U.S. State Privacy Notice
Last updated: 2026-06-25
This Notice supplements the Karta Privacy Policy for residents of U.S. states that have enacted comprehensive consumer privacy laws, including California (CCPA/CPRA) and other states whose laws grant comparable rights. Capitalized terms used but not defined here have the meanings given in the Privacy Policy. To the extent of any conflict between this Notice and the Privacy Policy on a state-law matter, this Notice controls for residents of the applicable state.
This Notice applies only where Karta acts as a business/controller with respect to personal information, as described in the Privacy Policy. The Services are intended for business and developer use by authorized personnel 18 and older; they are not directed to consumers, households, or children. For End-User Data processed through a customer's Agent, the customer is the business/controller and Karta is the service provider/processor; that data is governed by the Data Processing Addendum ("DPA") and the customer's own privacy notice, not by this Notice (see Section 5).
1. No Sale, Sharing, or Targeted Advertising
Karta does not sell personal information, does not share personal information for cross-context behavioral advertising, does not process personal information for targeted advertising, and does not engage in profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, in each case as those terms are defined under applicable state privacy laws.
Because the Services are restricted to authorized users 18 and older, Karta does not knowingly collect personal information from any consumer under 18 in its controller capacity and therefore does not knowingly sell or share, or process for targeted advertising, the personal information of any minor.
Karta does not use or disclose sensitive personal information for purposes that require an offer to limit such use under applicable law (see Section 7).
2. Categories of Personal Information
The following table describes the categories of personal information Karta collects in its controller capacity, the sources of that information, the business or commercial purposes for which it is used, the categories of third parties to which it may be disclosed for a business purpose, and the retention period or the criteria used to determine it. Karta has collected these categories within the preceding 12 months.
| Category | Examples | Sources | Purposes | Disclosed to | Retention |
|---|---|---|---|---|---|
| Identifiers | name, email, account ID, organization ID, IP address | you; your use of the Services; your organization | account, authentication, support, security | service providers; hosting and email providers; advisors; authorities where required | for the life of the account and a reasonable period thereafter, then as required by security, audit, or legal-hold needs |
| Security credentials | account log-in credentials; API key digests; encrypted BYOK provider keys; MFA/passkey data | you; your use of the Services | account and service security and authentication only | hosting and infrastructure providers (in encrypted or hashed form) | for so long as the credential is active, then deleted, rotated, or retained as required for security or legal-hold needs |
| Commercial information | plan, invoices, credit ledger, purchases | you; payment processor | billing, credits, tax, accounting | payment processor; service providers; authorities where required | as required by tax, accounting, and audit obligations |
| Financial information | card last four, billing metadata held by the payment processor | payment processor | payments and fraud prevention | payment processor; authorities where required | as required by tax, accounting, and fraud-prevention obligations |
| Internet/network activity | login events, device/browser data, audit and access logs | your use of the Services | security, debugging, abuse prevention, service operation | hosting and infrastructure providers; service providers | as required by security, audit, and abuse-prevention needs |
| Professional information | organization, role, team membership | you; your organization | account administration | service providers; authorities where required | for the life of the account and a reasonable period thereafter |
| Sensitive personal information | account log-in credentials in combination with credentials permitting access to the account | you; your use of the Services | account and service security only | hosting and infrastructure providers (in encrypted or hashed form) | for so long as the credential is active, then deleted, rotated, or retained as required for security or legal-hold needs |
| Support and legal content | reports, messages, attachments you submit | you | respond to requests; enforce policies; resolve disputes | service providers; advisors; authorities where required | for the period needed to resolve the matter and any related dispute or legal hold |
End-user prompts, files, transcripts, Outputs, tool input/output, and durable workspace content are controlled by the customer operating the Agent and are processed by Karta as a service provider/processor under the DPA, not as a business/controller. Such data is not described in the table above.
Karta does not collect personal information for the purpose of selling it or sharing it for cross-context behavioral advertising, and does not collect the categories of sensitive personal information for the purpose of inferring characteristics about a consumer.
3. Disclosures of Personal Information
Karta discloses personal information for the business purposes described above to: service providers and subprocessors that process personal information on Karta's behalf under written contract; payment processors; hosting and infrastructure providers; transactional email providers; professional advisors (such as auditors and legal counsel); governmental authorities, regulators, and parties to legal process where Karta reasonably believes disclosure is legally required or permitted; successors and their advisors in connection with a merger, acquisition, financing, reorganization, or sale of assets; and other parties at your direction or with your consent.
Karta's current subprocessors and the categories of personal information each receives are described in the Karta Sub-processor List. Professional advisors and governmental authorities are recipients to whom Karta may disclose personal information as described above; they are not subprocessors. Disclosure to a service provider or subprocessor under written contract for a business purpose is not a "sale" or "share."
In the preceding 12 months, Karta has disclosed the following categories of personal information for a business purpose: identifiers; security credentials; commercial information; financial information; internet/network activity; professional information; sensitive personal information; and support and legal content. Karta has sold no categories of personal information and has shared no categories of personal information for cross-context behavioral advertising, and has not disclosed sensitive personal information for any purpose other than those described in Section 7, within the preceding 12 months.
4. Your Rights
Depending on your state of residence and subject to the exceptions, limitations, and verification requirements in applicable law, you may have the right to:
- confirm whether Karta processes your personal information and access or know that information;
- correct inaccurate personal information, taking into account the nature and purpose of the processing;
- delete personal information Karta has collected from you;
- obtain a portable copy of personal information you provided, in a usable format, where technically feasible;
- opt out of the sale or sharing of personal information, targeted advertising, and certain profiling that produces legal or similarly significant effects (Karta does not engage in these activities — see Section 1);
- limit the use and disclosure of sensitive personal information (see Section 7);
- appeal a denied request (see Section 6); and
- not be subject to discrimination or retaliation for exercising these rights (see Section 8).
