Privacy Policy
This Privacy Policy explains how Karos Labs collects, uses, stores, shares, and protects information, including any data we access through Google APIs. We do not sell your personal information, and we never use data accessed through Google APIs for advertising.
- 1. Who we are
- 2. Scope of this policy
- 3. Information we collect
- 4. Google user data
- 5. Limited Use disclosure
- 6. How we use information
- 7. How we share information
- 8. Storage & security
- 9. Data retention
- 10. Your rights & choices
- 11. International transfers
- 12. Children's privacy
- 13. Changes
- 14. Contact us
01Who we are
This website and the services described on it are operated by KAROS PROJECT MANAGEMENT SERVICES - FZCO, a company registered in the IFZA Free Zone, Dubai Silicon Oasis, United Arab Emirates (license no. 87692), trading as "Karos Labs" ("Karos Labs," "we," "us," or "our"), a marketing agency providing AI-assisted strategy, creative, content, and growth services to business clients.
For privacy questions, our registered address is IFZA Business Park, Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates, and our contact email is hello@karoslabs.com.
02Scope of this policy
This policy applies to:
- Website visitors who browse karoslabs.com or contact us through the site.
- Clients and prospective clients who engage us or share information during proposals, onboarding, or ongoing work.
- Authorized users who connect a Google account (such as a work Gmail mailbox) to our internal tools so we can organize client communications on their behalf.
It does not cover third-party websites, platforms, or services that we link to but do not control.
03Information we collect
Information you give us
- Contact and inquiry details: your name, email address, company, and the contents of any message you send through our contact form, chat assistant, or by email.
- Scheduling details: when you book a call, the name, email, and any notes you provide to our scheduling tool.
- Client engagement information: brand materials, account details, and other information you share so we can deliver our services.
Information we access on your behalf (with your permission)
- Google account data (Gmail): if an authorized user connects a Google account, we access email metadata as described in the next section. This is always opt-in and can be disconnected at any time.
- Meeting records: where a client or team member invites our notetaker to a call, we may store the resulting transcript or summary to maintain a record of the engagement.
Information collected automatically
- Basic technical logs: standard server logs such as IP address, browser type, and pages requested, used for security and to keep the site running. We do not use advertising or cross-site tracking cookies on this website.
04Google user data
When an authorized user chooses to connect their Google account, we request a single, read-only permission scope: gmail.readonly. We request the minimum access needed and nothing more.
What we access
- We read email metadata only: subject lines, sender and participant email addresses, message snippets (short previews), timestamps, and message counts.
- We do not request, download, or store full email bodies or attachments.
- We only retain records of conversations that include at least one external participant (for example, a client or prospect). Purely internal email is not stored.
Why we access it
The sole purpose is to give our team an organized, up-to-date view of client and prospect conversations inside our internal operations tools, so we can serve clients well and keep engagement records accurate. We do not use this data for any other purpose.
How we protect it
- The credential that allows ongoing access (the refresh token) is encrypted at rest using AES-256-GCM encryption and is never exposed to client-facing surfaces.
- Access tokens are used in memory only and are never written to long-term storage.
- Stored conversation metadata is held in access-controlled infrastructure with row-level security and is never shared with our clients or any other customer.
How to revoke access
You can disconnect at any time, with immediate effect, by either: (1) removing Karos Labs from your Google account at myaccount.google.com/permissions, or (2) emailing hello@karoslabs.com to request disconnection and deletion. On revocation, we stop all further access and delete the stored credential.
05Limited Use disclosure
Google API Services User Data Policy
Karos Labs' use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In line with those requirements, we affirm that data obtained through Google APIs is:
- Not sold to anyone, under any circumstances.
- Not used or transferred for advertising, including personalized, retargeted, or interest-based advertising.
- Not used to train generalized or third-party artificial-intelligence or machine-learning models.
- Only used to provide and improve the specific features described above, or as required for security, legal compliance, or with your explicit consent.
- Not read by humans except where you give explicit consent, where required for security or to comply with applicable law, or where the data has been aggregated and anonymized for internal operations.
06How we use information
- To respond to inquiries, schedule calls, and provide proposals.
- To deliver, maintain, and improve the marketing services our clients engage us for.
- To organize and keep accurate records of client and prospect communications.
- To secure our systems, prevent abuse, and meet legal and accounting obligations.
We do not sell personal information, and we do not use Google user data for advertising or model training.
07How we share information
We do not sell your personal information. We share information only in these limited situations:
- Service providers / subprocessors: trusted vendors that host our infrastructure, send transactional email, process scheduling, or provide AI processing, strictly to perform services for us and under confidentiality and data-protection obligations. They may not use the data for their own purposes.
- Legal and safety reasons: when required by law, subpoena, or to protect the rights, property, or safety of Karos Labs, our clients, or others.
- Business transfers: in connection with a merger, acquisition, or sale of assets, subject to this policy.
- With your consent: when you direct us to share information.
Data accessed through Google APIs is never shared with our clients or other customers, and is never sold or used for advertising.
08Storage & security
We protect information using industry-standard measures, including:
- Encryption in transit (HTTPS/TLS) and encryption at rest for sensitive credentials (AES-256).
- Access controls and row-level security so each client and user can only access their own data.
- Secrets and API credentials stored in a protected server-side vault, never in client-side code.
- The principle of least privilege, we request the minimum access needed and store the minimum data needed.
No method of transmission or storage is perfectly secure, but we work to protect your information and review our practices regularly.
09Data retention
We keep personal information only as long as needed for the purposes described here, to maintain accurate engagement records, or to meet legal obligations. Google account metadata is retained only while your account remains connected and is deleted when you disconnect or on request. Inquiry and client records are retained for the duration of our relationship and a reasonable period afterward, then deleted or anonymized.
10Your rights & choices
Depending on where you live, you may have the right to access, correct, delete, or export your personal information, to object to or restrict certain processing, and to withdraw consent. To exercise any of these rights, email hello@karoslabs.com and we will respond within the timeframe required by applicable law.
- California residents (CCPA/CPRA): we do not sell or "share" personal information as those terms are defined, and we will not discriminate against you for exercising your rights.
- EEA/UK residents (GDPR): our legal bases for processing are your consent, performance of a contract, and our legitimate interests in operating and securing our business. You may lodge a complaint with your local data-protection authority.
11International transfers
We operate internationally, and your information may be processed in countries other than your own, including the United States and the United Arab Emirates. Where required, we use appropriate safeguards for cross-border transfers.
12Children's privacy
Our website and services are intended for businesses and adults. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact us and we will delete it.
13Changes to this policy
We may update this policy from time to time. When we do, we will revise the "Last updated" date above and, for material changes, take additional steps as required by law. Your continued use of the site after an update means you accept the revised policy.
14Contact us
Questions about this policy or your data? Reach us at:
KAROS PROJECT MANAGEMENT SERVICES - FZCO (trading as Karos Labs)
Email: hello@karoslabs.com
Address: IFZA Business Park, Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates