Privacy Policy

Last updated: February 2025

KarmaLink Ltd ("we," "our," or "us") is committed to protecting your privacy and the security of personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our website at karmalink.online and our customer reputation management platform ("Service"). We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

KarmaLink Ltd, United Kingdom, is the data controller for personal data processed as described in this policy. If you have questions about our data practices or wish to exercise your rights, please contact us using the details at the end of this policy.

2. Scope and Legal Basis

This policy covers:

  • Website visitors: visitors to karmalink.online (cookies, analytics, contact form submissions)
  • Business users: businesses that use the KarmaLink platform (account data, usage data)
  • End-customers: individuals whose data is processed by the platform on behalf of business users (e.g. hashed identifiers, review and booking context)

We process personal data only where we have a lawful basis: contract (to provide the Service), consent (where you have given clear consent, e.g. marketing or non-essential cookies), legitimate interests (e.g. security, analytics, improving our services, where balanced against your rights), or legal obligation (e.g. tax, regulatory compliance).

3. Information We Collect

3.1 Website (karmalink.online)

  • Contact form: When you submit the contact form (enquiry type, name, email, message, consent choices), we use this to respond to your enquiry. Data is sent to our AWS Lambda function and may be emailed to us via Amazon SES; for waitlist sign-ups with marketing consent, we may add you to our Mailchimp audience. Legal basis: consent and legitimate interest (responding to enquiries).
  • Cookies and similar technologies: We use essential, analytics, and (with consent) marketing cookies as described in the Cookies section below.
  • Usage data: When you visit our website, we may collect technical data (IP address, browser type, device, referring URL) and usage data via Google Tag Manager and Google Analytics (with consent where required). We use this to improve the site and understand how it is used. Legal basis: consent (for non-essential) or legitimate interest (for essential and, where applicable, analytics).

3.2 KarmaLink Platform (Service)

  • Business account information: Business name, contact details, property information, and other data necessary to provide the Service. Legal basis: contract.
  • Customer data (end-customers): Businesses may provide customer email addresses or other identifiers. We convert email addresses to SHA-256 hashes and do not store the original plain-text email in our systems. We may store hashed identifiers, booking context, review content, and karma-related data to provide reputation and review management. We act as a data processor for this data; the business user is the data controller. Legal basis: we process on instructions of the business user under our contract with them; the business must have its own lawful basis for collecting and sharing this data.
  • Usage and operational data: Logs, authentication events, and usage data necessary to operate, secure, and improve the Service. Legal basis: contract and legitimate interest.

4. How We Use Your Information

  • To provide and operate the Service (reputation management, karma scoring, review management, analytics)
  • To communicate with you (support, updates, marketing where you have consented)
  • To improve the Service and our website (analytics, product development)
  • To comply with legal obligations and protect our rights
  • To ensure security and prevent fraud or abuse

5. Data Protection and Security

We implement appropriate technical and organisational measures, including:

  • SHA-256 hashing of customer email addresses in the platform so plain-text emails are not stored
  • Encryption in transit (TLS) and at rest where applicable
  • Access controls, authentication, and audit logging
  • AWS infrastructure in the UK/EU (eu-west-2) with enterprise-grade security
  • Regular review of security practices and updates

While we take reasonable steps to protect personal data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Sharing and Third Parties

We may share personal data with:

  • Service providers (processors): AWS (hosting, Lambda, SES), Google (analytics, Tag Manager), Mailchimp (email marketing, where you have consented). These providers process data on our instructions and under agreements that protect your data.
  • Legal and regulatory: Where required by law, court order, or to protect our rights, we may disclose data to authorities or advisers.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity.

We do not sell your personal data. We do not share your data with third parties for their own marketing purposes except where you have consented (e.g. marketing cookies or Mailchimp sign-up).

7. International Transfers

We primarily store and process data in the United Kingdom and European Economic Area (e.g. AWS eu-west-2). Where we use services that transfer data outside the UK/EEA (e.g. Mailchimp in the US), we ensure appropriate safeguards are in place, such as UK adequacy decisions, standard contractual clauses, or other mechanisms approved under UK data protection law.

8. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this policy and to comply with legal obligations. For example: contact form and enquiry data is retained as needed to respond and for a limited period thereafter; cookie and analytics data as per the cookie table below; business account and platform data for the duration of the contract and for a reasonable period after termination for legal and operational purposes; end-customer (hashed) data in accordance with our contract with the business user and our retention policies. You may request erasure or restriction where your rights apply.

9. Cookies

Cookies are small text files placed on your device when you visit our website. We use them to provide functionality, remember preferences, and (with your consent) analyse traffic and deliver relevant content or advertising.

9.1 Why We Use Cookies

We use cookies to run the website, understand how visitors use it, and improve our services. With consent, we also use analytics and marketing cookies. You can manage your preferences using the button below or your browser settings.

9.2 Types of Cookies

Essential

Necessary for the website to function (e.g. security, network management, cookie consent). You cannot opt out of these. Duration: session or up to 1 year.

Analytics

Help us understand how visitors use the site (e.g. Google Analytics). Used only with your consent where required. Duration: up to 2 years.

Marketing

Used (with consent) for advertising or to limit ad frequency. May involve third-party cookies. Duration: up to 2 years.

9.3 Third-Party Cookies

We use Google Tag Manager (GTM) to manage tags. GTM may set cookies from Google Analytics and other integrated services. Those services have their own privacy and cookie policies.

9.4 Cookie Reference Table

Cookie Name | Purpose | Duration | Type
karmalink_cookie_consent | Stores your cookie consent preferences | 365 days | Essential
_ga | Google Analytics – distinguishes unique users | 2 years | Analytics
_ga_* | Google Analytics – persists session state | 2 years | Analytics
_gid | Google Analytics – distinguishes users | 24 hours | Analytics
_gat | Google Analytics – throttles request rate | 1 minute | Analytics

10. Cookie Management

You can manage your cookie preferences at any time using the button below or your browser settings. Blocking or deleting cookies may affect site functionality or your experience.

Most browsers let you control cookies via Settings (e.g. Chrome: Settings → Privacy and security → Cookies and other site data; Firefox: Settings → Privacy & Security → Cookies; Safari: Preferences → Privacy; Edge: Settings → Cookies and site permissions).

11. Your Rights (UK GDPR)

Under UK data protection law, you have the right to:

  • Access: request a copy of your personal data
  • Rectification: have inaccurate data corrected
  • Erasure: request deletion of your data in certain circumstances
  • Restrict processing: limit how we use your data in certain cases
  • Object: object to processing based on legitimate interests or for direct marketing
  • Data portability: receive your data in a structured, machine-readable format where applicable
  • Withdraw consent: where we rely on consent, you may withdraw it at any time

To exercise these rights, contact us using the details below. We will respond within one month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK: ico.org.uk/make-a-complaint.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page with a new "Last updated" date and, for material changes, we will notify you by email or through the Service where appropriate. We encourage you to review this policy periodically.

13. Contact Us

For questions about this Privacy Policy, our data practices, or to exercise your rights:

KarmaLink Ltd, United Kingdom

Contact us