Privacy Policy

Last updated: January 30, 2025 | Version 4.0

Effective Date: January 30, 2025

Data Controller

FARAWAYHOME OÜ

Tornimäe 5, 10145 Tallinn, Estonia

Tax ID: EE102783607

Company ID: 17081333

Email: hello@karat.re

Your Consent

By creating an account on Karat, you explicitly consent to:

  • The collection and processing of your personal data as described in this Privacy Policy
  • The use of your data to provide personalized property recommendations
  • The sharing of your contact information with property providers when you initiate contact
  • The processing of your data by our third-party service providers listed below
  • The transfer of your data to countries outside the EU under appropriate safeguards
  • Receiving transactional emails related to your account and activity

You may withdraw your consent at any time by deleting your account or contacting us at hello@karat.re. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Data We Collect

Account Information:

  • Name and email address
  • Password (encrypted)
  • Profile picture (optional)
  • User role (viewer/provider)

Usage Data:

  • Property views and interactions
  • Search queries and preferences
  • Messages and communications
  • Saved properties and lists

Technical Data:

  • IP address and device information
  • Browser type and version
  • Session information

Google Contacts Import

Karat offers an optional feature that allows real estate agents (Providers) to import their professional contacts from Google Contacts into our CRM system. This section explains how we handle Google Contacts data in compliance with the Google API Services User Data Policy.

What Data We Access:

When you choose to import your Google Contacts, we request read-only access to:

  • Contact names
  • Email addresses
  • Phone numbers

We use the contacts.readonly scope, which provides read-only access. We cannot modify, delete, or write to your Google Contacts.

How We Use This Data:

  • One-time import: Contacts are imported once when you initiate the import process
  • CRM storage: Imported contacts are stored in your private CRM within Karat (powered by Supabase)
  • Client management: Helps you manage client relationships and communications within the platform

We do NOT continuously sync with your Google Contacts. Each import is a one-time operation initiated by you.

Data Retention & Deletion:

  • Imported contacts remain in your CRM until you delete them or close your account
  • You can delete individual imported contacts at any time from your CRM
  • Closing your account permanently deletes all imported contacts within 30 days

Data Sharing:

We do NOT share your Google Contacts data with third parties. Imported contacts are stored securely in your private CRM and are only visible to you. We do not sell, rent, or transfer this data to advertisers, data brokers, or any other external parties.

Data Protection for Google User Data:

  • Google user data is encrypted in transit using TLS 1.2+
  • Stored data is encrypted at rest in our Supabase database
  • Access is restricted to authenticated users viewing only their own imported contacts
  • We do not use Google user data for advertising, profiling, or any purpose beyond the CRM functionality

Revoking Access:

You can revoke Karat's access to your Google Contacts at any time:

Revoking access prevents future imports but does not automatically delete contacts already imported. To delete imported contacts, use the CRM management features in your Karat account.

Google API Services Compliance:

Karat's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

How We Use Your Data

We process your personal data for the following purposes:

  • Service Provision: To provide and maintain our property listing platform
  • Account Management: To manage your account and authenticate users
  • Communication: To send you notifications, updates, and respond to inquiries
  • Personalization: To provide personalized property recommendations
  • Analytics: To understand how our service is used and improve it
  • Legal Compliance: To comply with legal obligations

Legal Basis (GDPR): We process your data based on:

  • Your consent (Article 6(1)(a))
  • Performance of contract (Article 6(1)(b))
  • Legal obligations (Article 6(1)(c))
  • Legitimate interests (Article 6(1)(f))

Automated Decision-Making & AI Processing

We use artificial intelligence (AI) and automated processing to enhance your experience on Karat. This section explains how we use these technologies and your rights regarding them.

AI-Powered Features:

  • Property Recommendations: We use OpenAI embeddings to analyze property descriptions and match them with your viewing history and preferences to suggest relevant listings.
  • Search Enhancement: AI helps improve search results based on your queries and behavior patterns.
  • Content Generation: Property descriptions may be enhanced or summarized using AI to improve readability.

Your Rights Regarding Automated Processing:

  • Right to Opt-Out: You can request to opt out of AI-powered recommendations by contacting us at hello@karat.re
  • Right to Human Review: You can request human review of any automated decision that significantly affects you
  • Right to Explanation: You can request an explanation of how our AI systems work and how they process your data

Important: Our AI systems do not make legally binding decisions about you. Property recommendations are suggestions only and do not constitute real estate advice. All significant account decisions (suspension, deletion) are reviewed by humans.

Cookies and Tracking

We use the following types of cookies:

Essential Cookies:

Required for authentication and basic site functionality. These cannot be disabled.

Functional Cookies:

Remember your preferences and settings (sidebar state, scroll positions, notification preferences).

Analytics Cookies:

We use Google Analytics 4 (with your consent) to understand how visitors use our platform. Google Analytics cookies include _ga, _ga_*, and _gid. These are only set after you consent.

Local Storage:

We use browser local storage to save your preferences, drafts, and session data.

For detailed information about our cookie usage, please see our Cookie Policy.

Your GDPR Rights

Under GDPR, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Limit how we use your data
  • Right to Data Portability: Receive your data in a structured format
  • Right to Object: Object to processing of your data
  • Right to Withdraw Consent: Withdraw consent at any time

To exercise any of these rights, please visit your Settings page or contact us at hello@karat.re

Right to Object

You have the right to object to the processing of your personal data in certain circumstances. This section explains how to exercise this right.

