Privacy Policy

Last updated: April 2026

This Privacy Policy (the “Policy”) applies to personal information collected by, or provided to, Karate Labs Inc. and its affiliates and subsidiaries (collectively “Karate Labs,” “we,” “us,” “our”) via our websites, applications, and electronic communications (collectively, the “Platform”). This Policy describes how we collect, use, share, and protect personal information, and the choices available to you regarding that information.

This Policy applies to personal information collected through the Platform, which includes the Karate Labs website, account portal, and licensing systems. It does not apply to Customer Data processed within Karate Labs products, which operate entirely on-premises within the customer’s own infrastructure (see below).

Important — On-Premises Architecture: Karate Labs products are deployed and executed entirely on-premises within the customer’s own environment. All customer test data, application data, source code, test scripts, and test results remain within the customer’s firewall at all times. Karate Labs does not receive, access, process, store, or transmit any Customer Data. We do not offer a cloud-hosted version of our products. Karate Labs does not sell, rent, or trade your personal information, and we do not use Customer Data for marketing or any other purpose.

1. Personal Information We Collect

We collect the following categories of personal information to provide, enhance, and support our products and services. You are not required to provide all personal information identified below; however, if you do not provide requested information, we may not be able to provide you with some or all of our services.

  • Contact and Demographic Information: name, address (including billing and shipping), telephone number, email address, company name, and job title.
  • Payment Information: if you make a purchase, we collect payment details including credit card information and billing address. All payment data is processed and stored by Stripe. You may review their privacy notice at stripe.com/privacy.
  • Account Information: username, password (stored in hashed form), authentication tokens, and account preferences.
  • Usage and Device Information: device type and identifiers, browser type and version, operating system, IP address, referring and destination URLs, pages visited, features used, session duration, performance data, and error logs.
  • Location Data: approximate location derived from your IP address. We do not collect precise GPS location data.
  • Communication Information: contents of your communications with Karate Labs, whether via email, support channels, social media, or telephone, including any files or attachments you provide.
  • Employment Application Information: if you apply for a position at Karate Labs, we collect your resume, employment and education history, contact information, and related details.

2. How We Collect Personal Information

  • Directly from you: when you create an account, make a purchase, request a demo, submit a support request, fill out a registration form, respond to a survey, or otherwise communicate with us.
  • Automatically: when you use our Platform, through cookies, pixels, web beacons, server logs, and similar technologies (see Section 7).
  • From third parties: from service providers that help us build and maintain contact lists, from authentication providers (Google OAuth 2.0, GitHub OAuth, Microsoft OAuth), and from partners who integrate their services with ours.

3. Lawful Basis for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal information only when we have a valid lawful basis to do so. Our lawful bases include:

  • Contract Performance: processing necessary to perform our contract with you, including providing our products and services, processing payments, and managing your account.
  • Legitimate Interests: processing necessary for our legitimate interests, provided those interests are not overridden by your data protection rights. This includes improving our Platform, ensuring security, preventing fraud, and communicating with you about our services.
  • Consent: where you have given us specific consent to process your personal information for a particular purpose, such as receiving marketing communications. You may withdraw consent at any time (see Section 10).
  • Legal Obligation: processing necessary to comply with applicable laws, regulations, or legal processes.

4. How We Use Personal Information

We use personal information for the following purposes:

  • Providing, operating, and maintaining our Platform, products, and services.
  • Processing transactions and sending related information, including purchase confirmations and invoices.
  • Creating, managing, and authenticating your account.
  • Responding to your enquiries, comments, feedback, or support requests.
  • Communicating with you about products, services, updates, and technical notices.
  • Analysing usage patterns to improve our Platform, products, and user experience.
  • Conducting internal research, analytics, and product development.
  • Detecting, preventing, and addressing fraud, security issues, and technical problems.
  • Protecting the rights, property, and safety of Karate Labs, our users, and the public.
  • Complying with applicable laws, regulations, and legal processes.
  • Enforcing our Terms of Service and other agreements.

