Privacy Policy
Operator: LifeSage LLC, a Washington limited liability company, operating the Karta service under the Karta brand.
Last updated: 2026-06-25
This Privacy Policy explains how Karta collects, uses, discloses, and protects personal information when Karta acts as a controller. It covers Karta account holders, organization members, website visitors, billing contacts, support contacts, security/abuse reporters, and other people who interact directly with Karta.
1. Scope
Karta is a business-to-business-to-consumer platform. We host AI agent applications that our customers build and operate for their own end users.
This Policy applies to personal information Karta controls, such as account, billing, website, support, marketing, and platform-administration data.
This Policy does not govern End-User Data that Karta processes on behalf of a customer through that customer's Agent. For that data, the customer is the controller and Karta is the processor/service provider under the Data Processing Addendum (the "DPA"). If you are an end user of an agent built on Karta, contact the business that operates that agent to exercise privacy rights; Karta is not a party to the relationship between a customer and its end users and is not responsible for the privacy practices of customers or their Agents.
The Services are offered for business and developer use only. They are not directed to consumers acting in a personal, family, or household capacity, and they are not intended for or directed to children. We treat the personal information covered by this Policy as relating to individuals acting in a business or professional capacity.
2. Personal Information We Collect
We collect the following categories:
- Identity and account data: name, email, organization, role, OAuth identifiers, account settings, team membership, and authentication information.
- Security credentials and metadata: API key prefixes/digests, encrypted BYOK key material, MFA/passkey enrollment metadata, login events, IP address, user agent, and audit logs.
- Billing data: billing email, Stripe customer and payment identifiers, last four card digits, plan, invoices/receipts, subscription status, credit purchases, credit grants, drawdowns, expiries, refunds, chargebacks, and tax records.
- Usage and operational data: deployment events, session metadata, token usage, rate limits, errors, performance data, logs, and product telemetry needed to operate, secure, debug, meter, and improve the Services.
- Support, legal, security, and abuse communications: messages, attachments, report metadata, investigation notes, and related correspondence.
- Website data: pages visited, referral information, browser/device data, and strictly necessary cookie/session information.
- Third-party source data: limited information from OAuth providers, Stripe, security vendors, and other services you choose to connect.
End-user prompts, responses, files, transcripts, tool calls, and durable workspace content are Customer-controlled processor data and are governed by the DPA, not this controller notice, except where Karta must process them for security, abuse, support, legal, or platform operations under the customer agreement.
Sources. We collect the information above (a) directly from you when you create an account, configure or operate an agent, contact us, or make a purchase; (b) automatically from your devices and your use of the Services, including logs, telemetry, and cookies; and (c) from third parties you choose to connect or that help us operate, including OAuth providers, Stripe, and security/abuse-prevention vendors.
We do not knowingly collect or process "sensitive personal information" (as defined under the California Privacy Rights Act and similar laws) in our controller capacity, and we ask that you not submit it. Where any element of the information above is treated as sensitive personal information, we use it only for the limited, business-purpose functions described in this Policy (such as security, authentication, and fraud prevention) and not to infer characteristics about you, and we do not "sell" or "share" it.
3. How We Use Personal Information
We use personal information to:
- provide, operate, secure, and maintain the Services;
- create and administer accounts and organizations;
- authenticate users and enforce role-based access control;
- process payments, maintain the credit ledger, collect taxes, and manage billing;
- provide support and respond to security, privacy, legal, abuse, and DMCA requests;
- monitor reliability, debug errors, prevent fraud, detect abuse, and protect platform isolation;
- communicate about the Services, including transactional notices and product updates;
- comply with law, legal process, sanctions/export obligations, accounting, and tax requirements;
- enforce our agreements and policies; and
- improve Karta's platform using operational data, not by training models on Customer Content or End-User Data.
Legal bases (EEA, UK, and Switzerland). Where data protection law requires a legal basis, we rely on: performance of a contract with you or your organization, or steps taken at your request before entering into a contract (to provide, administer, and bill for the Services); our legitimate interests or those of a third party (to secure, operate, debug, meter, and improve the Services, prevent fraud and abuse, run our business, and effect corporate transactions), where not overridden by your interests or fundamental rights; compliance with a legal obligation (for tax, accounting, sanctions, and lawful-request purposes); and, where applicable, your consent, which you may withdraw at any time without affecting prior processing. Where we rely on legitimate interests, you may obtain further information about that balancing by contacting privacy@karta.sh. Providing certain personal information (such as identity, account, and billing data) is necessary to enter into and perform our agreement and to provide the Services; if you do not provide it, we cannot create or maintain your account or provide the Services.
