Privacy Policy
Effective Date: February 6, 2026
Last Updated: February 6, 2026
This Privacy Policy describes how Expedition Community, Inc. ("Karley," "we," "us," or "our") collects, uses, and protects information in connection with our AI conversion agent platform (the "Service"). The Service is a business-to-business (B2B) platform provided to business customers. This policy applies to our website (karley.ai), Shopify application, embeddable widget, and all related services.
1. Who This Policy Applies To
This policy covers two categories of individuals:
Customers (Merchants): Businesses and business professionals who sign up for and use the Karley platform. The Service is intended solely for business use. By signing up, customers represent that they are acting on behalf of a business entity or in a professional business capacity.
End Users (Website Visitors): People who interact with the Karley widget on our customers' websites.
2. Information We Collect
From Customers (Merchants):
Data Type | Collected? | Purpose |
Name | Yes | Account identification |
Business name | Yes | Account identification |
Email address | Yes | Account management, communications |
Store URL / Website URL | Yes | Service configuration |
Billing information | Via Stripe | Payment processing (we do not store card details) |
Product/service content | Yes | AI training and response generation |
Phone number | No | Not collected |
Physical address | No | Not collected |
From End Users (Widget Visitors):
Data Type | Collected? | Purpose |
UUID (anonymous visitor identifier) | Yes | Session continuity across visits |
Session ID | Yes | Conversation tracking within a session |
Conversation content | Processed, not stored with PII | Real-time AI response generation |
CTA interactions | Links: no data collected; Integrations: processed for transmission, not retained | Outbound links and/or integrated actions to merchant's apps |
IP address | Not currently; may collect in future | If collected: general location derivation, security, fraud prevention |
General location (country/region) | Not currently; may collect in future | If collected: localized responses, analytics |
Precise geolocation (GPS) | No | Not collected |
Name, email, phone | No | Not collected or stored by Karley |
From Customer Platforms (e.g., Shopify):
Data Type | Collected? | Purpose |
Product catalog data | Yes | AI response generation |
Product descriptions, pricing, inventory | Yes | Accurate product Q&A |
Store configuration data | Yes | Service integration |
Customer/shopper data (e.g., order history, profiles) | May access with merchant permission | Personalized widget experiences (e.g., order status, recommendations) |
Customer PII from platforms | Only if merchant grants access | Personalization; processed per merchant's privacy obligations |
Important: End user conversations are associated with a UUID (universally unique identifier) — an anonymous, non-personally-identifiable string that allows session continuity. This UUID is not linked to any personal information. We do not currently collect IP addresses or location data from end users, but we may do so in the future for purposes such as deriving general location (country/region level) for localized responses, security, and analytics. We will not collect precise geolocation (GPS coordinates). Where a merchant grants Karley access to platform customer data (such as Shopify customer information) to enable personalized experiences, such data is processed solely for that purpose and in accordance with the merchant's own privacy obligations to their customers. Where end users submit information through integrated calls-to-action, Karley processes that data solely to transmit it to the merchant's designated applications and does not retain end user personal information. Any material changes to our data collection practices will be reflected in an updated Privacy Policy.
3. How We Use Information
We use the information we collect to provide, maintain, and improve the Service; generate AI-powered responses for end users; process payments through Stripe; communicate with customers about their accounts; provide customers with aggregated analytics and reporting (including top questions, conversion metrics, and engagement statistics); comply with legal obligations; and detect and prevent fraud or abuse.
We do not use customer or end user data to train our own AI models. Content is processed by third-party AI providers solely for generating real-time responses.
4. Third-Party Data Sharing
We share data with the following categories of third parties, solely for the purposes described:
Third Party | Data Shared | Purpose |
AI Model Providers (currently including Anthropic, OpenAI, Google; subject to change) | Conversation content, customer-provided product/service information, catalog data, platform customer data (if merchant-authorized) | AI response generation and personalization |
Stripe | Customer billing information | Payment processing |
Shopify (bidirectional) | OAuth tokens, store/catalog data, customer data (if merchant-authorized) | Platform integration and personalization |
Amazon Web Services (AWS) | All service data (encrypted) | Cloud hosting and data storage |
Customer-designated integrations (e.g., CRMs, email platforms, calendars) | End user data submitted through integrated CTAs (processed, not retained) | Transmitting CTA data to merchant's applications |
We reserve the right to change, add, or remove third-party providers at any time, including AI model providers, to improve the Service or for any business reason. We will update this policy to reflect material changes in our third-party providers.
We do not sell personal data. We do not share data with advertising networks, data brokers, or any third party for purposes unrelated to providing the Service.