What we do not do: We do not sell, rent, or trade your personal information to third parties. We do not use personal information to build advertising profiles or for cross-context behavioural advertising. Because Karate Labs products run entirely on-premises within our customers’ environments, we never receive, access, or process Customer Data (including test data, source code, test scripts, or test results). The personal information described in this Policy relates solely to our website, account portal, and licensing systems — not to the operation of our products.

5. How We Share Personal Information

We may share your personal information in the following limited circumstances:

  • Within Karate Labs: we may share information among our affiliates and subsidiaries for the purposes described in this Policy.

Third-Party Service Providers: We share information with vendors who perform services on our behalf under contractual obligations to protect your data. These include:

Service Provider Purpose Data Processed
Amazon Web Services (AWS) Website and portal hosting (not customer product data) Website, portal, and account data only
Stripe Payment processing and billing Payment and transaction data
PostHog Product analytics Usage and device data
Google, GitHub, Microsoft OAuth Account authentication Authentication tokens and basic profile
  • Legal Obligations and Protection: when we have a good-faith belief that disclosure is necessary to comply with applicable law, regulation, or legal process; to enforce our Terms of Service; to detect and prevent fraud or security threats; or to protect the rights, property, or safety of Karate Labs, our users, or the public.
  • Business Transfers: in connection with a merger, acquisition, divestiture, or any sale or transfer of some or all of our business assets, personal information may be among the assets transferred. We will provide notice and, where legally required, an opportunity to object.
  • With Your Consent: we may share your information for other purposes with your explicit consent.

We do not sell or share (as defined under CCPA/CPRA) your personal information for cross-context behavioural advertising.

6. International Data Transfers

Karate Labs is headquartered in the United States. Because our products operate entirely on-premises within the customer’s environment, Customer Data (test data, source code, test scripts, and test results) is never transferred to Karate Labs or across international borders by us. The international data transfer provisions below apply only to personal information collected through our website, account portal, and licensing systems. If you are located outside the United States, such personal information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) or UK Addendum, as applicable. You may request a copy of these safeguards by contacting us at privacy@karatelabs.io.

7. Cookies and Tracking Technologies

We use cookies, pixels, web beacons, and similar technologies to collect usage information, support Platform functionality, and analyse performance. The following table summarises the types of cookies we use:

Cookie Type Purpose Duration
Strictly Necessary Essential for Platform operation, including authentication, security, and access to secure areas. Session or persistent, as required
Performance / Analytics Collect aggregated information about how users interact with our Platform to improve functionality and performance. Up to 24 months
Functionality Remember your preferences (e.g., language, region) to provide enhanced and personalised features. Up to 12 months

Your Cookie Choices: You can manage or disable cookies through your browser settings. Most browsers allow you to reject all or some cookies, and we provide a cookie preference mechanism on our Platform — you can update your cookie preferences here. Please note that disabling certain cookies may impair Platform functionality.

Global Privacy Control (GPC): We honour browser-based opt-out preference signals, including the Global Privacy Control (GPC) signal, as required by applicable law. When we detect a GPC signal, we treat it as a valid opt-out request.

8. Data Retention

We retain personal information only for as long as reasonably necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting obligations. Retention periods vary by data type:

  • Account Data: retained for the duration of your account and for up to 12 months after account closure, unless a longer period is required by law.
  • Payment and Transaction Records: retained for up to 7 years to comply with tax and financial reporting obligations.
  • Usage and Analytics Data: retained in identifiable form for up to 24 months; thereafter aggregated or anonymised.
  • Communication Records: retained for up to 3 years after the last interaction, unless ongoing legal or support obligations apply.
  • Employment Application Data: retained for up to 12 months after the recruitment process concludes, unless you consent to a longer retention period.

When personal information is no longer required, we securely delete or anonymise it in accordance with our data retention schedule.

9. Data Security

We implement appropriate technical and organisational measures to protect personal information collected through our Platform against unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit and at rest, access controls, regular security assessments, and employee training. Importantly, because Karate Labs products are deployed entirely on-premises, customer test data and application data remain within the customer’s own security perimeter and are subject to the customer’s own security controls. Karate Labs has no access to this data. However, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security for data collected through our website and portal.