Prohibited and regulated data. The Services are not designed for, and you must not submit through your account in our controller capacity, special categories of personal data, protected health information, payment card data subject to PCI DSS (beyond what Stripe processes for billing), Social Security or government-issued identifiers, financial-account data regulated under the GLBA, or other regulated data, unless Karta has expressly agreed in writing to support it. Karta does not collect or process "consumer health data" within the meaning of the Washington My Health My Data Act or similar state consumer-health-privacy laws in its controller capacity, and such data must not be submitted to Karta. You are responsible for excluding such data from information you provide to Karta as a controller.
4. AI and Model Training
Karta does not use Customer Content or End-User Data to train or fine-tune Karta or third-party models unless the customer expressly opts in.
For Karta-managed model access, prompts and responses may be sent to Karta's listed Model Provider subprocessors to perform inference. For BYOK, prompts and responses are sent to the customer's chosen Model Provider under the customer's own provider account and terms.
Operational metadata such as token counts, latency, routing, error rates, and billing events may be used to provide, secure, debug, meter, and improve the Services.
Nothing in this Section limits Karta's right to (a) create and use aggregated, de-identified, or anonymized data that does not identify and cannot reasonably be linked to any individual, customer, or end user, for any lawful business purpose including service improvement, analytics, benchmarking, and security research, provided Karta does not attempt to re-identify it; or (b) process inputs and outputs as needed to detect, prevent, and respond to fraud, abuse, security incidents, and policy or legal violations, including automated classification for those purposes. These activities are not "model training" subject to the opt-in above.
5. How We Disclose Personal Information
We disclose personal information to:
- Subprocessors and service providers that help operate Karta, each engaged under a written agreement and limited to processing for Karta's purposes. Karta's current subprocessors are: Stripe (payments and subscription billing); Anthropic (LLM inference for Karta-managed, non-BYOK requests); Hetzner Online GmbH (control-plane hosting and primary database, processing in the United States); Amazon Web Services (data-plane compute in us-east-1, including workspace/merge storage and the session/transcript database); Postmark (transactional email); and Sentry (application error monitoring and performance telemetry). The current, authoritative list (with the "as of" date for each subprocessor) is maintained in the Sub-processor List, which controls if it conflicts with the enumeration above. Advance notice of, and any right to object to, new or replacement subprocessors for processor-side End-User Data is governed by the DPA.
- Model Providers for Karta-managed inference, where needed to provide the Services. For BYOK access, prompts and responses are sent to the customer's chosen Model Provider under the customer's own provider account and terms; that Model Provider is not a Karta subprocessor, and Karta is not responsible for its processing.
- Professional advisors, such as lawyers, accountants, auditors, bankers, and insurers, under confidentiality.
- Authorities, courts, or third parties when we believe in good faith that disclosure is necessary or appropriate to comply with law, legal process, sanctions or export obligations, or to protect the safety, security, rights, or property of Karta, our customers, users, or others, or to enforce our agreements and policies.
- Successors and prospective successors, together with their advisors, in connection with a merger, financing, due diligence, acquisition, reorganization, bankruptcy, or sale of all or part of our business or assets, subject to customary confidentiality protections.
- Affiliates within Karta's corporate group, for the purposes described in this Policy and for their own internal business and administrative operations consistent with this Policy.
- Third parties you direct or authorize, including OAuth providers, integrations, and tools you choose to connect. Karta is not responsible for the practices of third parties you direct us to share information with.
We do not sell personal information, share it for cross-context behavioral advertising, or use it for targeted advertising, and we have not done so in the preceding twelve months. The categories of personal information described in Section 2 are disclosed only to the categories of recipients listed in this Section, and only for the business and operational purposes described in this Policy.
Collection-and-disclosure summary. The following table maps each category of personal information we collect to its sources, the business or commercial purposes for which we use it, the categories of recipients to which we disclose it, and the criterion we use to determine how long we keep it. We disclose each category only to the recipient categories above (subprocessors/service providers, professional advisors, authorities, successors, affiliates, and third parties you direct); we do not sell or share any category.
| Category (Section 2) | Sources | Business/commercial purpose | Disclosed to | Retention criterion |
|---|---|---|---|---|
| Identity and account data | You; OAuth providers | Account creation, authentication, access control, support, communications | Subprocessors; advisors; affiliates; third parties you direct | Life of account + period in Section 9 |
| Security credentials and metadata | You; automatic; security vendors | Authentication, security, fraud/abuse prevention, audit | Subprocessors; advisors; authorities | As needed for security/audit per Section 9 |
| Billing data | You; Stripe | Payments, credit ledger, tax, billing, dispute resolution | Stripe; advisors; authorities | Tax/accounting/audit minimums per Section 9 |
| Usage and operational data | Automatic | Operate, secure, debug, meter, and improve the Services | Subprocessors; advisors | As needed to operate/secure the Services |
| Support, legal, security, and abuse communications | You; security vendors | Support, investigations, legal/DMCA response, protecting rights | Advisors; authorities; subprocessors | As needed to resolve and protect rights |
| Website data | Automatic | Operate and secure the website; fraud prevention | Subprocessors | As needed for operation/security |
| Third-party source data | OAuth providers; Stripe; security vendors | Account linking, billing, security | Subprocessors; advisors | Per the underlying category above |
6. Cookies and Tracking
Karta uses strictly necessary cookies and similar technologies for authentication, session security, fraud prevention, and platform operation. Karta does not use advertising cookies or cross-site tracking cookies. See the Cookie & Tracking Notice for details.
Because Karta does not sell or share personal information or use it for targeted advertising, there is no related opt-out to exercise, and Karta currently does not use technologies that require an opt-out preference signal such as Global Privacy Control. If Karta later adds analytics, marketing, or other technologies requiring consent, opt-out, or recognition of an opt-out preference signal, we will update this notice and the Cookie & Tracking Notice and provide appropriate controls before enabling them.
"Do Not Track." Some browsers offer a "Do Not Track" ("DNT") setting. There is no common industry standard for how to interpret DNT signals, and Karta does not currently respond to them. Where Karta is obligated to honor a legally recognized opt-out preference signal, Karta's good-faith determination of whether a particular signal is validly formatted and legally effective is final.
7. Data Location and International Transfers
Karta currently uses a two-cloud architecture:
- Control-plane data such as account, billing, organizations, authentication, and audit logs is hosted in the United States (Hillsboro, Oregon) on Hetzner.
- Data-plane content such as agent session state, durable workspaces, and hosted-chat transcripts is hosted on AWS in us-east-1. This data-plane content is Customer-controlled processor data governed by the DPA, not controller data covered by this Policy; its location is described here for transparency only.
Operating the Services involves transferring personal information across borders, including to the United States. Where personal information of individuals in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country without an adequacy determination, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum for transfers subject to UK law, and the Standard Contractual Clauses with the adaptations required by the Swiss Federal Act on Data Protection for transfers subject to Swiss law. You may request a copy of the relevant safeguards by contacting privacy@karta.sh. Karta is not currently certified under the EU-U.S. Data Privacy Framework and does not rely on it as a transfer mechanism.
8. Security
Karta uses administrative, technical, and organizational measures designed to protect personal information, including TLS in transit; encryption at rest for designated stores together with provider-managed encryption for cloud storage; AES-256-GCM encryption for BYOK provider keys; bcrypt hashing for API keys; MFA/passkeys with step-up authentication for sensitive actions; RBAC and scoped keys; per-session isolated runtime (microVM) with tenant and workspace partitioning; audit logging for account and operator actions; vulnerability management and dependency review; and backup and recovery. These measures are designed to protect personal information but are not a guarantee.
Karta operator access is least-privilege, restricted, and logged. Karta is not currently SOC 2 certified and has not yet begun a SOC 2 examination; Karta intends to begin pursuing SOC 2 Type I in Q4 2026.
No method of transmission or storage is perfectly secure. If a security incident affecting personal information for which Karta is the controller occurs, Karta will notify affected individuals and authorities to the extent and in the manner required by applicable law.
9. Retention
We retain personal information for as long as needed for the purposes described in this Policy, including account operation, billing, tax, accounting, legal, security, fraud prevention, dispute resolution, and audit obligations.