Calls-to-Action and Integrations: Calls-to-action presented within the Karley widget may include outbound links to destinations configured by the merchant (such as email signup pages, demo scheduling URLs, product pages, or shopping cart links) and, where available, integrated actions that transmit data directly to the merchant's designated third-party applications (such as CRM systems, email marketing platforms, or calendar tools). For outbound links, Karley does not collect, intercept, or store any information when an end user clicks them. For integrated actions, Karley processes data solely to facilitate transmission to the merchant's designated applications and does not retain end user personal information beyond what is necessary to complete the action. The merchant's own privacy policy governs the collection and use of data received through these integrations.
5. Cookies and Tracking
We use a minimal number of cookies and similar technologies:
Essential cookies: Required for the Service to function (authentication, session management). These cannot be disabled.
UUID (visitor identifier): A universally unique identifier (UUID) stored in the browser to maintain conversation continuity across visits. This UUID is an anonymous, randomly generated string that is not linked to any personal information.
We do not currently use third-party advertising cookies, social media tracking pixels, or cross-site tracking technologies. If we implement IP-based location detection or additional analytics in the future, we will update this section accordingly.
6. Data Security
We implement reasonable technical and organizational measures to protect information, including encryption of data in transit (TLS/SSL) and at rest, access controls limiting data access to authorized personnel, and secure cloud infrastructure. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
7. Data Retention
We retain customer account data for the duration of the customer relationship and for up to three (3) years following account termination. This retention period supports compliance with legal and tax obligations, resolution of disputes, enforcement of our Terms, audit requirements, product improvement, and other legitimate business purposes. Conversation data associated with anonymous UUIDs is retained for service improvement and analytics purposes but is not linked to identifiable individuals. After the applicable retention period, we will delete or anonymize data in accordance with our internal data management practices.
8. Children's Privacy
The Service is not directed at children under the age of 13 (or 16 in the EU/UK). We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without appropriate consent, we will delete that information promptly.
If you believe a child has provided us with personal information, please contact us immediately at support@karley.ai.
Customers who deploy the Karley widget on websites directed at children are solely responsible for compliance with COPPA, the UK Age Appropriate Design Code, and other applicable child protection laws, as described in our Terms of Service.
9. Your Rights
GDPR Rights (EU/UK/EEA Residents):
If you are located in the EU, UK, or EEA, you have the following rights under the General Data Protection Regulation: the right to access your personal data; the right to rectification of inaccurate data; the right to erasure ("right to be forgotten"); the right to restrict processing; the right to data portability; and the right to object to processing. Our legal basis for processing customer data is contract performance (Article 6(1)(b) GDPR). For analytics cookies, our legal basis is legitimate interest (Article 6(1)(f) GDPR).
CCPA/CPRA Rights (California Residents):
If you are a California resident, you have the right to know what personal information we collect and how it is used; the right to request deletion of your personal information; the right to opt out of the sale of personal information (we do not sell personal information); and the right to non-discrimination for exercising your rights.
Exercising Your Rights:
To exercise any of these rights, contact us at support@karley.ai. We will respond to verified requests in accordance with applicable law and will make reasonable efforts to respond promptly. We may ask you to verify your identity before processing a request. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
10. International Data Transfers
The Service is currently hosted using cloud infrastructure that may involve data storage and processing in multiple jurisdictions, including the United States. If you are accessing the Service from outside the jurisdiction where your data is processed, your information may be transferred to, stored, and processed in a different jurisdiction. By using the Service, you consent to such transfer. For EU/UK residents, we rely on appropriate data transfer mechanisms, such as Standard Contractual Clauses (SCCs), as required by applicable law.
11. AI Transparency
In compliance with the EU AI Act (Regulation (EU) 2024/1689) and other applicable regulations, we disclose the following: the Karley widget is powered by artificial intelligence; conversations with the widget are processed by third-party large language models (which may change over time as we optimize the Service); AI-generated responses may not be accurate, complete, or appropriate; and no human is directly involved in generating real-time widget responses. The widget interface clearly identifies itself as an AI assistant.
AI Risk Classification: Karley is a commercial B2B AI system designed for website conversion assistance through conversational Q&A and product/service discovery. The Service is not classified as a "high-risk" or "prohibited" AI system under the EU AI Act. The Service is designed solely for commercial conversion assistance and shall not be used for any purpose that would cause it to be classified as high-risk.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice by posting the updated policy on our website with a new effective date and, where practicable, notifying customers by email. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
13. Contact Us
For any questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern, contact us at:
Expedition Community, Inc.
Email: support@karley.ai
Website: https://karley.ai
© 2026 Expedition Community, Inc. All rights reserved.