Direct Marketing

You have an absolute right to object to the use of your data for direct marketing purposes.

How to opt out: Use the unsubscribe link in any marketing email, or visit your Settings page to manage your email preferences.

Profiling & Personalization

You can object to profiling used for personalized recommendations.

How to opt out: Email hello@karat.re with subject "Opt-Out of Profiling" and we will disable personalized recommendations for your account within 30 days.

Legitimate Interest Processing

Where we process your data based on legitimate interests, you can object on grounds relating to your particular situation.

How to object: Email hello@karat.re explaining your situation. We will cease processing unless we have compelling legitimate grounds that override your interests.

Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

How to Request Your Data:

  1. Visit your Settings page and click "Export My Data"
  2. Or email hello@karat.re with subject "Data Export Request"
  3. We will verify your identity and process your request
  4. You will receive your data within 30 days (typically within 7 days)

What You'll Receive:

Your data export will include:

  • Account information (name, email, profile data)
  • Your property listings (if you're a provider)
  • Saved properties and lists
  • Message history
  • Activity and interaction data
  • Consent records

Export Format:

Your data will be provided in JSON format, which is machine-readable and can be imported into other services. A human-readable summary in PDF format is also available upon request.

Legitimate Interest Assessment

Where we rely on legitimate interests as the legal basis for processing, we have conducted a balancing test to ensure our interests do not override your rights. This section summarizes our legitimate interests:

Platform Security & Fraud Prevention

We process IP addresses and device information to detect and prevent fraud, abuse, and security threats. This protects all users and maintains platform integrity.

Service Improvement

We analyze aggregated usage patterns to improve our platform features, fix bugs, and enhance user experience. Individual users are not targeted or affected negatively by this processing.

Network & Information Security

We monitor access patterns to detect unauthorized access attempts and protect user data. This is essential for GDPR compliance and user protection.

Business Communications

We send service-related communications (account updates, security alerts, policy changes) that are necessary for the operation of your account.

You can object to any processing based on legitimate interests by contacting us at hello@karat.re with details of your specific situation.

Data Retention & Security

Retention Period:

  • Account data: Retained while your account is active
  • Usage data: Retained for 24 months
  • Deleted account data: Permanently removed within 30 days

Security Measures:

  • Encryption of data in transit (HTTPS/TLS)
  • Encrypted password storage
  • Regular security audits
  • Access controls and authentication
  • Secure cloud infrastructure (Supabase)

Data Sharing & Transfers

We do NOT sell your personal data.

We may share your data with the following categories:

  • Service Providers: Third-party companies that help us operate our platform (see Data Processors below)
  • Property Agents: When you contact them about listings or request information
  • Legal Requirements: When required by law, court order, or regulatory authority

Data Processors & Sub-Processors

| Processor | Service | Location | Purpose |
|---|---|---|---|
| Supabase | Database, Auth, Storage | EU/US | User data storage, authentication |
| Mux | Video Processing | US | Video transcoding, streaming |
| Resend | Email Delivery | US | Transactional emails |
| OpenAI | AI Processing | US | Property descriptions, embeddings, recommendations |
| Mapbox | Geocoding | US | Address mapping, location services |
| Netlify | Hosting | US/Global | Application hosting, CDN |
| Google Ireland Limited | Analytics, Tag Manager, Contacts API | EU/US | Website analytics, conversion tracking (with consent), optional contacts import for CRM |

All processors have Data Processing Agreements (DPA) in place. We will notify you at least 30 days before adding or changing sub-processors.

International Data Transfers

Your data may be transferred to and processed in:

  • European Union (Primary: Estonia, database hosting)
  • United States (Mux video processing, OpenAI embeddings, Resend emails)

For transfers outside the EU, we ensure adequate protection through:

  • Standard Contractual Clauses (EU Commission approved)
  • Data Processing Agreements with all processors
  • Adequacy decisions (where available)

Data Breach Notification

In the event of a data breach affecting your personal data:

  • We will assess the breach within 24 hours
  • Notify the Estonian Data Protection Inspectorate within 72 hours (if high risk)
  • Notify affected users without undue delay via email
  • Document the breach and our response
  • Take measures to prevent recurrence

You will be notified by email to your registered address if your data is affected.

Children's Privacy

Our service is intended for users aged 18 and over. We do not knowingly collect personal data from children under 18.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at hello@karat.re.

If we discover that we have collected data from a child under 18, we will delete that information promptly.

Contact & Complaints

Data Protection Officer

Email: hello@karat.re

Response time: 5 business days (maximum 30 days under GDPR)

Supervisory Authority

You have the right to lodge a complaint with:

Estonian Data Protection Inspectorate

Website: https://www.aki.ee/en

Email: info@aki.ee

Or your local EU data protection authority if you reside in another EU country.

To exercise your GDPR rights:

  • Visit your Settings page for data export and account deletion
  • Email hello@karat.re with subject "GDPR Request - [Your Request Type]"
  • We will respond within 30 days (typically within 5 business days)

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements.

Notification of Changes:

  • Material changes will be communicated via email to your registered address
  • In-app notification for significant updates
  • Updated "Last updated" date at the top of this page
  • For material changes, you may be required to re-accept the updated terms

Version History:

Current Version: 4.0

Effective Date: January 30, 2025

Previous versions available upon request at hello@karat.re