Typical retention anchors:
- account records: for the life of the account and, after closure, generally deleted or anonymized within 24 months, except records we are required or permitted to retain for tax, accounting, legal-hold, dispute, security, or audit purposes;
- billing and credit-ledger records: as needed for tax, accounting, dispute, and audit obligations;
- audit logs: as needed for security and audit purposes, generally up to a period determined by Karta consistent with applicable law; Karta may delete them earlier;
- support/legal/security/abuse records: as needed to resolve the issue and protect rights, safety, and the Services;
- End-User Data: governed by the DPA and customer instructions.
Backups and legal holds may extend deletion timing.
10. Privacy Rights
Depending on where you live, you may have rights to access, correct, delete, port, restrict, or object to the processing of your personal information, and to appeal decisions we make about it. You may also have rights to opt out of sale, sharing, targeted advertising, or certain profiling. Karta does not sell or share personal information or use it for targeted advertising.
To exercise rights over Karta-controller data, you may submit a request by email to privacy@karta.sh or through any request form or in-product mechanism Karta makes available for this purpose. We will take reasonable steps to verify your identity (and an authorized agent's authority) before acting, and will respond within the timeframes required by applicable law. We will not discriminate against you for exercising these rights. We may decline or limit a request where an exception applies, including where we are required or permitted to retain the information. Where applicable law gives you the right to appeal a denial, you may appeal by replying to our response, and we will explain our decision as required.
United States state privacy rights. Depending on your state of residence, you may have rights to know or access the personal information we have collected, to delete it, to correct inaccuracies, to obtain a portable copy, to opt out of "sale," "sharing," or targeted advertising, and to limit the use of sensitive personal information, in each case subject to the exceptions in applicable law. Because Karta does not sell or share personal information, does not use it for targeted advertising, and does not use sensitive personal information for purposes that trigger a right to limit, there is no related opt-out or limitation to exercise. California residents: the rights to know, delete, correct, and opt out of sale/sharing, the right to limit the use of sensitive personal information, and the right to non-discrimination apply as described above; you may submit a request through the two methods identified above (email and any request form or in-product mechanism we make available), and we will respond within the time period required by the California Privacy Rights Act. You may use an authorized agent to submit a request on your behalf, subject to verification.
If you are in the EEA, the UK, or Switzerland, you also have the right to lodge a complaint with your local supervisory or data protection authority. We ask that you contact us first so we can try to resolve your concern.
Automated decision-making. Karta does not make decisions that produce legal or similarly significant effects concerning you based solely on automated processing, including profiling. Karta uses automated tools to help detect and prevent fraud, abuse, and security threats, but such tools do not, on their own, produce legal or similarly significant effects without human involvement.
Accessibility. If you need this Policy in an alternative accessible format, contact privacy@karta.sh and we will work with you to provide it.
This Section applies to personal information for which Karta is the controller. If you are an end user of a customer agent, your rights run against that customer as controller; contact the customer that operates the agent. If you send such a request to Karta and we can identify the relevant customer, we may route the request to them or direct you to them, and we will assist the customer as its processor under the DPA.
11. Children's Privacy
The Services are intended for business customers and their authorized personnel, who must be at least 18 years old, and are not directed to children. Karta does not knowingly collect personal information from anyone under 18 in its controller capacity, and will delete such information if we learn we have collected it without appropriate authorization. Customers are solely responsible for age gates, notices, consents, and children's privacy compliance for their own Agents and end users.
12. Government and Legal Requests
Karta reviews legal requests for validity and scope and discloses only what Karta reasonably determines is legally required. Where legally permitted and operationally feasible, Karta may notify the affected customer before disclosing data so the customer can seek protective relief; Karta is under no obligation to do so where notice is prohibited by law or court order. For End-User Data, Karta generally directs requesters to the customer/controller where lawful.
13. Changes
We may update this Policy from time to time. We will post the updated version with a new last-updated date. Non-material or clarifying changes take effect when posted. For material changes that affect how we use personal information we have already collected, we will provide additional notice before the change takes effect where required by law, such as by email or in-product notice, and, where the law requires a renewed legal basis or consent for the new processing, we will obtain it before applying the change to that data. This Policy is a notice describing our practices; it is not a contract, and your rights and obligations regarding the Services are governed by the applicable Terms.
14. Contact
Privacy requests: privacy@karta.sh
Legal notices: legal@karta.sh
Security: security@karta.sh
Copyright/DMCA: dmca@karta.sh
Operator and controller: LifeSage LLC, a Washington limited liability company, operating under the Karta brand, 600 1st Ave Ste 102, PMB 2132, Seattle, WA 98104, United States.