Privacy Policy
Last updated: January 30, 2025 | Version 4.0
Effective Date: January 30, 2025
Data Controller
FARAWAYHOME OÜ
Tornimäe 5, 10145 Tallinn, Estonia
Tax ID: EE102783607
Company ID: 17081333
Email: hello@karat.re
Your Consent
By creating an account on Karat, you explicitly consent to:
- The collection and processing of your personal data as described in this Privacy Policy
- The use of your data to provide personalized property recommendations
- The sharing of your contact information with property providers when you initiate contact
- The processing of your data by our third-party service providers listed below
- The transfer of your data to countries outside the EU under appropriate safeguards
- Receiving transactional emails related to your account and activity
You may withdraw your consent at any time by deleting your account or
contacting us at hello@karat.re. Withdrawal of consent does not affect
the lawfulness of processing based on consent before its withdrawal.
Data We Collect
Account Information:
- Name and email address
- Password (encrypted)
- Profile picture (optional)
- User role (viewer/provider)
Usage Data:
- Property views and interactions
- Search queries and preferences
- Messages and communications
- Saved properties and lists
Technical Data:
- IP address and device information
- Browser type and version
- Session information
Google Contacts Import
Karat offers an optional feature that allows real estate agents
(Providers) to import their professional contacts from Google Contacts
into our CRM system. This section explains how we handle Google
Contacts data in compliance with the
Google API Services User Data Policy.
What Data We Access:
When you choose to import your Google Contacts, we request read-only
access to:
- Contact names
- Email addresses
- Phone numbers
We use the contacts.readonly scope, which provides
read-only access. We cannot modify, delete, or write to your Google
Contacts.
How We Use This Data:
- One-time import: Contacts are imported once when you initiate the import process
- CRM storage: Imported contacts are stored in your private CRM within Karat (powered by Supabase)
- Client management: Helps you manage client relationships and communications within the platform
We do NOT continuously sync with your Google Contacts. Each import is
a one-time operation initiated by you.
Data Retention & Deletion:
- Imported contacts remain in your CRM until you delete them or close your account
- You can delete individual imported contacts at any time from your CRM
- Closing your account permanently deletes all imported contacts within 30 days
Data Sharing:
We do NOT share your Google Contacts data with third
parties.
Imported contacts are stored securely in your private CRM and are
only visible to you. We do not sell, rent, or transfer this data to
advertisers, data brokers, or any other external parties.
Data Protection for Google User Data:
- Google user data is encrypted in transit using TLS 1.2+
- Stored data is encrypted at rest in our Supabase database
- Access is restricted to authenticated users viewing only their own imported contacts
- We do not use Google user data for advertising, profiling, or any purpose beyond the CRM functionality
Revoking Access:
You can revoke Karat's access to your Google Contacts at any time:
Revoking access prevents future imports but does not automatically
delete contacts already imported. To delete imported contacts, use the
CRM management features in your Karat account.
Google API Services Compliance:
Karat's use and transfer of information received from Google APIs
adheres to the
Google API Services User Data Policy, including the Limited Use requirements.
How We Use Your Data
We process your personal data for the following purposes:
- Service Provision: To provide and maintain our property listing platform
- Account Management: To manage your account and authenticate users
- Communication: To send you notifications, updates, and respond to inquiries
- Personalization: To provide personalized property recommendations
- Analytics: To understand how our service is used and improve it
- Legal Compliance: To comply with legal obligations
Legal Basis (GDPR): We process your data based on:
- Your consent (Article 6(1)(a))
- Performance of contract (Article 6(1)(b))
- Legal obligations (Article 6(1)(c))
- Legitimate interests (Article 6(1)(f))
Automated Decision-Making & AI Processing
We use artificial intelligence (AI) and automated processing to
enhance your experience on Karat.
AI-Powered Features:
- Property Recommendations: We use OpenAI embeddings to analyze property descriptions and match them with your viewing history and preferences to suggest relevant listings.
- Search Enhancement: AI helps improve search results based on your queries and behavior patterns.
- Content Generation: Property descriptions may be enhanced or summarized using AI to improve readability.
Your Rights Regarding Automated Processing:
- Right to Opt-Out: You can request to opt out of AI-powered recommendations by contacting us at hello@karat.re
- Right to Human Review: You can request human review of any automated decision that significantly affects you
- Right to Explanation: You can request an explanation of how our AI systems work and how they process your data
Important: Our AI systems do not make legally binding
decisions about you. Property recommendations are suggestions only and
do not constitute real estate advice. All significant account
decisions (suspension, deletion) are reviewed by humans.
Cookies and Tracking
We use the following types of cookies:
Essential Cookies:
Required for authentication and basic site functionality. These cannot
be disabled.
Functional Cookies:
Remember your preferences and settings (sidebar state, scroll
positions, notification preferences).
Analytics Cookies:
We use Google Analytics 4 (with your consent) to understand how
visitors use our platform. Google Analytics cookies include
_ga, _ga_*, and _gid. These are
only set after you consent.
Local Storage:
We use browser local storage to save your preferences, drafts, and
session data.