Each right is subject to the exemptions and limitations of the applicable state law, including exemptions for information Karta must retain to complete a transaction, secure its systems, detect or prevent fraud or abuse, comply with legal obligations, exercise or defend legal claims, or for other internal uses reasonably aligned with your expectations. Where Karta cannot verify a request or an exemption applies, Karta may decline the request in whole or in part and will explain the basis for any denial to the extent required by law. To the extent permitted by applicable law, Karta may charge a reasonable fee or decline to act on a request that is manifestly unfounded, excessive, or repetitive.
Karta extends a substantially similar rights process to residents of all U.S. states where feasible, but doing so does not waive any exemption, threshold, or applicability limitation available to Karta under the law of any particular state, and does not constitute an admission that any particular state law applies to Karta or to any given processing activity.
5. How To Exercise Rights; End-User Requests
To exercise rights over personal information for which Karta is the business/controller, email privacy@karta.sh. Karta operates the Services exclusively online and has a direct relationship with its authorized users; accordingly, email is the designated method for submitting requests, and Karta does not maintain a toll-free telephone line. Karta will take reasonable steps to verify your identity (and, for an authorized agent, the agent's authority) before acting, and may decline or limit a request that it cannot reasonably verify. The level of verification will be proportionate to the sensitivity of the personal information and the risk of harm from improper access, deletion, or disclosure.
This Notice is available in a format accessible to consumers with disabilities. If you need this Notice or assistance exercising your rights in an alternative accessible format, contact privacy@karta.sh.
An authorized agent may submit a request on your behalf where permitted by law, provided the agent supplies proof of valid written authorization signed by you or a power of attorney. For requests to opt out of the sale or sharing of personal information submitted by an authorized agent, Karta may, to the extent permitted by law, require written permission signed by you. Karta may still require you to verify your own identity directly with Karta and to confirm that you authorized the request.
If your request concerns an Agent operated by a Karta customer, Karta is the service provider/processor and not the business/controller for that data. You must direct the request to the customer that operates the Agent, which is responsible for responding. Where a request is misdirected to Karta and the relevant customer is identifiable, Karta may, without obligation, route the request to that customer or direct you to it; Karta will not respond to such requests on the customer's behalf except as instructed by the customer under the DPA.
Karta does not currently sell or share personal information or engage in targeted advertising, and therefore does not act on opt-out preference signals (such as Global Privacy Control) as opt-outs of sale, sharing, or targeted advertising. If Karta begins to sell or share personal information or to process it for targeted advertising, Karta will recognize applicable universal opt-out mechanisms and opt-out preference signals as required by law before doing so. Any such recognition would apply only to the extent legally required, only as to the specific browser or device from which a conforming signal originates, and Karta may treat ambiguous, non-conforming, or unverifiable signals as not validly submitted.
6. Response Timing and Appeals
Karta will respond to a verifiable request within the timeframe required by applicable law, generally within 45 days of receipt where that standard applies, subject to any extension permitted by law (for example, one additional 45-day period where reasonably necessary, with notice to you).
If Karta denies your request and your state provides an appeal right, you may appeal within the time allowed by law by replying to the denial or by emailing privacy@karta.sh with "Appeal" in the subject line and a description of the basis for your appeal. Karta will respond to your appeal within the period required by applicable law and will explain the reasons for its decision. Where your state requires it and your appeal is denied, Karta will provide a method to contact the applicable state Attorney General or regulator.
7. Sensitive Personal Information
To the extent any information Karta processes constitutes sensitive personal information (such as account log-in credentials in combination with credentials permitting access to the account), Karta uses and discloses it only as reasonably necessary to provide and secure the Services, including authentication, fraud prevention, security, and account protection, and only for purposes that do not require Karta to offer a right to limit such use under applicable law. Karta does not use sensitive personal information to infer characteristics about a consumer and does not sell or share sensitive personal information. Account-security artifacts such as API key digests, encrypted BYOK provider keys, and MFA/passkey data are processed solely as account-security data, in encrypted or hashed form, and are not used as consumer-identifying sensitive personal information.
If and to the extent applicable law ever entitles you to limit Karta's use of sensitive personal information, you may request that limitation by emailing privacy@karta.sh; based on the limited, security-only purposes described above, Karta does not believe any such right is currently triggered.
8. Non-Discrimination and Non-Retaliation
Karta will not discriminate or retaliate against you for exercising any right described in this Notice, including by denying the Services, charging different prices or rates, or providing a different level or quality of the Services, except as permitted by applicable law. Karta does not currently offer any financial incentive or price or service difference in exchange for the retention, sale, or sharing of personal information; if Karta ever does so, it will provide the notice and obtain the consent that applicable law requires.
9. Retention
Karta retains personal information for the periods described in the Privacy Policy, determined by account lifecycle; billing, tax, and accounting requirements; security and audit needs; legal holds and dispute resolution; and ongoing service operation, and for no longer than reasonably necessary for each disclosed purpose unless a longer period is required or permitted by law.
10. Changes; Contact
Karta may update this Notice from time to time as described in the Privacy Policy, and the "Last updated" date reflects the most recent revision. For questions about this Notice or Karta's privacy practices, contact privacy@karta.sh or write to LifeSage LLC, 600 1st Ave Ste 102, PMB 2132, Seattle, WA 98104, USA.