Privacy Policy

KARRI.IO Privacy Policy

Effective Date: 27/05/2026

Who we are

Karri.io Ltd ("Karri", "we", "us", or "our") is committed to protecting your privacy and handling your personal data responsibly.

We are registered in England and Wales (company number 13759853), with our registered office at 71 Queen Victoria Street, London, EC4V 4BE.

We are the data controller in respect of the personal data described in this policy. This means we decide how and why your personal data is processed.

If you have any questions about this policy or about how we handle your data, you can contact us at any time: privacy@karri.io

What this policy covers

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what your rights are.

It applies to:

(a) our website at karri.io;

(b) the Karri app (available on iOS and Android);

(c) the Karri Messenger device and related hardware; and

(d) any communications we send you in connection with the above (collectively, the "Services").

Please read this policy carefully. If you have any concerns about the way we handle your data, please contact us at privacy@karri.io before using the Services.

1. Children's Data and Parental Accounts

1.1 A service designed for children, managed by parents

The Karri Service is designed for children aged approximately 7 to 12 years old. We recognise that children deserve the highest level of privacy protection online, and our service has been built with that principle at its core.

1.2 Who is the account holder?

1.2.1 The Karri account is created and held by a parent or guardian (the "account holder"). The account holder is the adult who purchases the Karri device, sets up the membership, and manages the account through the Karri app.

1.2.2 The child who uses the Karri Messenger device does not create an account and does not provide personal data directly to us. The child is a user of the device, but the account holder is the data subject for the purposes of this policy and UK data protection law.

1.2.3 By creating an account and purchasing a membership, the account holder takes responsibility for managing how the Karri Service is used within their household.

1.3 Account creation and payment verification

1.3.1 To enable a Karri Messenger device to work on the Karri platform,  the account holder is required to complete a payment step processed through One of our payment providers. This payment step serves as a verification measure to ensure that account setup is carried out by an adult who is capable of entering into a legally binding contract and making a financial transaction.

1.3.2 No Karri Messenger devices can be enabled on the platform without completing this payment step.

1.4 Invited contacts

1.4.1 The account holder (parent/guardian acting as the admin) may invite trusted adults, such as grandparents, other family members, or approved contacts, to communicate with the child via the Karri platform.

1.4.2 Invited contacts will receive an invitation from the account holder. The account holder retains full control over who is permitted to communicate with the child and may remove contacts at any time.

1.4.3 Invited contacts who join the platform will have their own limited account for the purposes of communication only. We will process their name and contact details as necessary to facilitate this.

1.5 No direct collection of personal data from children

1.5.1 We do not knowingly collect personal data directly from children. The child's name or nickname may be entered by the account holder when setting up the device, but this information is associated with the parent's account rather than any separate child account.

1.5.2 If we become aware that we have inadvertently collected personal data directly from a child without appropriate parental involvement, we will take prompt steps to delete that data.

2. What Personal Data We Collect

2.1 Account and membership data

When you create an account and purchase a Karri device or membership, we collect:

2.1.1 your name;

2.1.1 your email address;

2.1.1 your delivery address;

2.1.1 your phone number (if provided);

2.1.1 payment information (processed securely by Stripe -- we do not store full payment card details);

2.1.1 membership and subscription details, including plan type, billing frequency, and renewal status; and

2.1.1 name or nickname you assign to the child's device.

2.2 Usage and device data

When you use the Karri app or website, we may collect:

2.2.1 your IP address;

2.2.1 device information, including device model, operating system, and app version;

2.2.1 browser type and settings;

2.2.1 log data, including access times, pages or screens viewed, and interactions; and

2.2.1 app usage events and analytics data (see Section 3 on Analytics).

2.3 Communications data

2.3.1 If you contact our customer support team, we will collect and retain records of that communication, including any personal data you include in your message.

2.3.2 We use Intercom to manage customer support interactions.

2.4 Marketing data

2.4.1 If you have opted in to receive marketing communications, we will hold your name and email address for that purpose (see Section 6 on Marketing).