10. Your Privacy Rights

10.1 Rights Under GDPR and UK GDPR (EEA, UK, and Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following rights under applicable data protection laws:

  • Access: the right to request a copy of the personal information we hold about you.
  • Rectification: the right to request correction of inaccurate or incomplete personal information.
  • Erasure: the right to request deletion of your personal information in certain circumstances.
  • Restriction: the right to request that we restrict the processing of your personal information.
  • Portability: the right to receive your personal information in a structured, commonly used, and machine-readable format.
  • Objection: the right to object to processing based on legitimate interests.
  • Withdrawal of Consent: where processing is based on consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Automated Decision-Making: the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects on you.

If you believe we are processing your personal information unlawfully, you have the right to lodge a complaint with your local data protection supervisory authority. For the EEA: European Commission data protection authorities list. For the UK: the Information Commissioner’s Office (ICO). For Switzerland: FDPIC.

10.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

  • Right to Know: the right to request the categories and specific pieces of personal information we have collected, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: the right to request correction of inaccurate personal information.
  • Right to Opt-Out: the right to opt out of the sale or sharing of personal information. As stated above, Karate Labs does not sell or share your personal information.
  • Right to Limit Use of Sensitive Personal Information: the right to limit the use of sensitive personal information to purposes necessary to provide the services you have requested.
  • Right to Non-Discrimination: we will not discriminate against you for exercising your privacy rights.

California Shine the Light: Under California Civil Code Section 1798.83, California residents may request information regarding the disclosure of personal information to third parties for direct marketing purposes. Karate Labs does not disclose personal information to third parties for their direct marketing purposes.

CCPA Metrics: Karate Labs will publish annual metrics regarding the number of requests to know, delete, and opt out received, complied with, and denied, as required by regulation.

10.3 Rights Under Other US State Privacy Laws

Residents of states with applicable consumer privacy laws (including but not limited to Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Kentucky, Rhode Island, and Indiana) may exercise similar rights, including the right to access, correct, and delete personal information and to opt out of certain processing activities. We honour Global Privacy Control signals as opt-out requests where required by applicable state law.

11. Exercising Your Rights

To exercise any of the rights described above, please contact us at privacy@karatelabs.io or by writing to the address in Section 16. In your request, please:

  • Specify which right(s) you wish to exercise and the personal information to which your request relates.
  • Provide sufficient information for us to verify your identity (at a minimum, your full name, email address, and account details if applicable).
  • Indicate your preferred method of response delivery (e.g., email or post).

We will acknowledge your request within 10 business days and respond substantively within the timeframes required by applicable law (generally 30 days under GDPR/UK GDPR; 45 days under CCPA/CPRA, with a possible 45-day extension if needed). If we are unable to verify your identity, we may request additional information. You do not need to create an account to submit a request.

12. Data Protection Complaints Process

If you are dissatisfied with how we handle your personal information or respond to your request, you may submit a formal complaint to us at privacy@karatelabs.io. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days. If you remain unsatisfied after our internal process, you have the right to escalate your complaint to the relevant supervisory authority (see Section 10.1).

13. Automated Decision-Making and AI

Karate Labs does not currently use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals. Should we implement such processing in the future, we will update this Policy and provide appropriate disclosures, safeguards, and opt-out mechanisms as required by applicable law, including the EU AI Act and GDPR Article 22.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required under GDPR and UK GDPR. Where the breach is likely to result in a high risk to you, we will notify you directly without undue delay. We will also comply with breach notification requirements under applicable US state laws.

15. Children’s Privacy

Our Platform is not directed to individuals under 18 years of age, and we do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take reasonable steps to delete that information promptly. If you believe we may have collected information from a child under 18, please contact us at privacy@karatelabs.io.

16. Contact Us

If you have questions, comments, or concerns about this Policy, or if you wish to exercise your privacy rights, please contact us at:

Karate Labs Inc.
Attn: Privacy Team
1507 Sandcroft Ln
Sugar Land, TX 77479
United States
Email: privacy@karatelabs.io

17. Updates to This Policy

We may update this Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. Material changes will be communicated through a notice on our Platform and, where appropriate, via email. We encourage you to review this Policy periodically. The “Last Updated” date at the top of this Policy indicates when the most recent revision was made.

© 2026 Karate Labs Inc. All rights reserved.