karl.
Privacy

Privacy policy

Last updated: 7 June 2026.

1. Who we are

Karl is operated by Arvid Lindqvist, sole trader (enskild firma) registered in Sweden at Dag Hammarskjölds torg 9, 211 18 Malmö, Sweden. Swedish business identification number (organisationsnummer): 980509-5792. (the "Operator", "we", "us", or "our"). For privacy questions contact contact@karl-ai.se.

We are the controller of personal data described below, within the meaning of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

2. What this policy covers

This policy explains what personal data we collect when you:

  • visit the marketing site (karl-ai.se and subdomains);
  • request a 30-day trial licence via the trial form;
  • buy a paid Karl licence through our checkout (operated by Paddle);
  • contact us by email; and
  • run the Karl software itself.

It does not cover third-party sites linked from ours.

3. What data we collect, why, and on what legal basis

3.1 Trial form

  • Your email address. Used to deliver the signed trial licence file. We store a one-way SHA-256 hash of the lowercased, trimmed email so we can enforce the one-trial-per-address limit without keeping the plaintext address.
    Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in preventing trial abuse, and contract performance (Art. 6(1)(b)) for delivering the licence you requested.
  • Your IP address. Stored together with a daily counter to rate-limit trial requests per IP. Retained for 7 days, then deleted.
    Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in preventing abuse.

3.2 Paid purchases (Paddle)

We do not see or store your payment-card details. Paid checkout is operated by Paddle.com Market Limited ("Paddle"), which acts as merchant of record and as the data controller for payment data. Paddle's own privacy notice applies to that processing: paddle.com/legal/privacy.

When Paddle notifies us of a completed purchase we receive: your email address, the product and price you bought, the transaction ID, and Paddle's customer reference. We use these to issue and deliver your Karl licence and to honour future support and refund requests.
Legal basis: contract performance (Art. 6(1)(b) GDPR).

3.3 Issued licences

We retain a record of every issued licence (licence key, tier, email address, validity dates, and the originating transaction or trial ID) for as long as the licence is potentially in use, plus the periods required by Swedish bookkeeping law (Bokföringslagen, currently 7 years for accounting records relating to paid transactions).
Legal basis: contract performance (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c)).

3.4 Email correspondence

If you email us we keep the message and your address for as long as needed to handle your request, and afterwards for a reasonable period for follow-up and dispute resolution (typically up to 36 months).
Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

3.5 The Karl software itself

Karl is self-hosted. Your source code, prompts, AI trajectories, and related data stay on machines you control and are never sent to us. The Karl client contacts our update server strictly limited to:

  • (1) checking for new releases of the Karl software (anonymous); and
  • (2) verifying your licence key against the public update endpoint.

No source code, prompts, trajectory data, or any other content you produce or process with Karl is transmitted to us as part of these requests.

These requests reveal your IP address and the Karl version you are running, which are logged transiently by our hosting provider for up to 30 days for operational and security purposes.

We do not currently operate any telemetry, crash-reporting, or usage-analytics pipeline. If we add an optional telemetry feature in the future it will be off by default and this policy will be updated before it ships.

3.6 Website

The marketing site does not set tracking cookies, does not embed third-party analytics, and does not run advertising tags. Your hosting-provider access logs (IP, user agent, requested URL, timestamp) are retained for up to 30 days for security and abuse prevention.

4. Who we share data with

We share personal data only with the following categories of recipients, each acting as a processor unless noted:

  • Paddle.com Market Limited (Ireland / UK) — merchant of record for paid purchases. Acts as an independent controller for payment data.
  • Our infrastructure provider(s) — the marketing site and update server are hosted by Strato AG (Pascalstraße 10, 10587 Berlin, Germany). Strato's privacy notice: strato.com/legal/data-protection.
  • Our email-sending provider — outbound licence and support email is sent through Strato AG's SMTP service under the same hosting agreement.

We do not sell personal data and we do not share it with advertisers.

5. International transfers

Our primary infrastructure is in the EU/EEA. Where a processor (for example Paddle) transfers data outside the EEA, that transfer is covered by the European Commission's Standard Contractual Clauses or by an adequacy decision under Art. 45 GDPR. You can request a copy of the relevant safeguards by emailing us.

6. Your rights under the GDPR

Subject to the conditions in the GDPR you have the right to:

  • access the personal data we hold about you (Art. 15);
  • have inaccurate data corrected (Art. 16);
  • have your data erased (Art. 17);
  • restrict or object to processing (Art. 18 and 21);
  • data portability (Art. 20);
  • withdraw any consent you have given (Art. 7), without affecting earlier lawful processing.

To exercise any of these rights email contact@karl-ai.se. We will respond within one month.

You also have the right to lodge a complaint with the Swedish data-protection authority, Integritetsskyddsmyndigheten (IMY), or with the supervisory authority in your country of residence.

7. Security

We use TLS for all traffic between you and our services, store licence-issuance state on encrypted-at-rest volumes, and sign every licence file with an ECDSA P-256 key whose private half is held offline. We follow industry-standard practices for credential management and access control. No system is perfectly secure; if you believe you have found a vulnerability please email contact@karl-ai.se.

8. Changes

We will update this policy from time to time. Material changes will be announced on this page with a new "Last updated" date, and (for active customers) by email where required by law.

9. Contact

Arvid Lindqvist
Dag Hammarskjölds torg 9, 211 18 Malmö, Sweden
Email: contact@karl-ai.se