3. GPS and Location Data

3.1 What we collect

3.1.1 The Karri Messenger device is equipped with GPS functionality. When the GPS feature is active, the device transmits its geographical coordinates (latitude and longitude) to Karri's servers and makes the most recent location available to the account holder via the Karri app. The account holder can switch off the GPS tracking at any time using their companion app.

3.1.2 We do not collect a continuous or live stream of location data. We collect discrete GPS data points at intervals.

3.2 Data minimisation

3.2.1 We operate a strict data minimisation approach in respect of location data as detailed in paragraph 11.1.1

3.2.2 Older data points are automatically deleted from our systems as new data points are received. We do not build or retain a historical log of the child's movements.

3.3 What you see in the app

3.3.1 The Karri app displays the most recent location of the child's device to the account holder. The app does not display a historical trail or track of past movements. The account holder can also switch off GPS tracking at any time via the app.

3.4 Storage and servers

3.4.1 Location data is stored on servers located within the European Union (EU). We do not store location data on servers outside the EU.

3.5 Who can access location data

3.5.1 Location data is accessible as follows:

3.5.1(a) The account holder via the Karri app: the most recent location of the device associated with their account. The account holder may also grant permission to approved contacts (such as invited family members) to view the device location via their own app. This permission can be revoked by the account holder at any time.

3.5.1(b) Karri internal staff: access to raw location data is strictly limited. Only the Managing Director, Chief Technology Officer, and the most senior backend engineer are authorised to access location data as part of their system maintenance or troubleshooting responsibilities. This access is governed by our internal data access policy.

3.5.1(c) Location data is not shared with any other third parties, except as required by law.

3.6 Lawful basis for processing location data

3.6.1 The lawful basis for processing location data is the performance of our contract with you (to provide the Karri service you have purchased) and our legitimate interests in helping parents keep their children safe.

3.6.2 We have conducted a balancing test to assess our legitimate interests against the privacy rights of the individuals involved. In doing so, we have taken into account: (a) the limited volume of data retained; (b) the child safety purpose of the processing; (c) the restricted internal access to the data; and (d) the fact that the account holder, as the parent or guardian, has chosen to use this feature and is in control of the device.

4. Voice Messaging Data

4.1 Voice messaging is the core feature of the Karri Service. The Karri Messenger device allows a child to send voice messages to the account holder's app, and the account holder to send voice messages back to the device. Where two children have been mutually approved by their respective account holders (parents/guardians), children may also send voice messages to each other via their devices.

4.2 What we store

4.2.1 Voice messages  are stored as audio files on our servers, which are located within the European Union (EU) on AWS infrastructure. Voice messages are encrypted in transit and at rest.

4.2.2 Voice messages are audible to both the account holder (via the app) and the child (via the device) for as long as the account remains active. Voice messages are not subject to automatic deletion after a fixed period during the life of the account. 

4.3 Who can access voice message data

4.3.1 Access to voice message data within Karri is strictly limited. Only the Managing Director/CTO and the most senior backend engineer are authorised to access the raw voice message data, and only as necessary and after careful consideration, e.g. for system maintenance or troubleshooting.

4.4 Transcription

4.4.1 The Karri app gives users the option to transcribe voice messages into text. Transcription is provided by AssemblyAI, a third-party speech-to-text service which we’ve configured to use EU-based servers.  When transcription is used, the relevant audio file is transmitted to AssemblyAI for processing and the resulting text is returned  to the app. Transfers to AssemblyAI are made in reliance on the UK-US  Data Bridge (AssemblyAI is certified under the UK Extension to the EU-US Data Privacy Framework). A Data Processing Agreement is in place via AssemblyAI's standard terms.

4.5 Lawful basis

4.5.1 The lawful basis for processing voice message data is the performance of our contract with you (Article 6(1)(b) UK GDPR). Processing voice messages is necessary to deliver the core messaging feature of the Karri Service that you have purchased.

