 · Overview
Karsaaz AI (owned by Karsaaz EBS Ltd, UK) provides multilingual AI assistance across health, legal, trade, education, security, and productivity domains. This Privacy Policy explains how we collect, use, protect, and share your information. By accessing or using Karsaaz AI (the “Services”), you consent to the practices described here.
2 · App Permissions Disclosure
To deliver core functionality, Karsaaz AI may request:
- Camera – For OCR scans, document ID verification, and QR code scanning.
- Microphone – Activated only when you tap “Voice Input.” Audio is converted to text and deleted immediately after transcription (≤ 60 seconds).
- Photos / Media (Gallery) – Limited system photo-picker access to selected files only.
- Storage – Upload/download of documents, images, and AI outputs.
We do not request Location, Contacts, or device identifiers (IMEI/Advertising ID). All permissions are requested contextually and governed by PECA 2025 and GDPR.
3 · How We Use Your Data
We process data to:
- Operate and improve the Services. This includes data processed during automatic Free Trial activation at the time of account creation. No billing information is collected or stored until the user upgrades to a paid plan.
- Personalize your experience.
- Provide customer support and communications.
- Process subscriptions, payments, and billing.
- Comply with legal obligations and defend legitimate interests.
This includes data collected during in-app account creation, which mirrors the web registration process and uses secure authentication (Google OAuth 2.0 or email/password).
4 · Third-Party APIs & Disclaimers
We integrate with trusted third-party APIs. While we do not guarantee the completeness of external sources, all disclaimers are now actively displayed inside the app at the point of use.
Examples:
- Health AI: Not a substitute for medical advice.
- Legal AI: Not legal counsel.
- Scam Protection: Informational only.
These disclaimers are part of our GDPR transparency obligation (Recital 39) and PECA 2025 compliance for user awareness.
5 · Data Protection & Security Measures
- ISO/IEC 27001:2022 certified information-security controls.
- ISO 9001:2015 certified quality-management system (Karsaaz EBS).
- ISO 20000-1 (IT Service Management) frameworks.
- AES-256 encryption in transit and at rest.
- Role-based access control (RBAC).
- Quarterly penetration testing.
- Annual audits under GDPR, UK-DPA 2018, PECA 2025, and PDPL (KSA).
6 · Data Breach Notification (72-Hour Rule)
If we become aware of a breach, we will:
- Notify relevant authorities within 72 hours.
- Inform affected users without undue delay via email and in-app notice.
- Provide a dedicated DPO contact.
7 · International Data Transfers
- Primary hosting in the EEA.
- Cross-border transfers rely on:
  - Standard Contractual Clauses (SCCs).
  - UK International Data Transfer Addendum (IDTA).
  - Saudi PDPL adequacy/authorization for KSA users.
  - Supplementary encryption and access controls.
8 · Data Retention
| Data Type | Purpose | Retention Period |
|---|---|---|
| OCR images | Text extraction | Deleted ≤ 24h (30d encrypted backup if needed) |
| Audio | Speech-to-text | Deleted after transcript / ≤ 30d |
| Prompt/response logs | Diagnostics & abuse prevention | 12 months |
| Billing/tax records | Legal compliance | 7 years |
| Support tickets | Customer support | 24 months |
| OAuth tokens | Bootstrap login only | Deleted immediately after verification |
| Affiliate payout & tax records | Commission/tax compliance | 7 years |
| Referral logs | Attribution & fraud prevention | 12–24 months |
9 · Referral & Affiliate Data (New)
When you participate in our Affiliate Program:
- Data Collected: referral code, inviter ID/email (hashed for display), attribution timestamp, conversion events, payout ledger.
- Purpose & Legal Basis:
  - Contract performance (apply discounts, attribute rewards).
  - Legitimate interests (fraud prevention, program operation).
  - Consent (for invite-based marketing).
- Sharing: limited to payout processors (Stripe/PayPal), fraud-prevention partners, and internal audit teams.
- Retention: payout/tax records = 7 years; attribution logs = 12–24 months; promotional credits = until program audit closure.
- User Rights: affiliates and referees may request erasure of referral linkage after cooling-off, except where records must be retained for tax/legal compliance.
10 · Your Legal Rights
You may:
- Access, correct, or delete your data.
- Object to processing or request restriction.
- Withdraw consent anytime.
- Receive an export of your data (portability).
- Opt out of referral tracking cookies via Cookie Settings.
We respond to all valid requests within 30 days.
11 · Tracking Technologies & Cookies
- We use Essential, Analytics, and Marketing cookies (see Cookie Policy).
- Affiliate tracking uses first-party identifiers (e.g., affiliate_id, ref_code, utm_*).
- Typical retention = 30–90 days.
You can withdraw consent in Cookie Settings or disable tracking in your browser.
12 · Privacy of Children
The Services are not intended for individuals under 18. We do not knowingly collect data from children.
13 · Updates to This Policy
Material changes will be announced via email or in-app notice at least 7 days in advance. Previous versions remain archived for audit.
14 · Governing Law & Jurisdiction
- Business users: ICC Arbitration, seat London (save for mandatory consumer rights).
- Consumers: may litigate in the courts of their habitual residence.
- US users: waive class or representative actions.
15 · Contact & Data Protection Officer
- DPO: [email protected]
- Support: [email protected]
- Legal: [email protected]
- Postal: Karsaaz EBS Ltd, 85 Great Portland Street, First Floor, London, W1W 7LT, UK
Karsaaz AI® is a registered trademark of Karsaaz EBS LTD, United Kingdom Intellectual Property Office (Trademark No. UK00004198402).
Regional operations in the UAE (IFZA-licensed) and ISO-certified R&D support the global service; neither regional entity acts as a data controller for this product.