Privacy Policy
This policy describes how Karn Consulting, the operating brand of Karn Corporation (GSTIN 03CLWPK4491C1ZX, registered at Amritsar, Punjab, India), collects, uses, and protects your personal data when you use karnconsulting.co or engage us for services. We comply with India's Digital Personal Data Protection Act 2023 (DPDP), the EU/UK General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA/CPRA).
1. Data controller
The data controller is Karn Corporation, Amritsar, Punjab, India. Contact: support@karnconsulting.co.
2. Data we collect
- Contact data - name, email, phone, company, role (when you submit a brief, book a call, or email us).
- Qualification data - budget tier, timeline, the bottleneck described, UTM parameters captured at form submit.
- Engagement data - meeting notes, call recordings, project documents (only with explicit written consent).
- Usage data - anonymous analytics (pages, referrer, device, country) - only if you grant analytics consent.
- Conversational data - messages exchanged with the on-site AI concierge are processed transiently to generate replies. We do not retain transcripts beyond the session unless you submit a contact form.
- Telephony data - for AI Receptionist demos and inbound calls, Twilio handles call routing; recordings are kept only with consent and deleted after 90 days.
3. Legal bases (GDPR Art. 6 / DPDP §7)
- Contract - to deliver services you have engaged us for.
- Legitimate interest - to respond to enquiries and operate the website securely.
- Consent - for marketing emails, analytics cookies, and marketing cookies.
- Legal obligation - Indian tax / GST and audit retention.
4. How we use your data
We use your data to respond to enquiries, deliver our services, send relevant updates if you opt in, and improve the website. We do not sell your data and we do not share it for cross-context behavioural advertising. We disclose data only to the sub-processors listed below, each bound by a Data Processing Addendum.
5. Sub-processors
The following processors handle personal data on our behalf. Each is contractually bound to GDPR/DPDP-equivalent terms.
| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| HubSpot | CRM, contact records, marketing automation | United States | SCCs + DPA |
| Google Analytics 4 | Anonymous website analytics (consent-gated) | United States / EU | SCCs + IP anonymisation |
| Meta (Facebook) Ads | Conversion + retargeting (consent-gated) | United States | SCCs + DPA |
| LinkedIn Ads | Conversion + retargeting (consent-gated) | United States / Ireland | SCCs + DPA |
| Cal.com | Meeting scheduling widget on /contact | Germany / United States | GDPR DPA |
| OpenAI | On-site AI concierge replies (Lovable AI Gateway) | United States | Zero-retention API; SCCs |
| Twilio | Call routing + SMS for AI Receptionist demos and inbound contact | United States / EU | SCCs + DPA |
| Cloudflare | CDN, DDoS protection, bot management | Global edge | SCCs + DPA |
| Resend / Postmark | Transactional email (replies, brief confirmations) | United States | SCCs + DPA |
6. International transfers
Where data leaves India / the EEA, we rely on Standard Contractual Clauses (SCCs) and supplementary measures (encryption in transit + at rest, IP truncation, restricted access).
7. Retention
- Contact records: 24 months from last interaction.
- Engagement records (contracts, invoices): 7 years (Indian tax / audit requirement).
- Anonymous analytics: 14 months.
- Call recordings: 90 days, only with consent.
- AI concierge transcripts: session-only unless you submit a form.
8. Your rights
Under GDPR, DPDP §11–§15, and CCPA you may request: access, correction, deletion, portability, restriction, objection, and withdrawal of consent. Email support@karnconsulting.co. We respond within 30 days. EU residents may also lodge a complaint with their local supervisory authority.
9. Cookies
We default all non-essential storage to denied via Google Consent Mode v2. See the cookie policy for the full list and to change your preferences.
10. Security
We use HTTPS everywhere, encryption at rest, least-privilege access, MFA on all admin systems, vendor due-diligence on every sub-processor, and a documented incident response process. Suspected breaches are notified within 72 hours per GDPR Art. 33.
11. Children
The site is not directed at children under 18 and we do not knowingly collect data from minors.
12. Grievance officer / DPO contact
Per the DPDP Act 2023 and GDPR Art. 27, our designated grievance officer / EU representative point of contact is Prateek Karn. Reach them at support@karnconsulting.co or +91 75769 56682. We respond within 30 days.
13. Changes
We update this policy as practices evolve. Material changes are posted at the top of this page with a revised date.