5. Cookies and Tracking Technologies

5.1 What we use

5.1.1 We use cookies and similar tracking technologies on our website. These include:

5.1.1(a) Essential cookies: necessary for the website to function correctly;

5.1.1(b) Analytics cookies: to understand how visitors use our website (Google Analytics, Google Firebase, Google Data Studio, Hotjar);

5.1.1(c) Advertising cookies: to measure the performance of our advertising campaigns and to show relevant ads (Google Ads, Meta (Facebook/Instagram), Amazon Ads); and

5.1.1(d) Functional cookies: to remember your preferences and improve your experience.

5.2 Your consent

5.2.1 Non-essential cookies (including analytics and advertising cookies) are only placed on your device with your consent. You will be asked to provide this consent via our cookie consent banner when you first visit our website.

5.2.2 You can withdraw or manage your cookie preferences at any time by [accessing our cookie settings tool / adjusting your browser settings].

5.2.3 Please note that disabling certain cookies may affect the functionality of our website.

6. Analytics

6.1 Tools we use

6.1.1 We use analytics tools to understand how our website and app are used, to improve our products, and to measure the performance of our marketing. We use the following analytics tools:

6.1.1(a) Google Analytics - website traffic and user behaviour analysis;

6.1.1(b) Google Firebase - app usage and events data, including anonymised crash reporting and usage metrics;

6.1.1(c) Google Data Studio - data visualisation and reporting; and

6.1.1(d) Hotjar - website behaviour recording and heatmapping (records anonymised on-screen user behaviour on our website).

6.2 Anonymisation and minimisation

6.2.1 Where possible, analytics data is collected in anonymised or aggregated form. We configure our analytics tools to minimize the amount of personal data processed for analytics purposes.

6.2.2 We do not use analytics data to build individual profiles of our users or to make automated decisions about them.

6.3 Lawful basis

6.3.1 The lawful basis for analytics processing is our legitimate interests in understanding how our services are used and improving them. Where analytics processing relies on cookies, it is subject to your consent as described in Section 5.

7. Marketing Communications

7.1 Our approach

7.1.1 We only send marketing communications to you if you have given us your explicit consent to do so. Consent is collected via an opt-in at the point of purchase on our Shopify store. You will not receive marketing communications from us unless you have actively ticked the relevant opt-in box during the checkout process.

7.2 Tools we use

7.2.1 We use the following tools to manage and send marketing communications:

7.2.1(a) Klaviyo -- email marketing and automated campaign management;

7.2.1(b) Mailerlite -- email newsletters and campaigns; and

7.2.1(c) Sendgrid -- transactional and marketing email delivery.

7.3 Withdrawing consent

7.3.1 You can withdraw your consent to receive marketing communications at any time. Every marketing email we send includes an unsubscribe link. Clicking that link will remove you from our marketing list. You can also withdraw consent by contacting us at hello@karri.io.

7.3.2 Withdrawing your consent to marketing will not affect your ability to use the Karri Service or the validity of any processing that took place before you withdrew consent.

7.3.3 Please note that we may still send you transactional or service-related communications (such as order confirmations, shipping updates, or important notices about your account) even if you have opted out of marketing. These communications are not marketing and do not require consent.

8. Lawful Basis for Processing

8.1 The table below sets out the categories of personal data we process, the purposes for which we process them, and the lawful basis we rely on under UK GDPR.

9. Who We Share Your Data With

9.1 Our approach to data sharing

9.1.1 We do not sell your personal data to third parties. We share personal data with third parties only where it is necessary to provide the Karri Service, to comply with a legal obligation, or where you have given us your consent to do so.

9.1.2 All third parties who process personal data on our behalf are required to do so in accordance with our instructions and applicable data protection law. Where required, we enter into Data Processing Agreements with our processors under Article 28 of the UK GDPR.

9.2 Third-party provider schedule

The following table sets out the categories of third-party providers we use, what data they receive, and why.