For detailed information about our cookie usage, please see our
Cookie Policy.
Your GDPR Rights
Under GDPR, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restriction: Limit how we use your data
- Right to Data Portability: Receive your data in a structured format
- Right to Object: Object to processing of your data
- Right to Withdraw Consent: Withdraw consent at any time
To exercise any of these rights, please visit your
Settings page or contact us at hello@karat.re
Right to Object
You have the right to object to the processing of your personal data
in certain circumstances.
Direct Marketing
You have an absolute right to object to the use of your data for
direct marketing purposes.
How to opt out: Use the unsubscribe link in any
marketing email, or visit your
Settings page to manage your email
preferences.
Profiling & Personalization
You can object to profiling used for personalized recommendations.
How to opt out: Email hello@karat.re with subject
"Opt-Out of Profiling" and we will disable personalized
recommendations for your account within 30 days.
Legitimate Interest Processing
Where we process your data based on legitimate interests, you can
object on grounds relating to your particular situation.
How to object: Email hello@karat.re explaining your
situation. We will cease processing unless we have compelling
legitimate grounds that override your interests.
Data Portability
You have the right to receive your personal data in a structured,
commonly used, and machine-readable format, and to transmit that data
to another controller.
How to Request Your Data:
- Visit your Settings page and click "Export My Data"
- Or email hello@karat.re with subject "Data Export Request"
- We will verify your identity and process your request
- You will receive your data within 30 days (typically within 7 days)
What You'll Receive:
Your data export will include:
- Account information (name, email, profile data)
- Your property listings (if you're a provider)
- Saved properties and lists
- Message history
- Activity and interaction data
- Consent records
Export Format:
Your data will be provided in JSON format, which is
machine-readable and can be imported into other services. A
human-readable summary in PDF format is also available upon request.
Data Retention & Security
Retention Period:
- Account data: Retained while your account is active
- Usage data: Retained for 24 months
- Deleted account data: Permanently removed within 30 days
Security Measures:
- Encryption of data in transit (HTTPS/TLS)
- Encrypted password storage
- Regular security audits
- Access controls and authentication
- Secure cloud infrastructure (Supabase)
Data Sharing & Transfers
We do NOT sell your personal data.
We may share your data with the following categories:
- Service Providers: Third-party companies that help us operate our platform (see Data Processors below)
- Property Agents: When you contact them about listings or request information
- Legal Requirements: When required by law, court order, or regulatory authority
Data Processors & Sub-Processors
| Processor | Service | Location | Purpose |
| --- | --- | --- | --- |
| Supabase | Database, Auth, Storage | EU/US | User data storage, authentication |
| Mux | Video Processing | US | Video transcoding, streaming |
| Resend | Email Delivery | US | Transactional emails |
| OpenAI | AI Processing | US | Property descriptions, embeddings, recommendations |
| Mapbox | Geocoding | US | Address mapping, location services |
| Netlify | Hosting | US/Global | Application hosting, CDN |
| Google Ireland Limited | Analytics, Tag Manager, Contacts API | EU/US | Website analytics, conversion tracking (with consent), optional contacts import for CRM |
All processors have Data Processing Agreements (DPA) in place. We will
notify you at least 30 days before adding or changing sub-processors.
International Data Transfers
Your data may be transferred to and processed in:
- European Union (Primary: Estonia, database hosting)
- United States (Mux video processing, OpenAI embeddings, Resend emails)
For transfers outside the EU, we ensure adequate protection through:
- Standard Contractual Clauses (EU Commission approved)
- Data Processing Agreements with all processors
- Adequacy decisions (where available)
Data Breach Notification
In the event of a data breach affecting your personal data:
- We will assess the breach within 24 hours
- Notify the Estonian Data Protection Inspectorate within 72 hours (if high risk)
- Notify affected users without undue delay via email
- Document the breach and our response
- Take measures to prevent recurrence
You will be notified by email to your registered address if your data
is affected.
Children's Privacy
Our service is intended for users aged 18 and over. We do not
knowingly collect personal data from children under 18.
If you are a parent or guardian and believe your child has provided us
with personal data, please contact us immediately at hello@karat.re.
If we discover that we have collected data from a child under 18, we
will delete that information promptly.
Contact & Complaints
Data Protection Officer
Email: hello@karat.re
Response time: 5 business days (maximum 30 days under GDPR)
Supervisory Authority
You have the right to lodge a complaint with:
Or your local EU data protection authority if you reside in another EU
country.
To exercise your GDPR rights:
- Visit your Settings page for data export and account deletion
- Email hello@karat.re with subject "GDPR Request - [Your Request Type]"
- We will respond within 30 days (typically within 5 business days)
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes
in our practices, services, or legal requirements.
Notification of Changes:
- Material changes will be communicated via email to your registered address
- In-app notification for significant updates
- Updated "Last updated" date at the top of this page
- For material changes, you may be required to re-accept the updated terms
Version History:
Current Version: 4.0
Effective Date: January 30, 2025
Previous versions available upon request at hello@karat.re