GDPR and data handling
Karo is designed with GDPR compliance in mind. Here's what's stored, what isn't, and where data goes.
What Karo stores
| Data | Where it's stored | How long |
|---|---|---|
| Chat messages (content of conversations) | Karo's database (UK infrastructure) | Indefinitely |
| Chat session identifiers | First-party cookie in the visitor's browser | Duration of session |
| Verified email addresses (for order lookup) | Karo's database, scoped to session | Duration of session |
| Order data (after verification) | Karo's database, scoped to session | Duration of session |
What Karo does NOT store
- No customer payment data
- No ticket barcodes or QR codes beyond the live session
- No postcodes or full address data
- No data is sent to or stored by the underlying AI model
- No third-party tracking or advertising cookies
The AI model and personal data
This is important: no personal data is ever sent to the AI model that powers Karo. When Karo retrieves an order or processes a refund, the personal information in that transaction stays within Karo's own infrastructure. The AI receives only the structured, de-identified output it needs to form a response.
Infrastructure
Karo's servers and databases are hosted in the UK and run on renewable energy. Data does not leave the UK for processing.
Your privacy policy
We recommend pointing the privacy policy link in your Interface settings to your own venue's privacy policy, which should cover use of AI assistants and third-party chat tools.
If you need a template clause or have questions about DPA (Data Processing Agreement) requirements, contact your SynapTix account manager.