Cloud Infrastructure

Analytics

Marketing and CRM

Customer Support

Commerce and Memberships

Advertising

Fulfilment and Shipping

App Stores

IoT Connectivity

Accounting

Internal Tools

Surveying

Transcription

9.3 Other disclosures

9.3.1 We may also disclose your personal data:

9.3.1(a) where required by law, regulation, or court order;

9.3.1(b) to law enforcement or regulatory authorities where we are legally obliged to do so;

9.3.1(c) to professional advisers (including lawyers, accountants, and auditors) under obligations of confidentiality; and

9.3.1(d) in connection with a business sale, merger, acquisition, or restructuring, where personal data may be transferred to the new owner or operator of the business.

10. International Transfers of Personal Data

10.1 Our own servers

10.1.1 Karri's own servers, including those on which we store account data and location data, are based within the European Union. The EU and the UK have mutual adequacy decisions, meaning personal data can flow freely between the UK and EU without the need for additional transfer mechanisms.

10.2 Transfers to third countries via third-party providers

10.2.1 Some of the third-party providers listed in Section 9 are based in the United States or other countries outside the UK. When we transfer personal data to such providers, we ensure that appropriate safeguards are in place.

10.2.2 For the purposes of transfers to the United States, the primary mechanisms we rely on are:

10.2.2(a) UK-US Data Bridge (UK Extension to the EU-US Data Privacy Framework): Where a US-based provider is certified under the UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework), we rely on that adequacy mechanism for the transfer. The UK-US Data Bridge entered into force on 12 October 2023 and allows personal data to be transferred from the UK to certified US organisations without the need for additional safeguards. We take steps to verify that relevant US providers are registered and active participants in the Data Privacy Framework with the UK Extension before relying on this mechanism.

10.2.2(b) International Data Transfer Agreement (IDTA) / Standard Contractual Clauses (SCCs) with UK Addendum: Where a provider is not certified under the Data Bridge, or where other transfer mechanisms are more appropriate, we use the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with UK Addendum as approved by the ICO. These are contractual mechanisms that require the recipient to protect personal data to a standard equivalent to UK law.

10.2.3 We take steps to keep our transfer arrangements under review and to ensure that the safeguards we rely on remain valid and appropriate. Given the evolving nature of international data transfer law, we will update this section if transfer mechanisms change.

10.2.4 For transfers to other countries (outside the US and EU), we rely on the transfer mechanisms most appropriate to the circumstances, including adequacy decisions made by the UK Government and, where necessary, contractual safeguards.

10.2.5 If you would like more information about the specific safeguards we have in place for any particular transfer, please contact us at hello@karri.io.

11. Data Retention

11.1 Location data

11.1.1 As described in Section 3, we retain only the most recent GPS data point per device at any one time. Older data points are automatically overwritten as new data points are received.

11.2 Account and membership data

11.2.1 Membership data is retained for the duration of your active membership and for a reasonable period afterwards, to allow us to deal with any queries, disputes, or legal claims that may arise. App account data is deleted immediately after you cancel your account. We will review and delete Membership data that is no longer necessary on a periodic basis.

11.3 Marketing data

11.3.1 If you have given us consent to receive marketing communications, we will retain your name and email address for marketing purposes until you withdraw your consent. Once you withdraw consent, we will remove you from our active marketing lists promptly.

11.4 Customer support records

11.4.1 We retain records of customer support interactions for as long as is necessary to resolve the matter and for a reasonable period thereafter, taking into account the possibility of follow-up queries or legal claims.

11.5 Voice message data

11.5.1 Voice messages will be retained based on the membership type as long as the account remains active but are currently not subject to automatic deletion. When an account is closed or deleted, voice messages stored on Karri's servers in chats owned by the account holder are deleted. Voice messages in chats that are still active after account closure remain subject to Karri's plan-based message retention period. Our  retention approach will be under continuous review in light of the storage limitation principle under UK GDPR Article 5(1)(e)

11.6 General

11.6.1 In some cases, we may be required by law to retain certain data for a minimum period (for example, financial and accounting records). In such cases, we will retain the data for the minimum period required by law and delete it thereafter.

11.6.2 When we no longer need personal data, we delete or anonymise it securely.

12. Security

12.1 We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, disclosure, or destruction.

12.2 These measures include, but are not limited to:

12.2.1(a) access controls and role-based permissions limiting who within Karri can access personal data;

12.2.1(b) encrypted data transmission;

12.2.1(c) EU-based server infrastructure; and

12.2.1(d) strict internal policies on data access, particularly in relation to location data (see Section 3.5).

12.3 No method of electronic transmission or storage is 100% secure. While we do our best to protect your personal data, we cannot guarantee its absolute security. If you become aware of any potential security concern relating to your account, please contact us at privacy@karri.io.

13. Your Rights Under UK GDPR

13.1 Overview of your rights

13.1.1 As a data subject under UK data protection law, you have the following rights in relation to your personal data. These rights are exercised by the account holder (the parent or guardian who holds the Karri account). Where rights relate to data processed in connection with the child, the account holder may exercise those rights on the child's behalf.

13.2 The right of access (Subject Access Request)

13.2.1 You have the right to request a copy of the personal data we hold about you, together with information about how we use it.

13.3 The right to rectification

13.3.1 You have the right to ask us to correct any inaccurate or incomplete personal data we hold about you.

13.4 The right to erasure ("right to be forgotten")

13.4.1 You have the right to ask us to delete your personal data in certain circumstances, for example where the data is no longer necessary for the purpose for which it was collected, or where you have withdrawn your consent and there is no other lawful basis for the processing.

13.5 The right to restriction of processing

13.5.1 You have the right to ask us to restrict the processing of your personal data in certain circumstances, for example while we investigate a complaint about accuracy.

13.6 The right to data portability

13.6.1 Where we process your personal data on the basis of your consent or in performance of a contract, and the processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible.

13.7 The right to object

13.7.1 You have the right to object to processing of your personal data where we rely on legitimate interests as our lawful basis. We will stop processing the data unless we have compelling legitimate grounds to continue that override your interests, rights, and freedoms, or unless the processing is necessary for the establishment, exercise, or defence of legal claims.

13.7.2 You have an unconditional right to object to the processing of your personal data for direct marketing purposes. We will stop such processing immediately upon receipt of your objection.

13.8 Rights in relation to automated decision-making

13.8.1 We do not make decisions about you solely by automated means that have a legal or similarly significant effect on you.

13.9 How to exercise your rights

13.9.1 To exercise any of your rights, or if you have any questions about how we handle your personal data, please contact us at:

hello@karri.io

13.9.2 We will respond to your request within one month of receipt. In complex cases, we may extend this period by a further two months, in which case we will inform you within the first month and explain why.

13.9.3 We will not charge a fee for handling rights requests, except in cases where a request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee.

13.10 Right to complain to the Information Commissioner's Office (ICO)

13.10.1 If you are unhappy with how we have handled your personal data, or with our response to a rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority.

13.10.2 You can contact the ICO at:

Website: www.ico.org.uk

Helpline: 0303 123 1113

13.10.3 We would, however, welcome the opportunity to address any concerns you have before you contact the ICO. Please reach out to us at hello@karri.io in the first instance.

14. Links to Third-Party Websites and Services

14.1 Our website and app may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policy of any third-party service before providing them with your personal data.

15. Changes to this Policy

15.1 We are committed to reviewing and improving our data protection practices on an ongoing basis.

15.2 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (to the address associated with your account) or by a prominent notice on our website, ahead of the changes taking effect.

15.3 The current version of this policy, with its effective date and version number, will always be available at karri.io.

16. Contact Us

If you have any questions, concerns, or requests in relation to this Privacy Policy or our data practices, please contact us:

Karri.io Ltd71 Queen Victoria Street London EC4V 4BE

Email: hello@karri.io

Website: karri.io

Version History