01 Who we are
The Karzo platform is operated by Karzo Technologies Co., Ltd. (“Karzo”, “we”, “us”), a company incorporated in Thailand with registered office at 101 True Digital Park East, Pegasus Building, 5FL, Unit 545, Sukhumvit Rd, Bang Chak, Phra Khanong, Bangkok 10260, Thailand. Karzo is the data controller for personal data processed through the Karzo platform.
This policy explains what personal data we collect, how we use it, who we share it with, and the rights you have under Thailand’s Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”). Where the European Union’s General Data Protection Regulation (“GDPR”) applies to a particular user, we treat them as having the equivalent rights described in section 9 below.
02 What this policy covers
This is the general privacy policy for the Karzo platform. It covers:
- the Karzo Pro web application — the operations dashboard used by Karzo customers and their staff to manage fleets, tasks, drivers, and logistics workflows;
- this website (karzopro.com) and any forms on it, such as demo-request and contact forms;
- sign-in to the above, including signing in with your Google account.
The Karzo Driver mobile app has its own dedicated policy, available at karzopro.com/karzo-driver-privacy-policy.
03 Personal data we process
3.1 Account and identity data
Sign-in is handled by Clerk, our authentication provider, which supports several sign-in methods including Sign in with Google. Depending on how you sign in, we process:
- your email address;
- your full name;
- your profile photo, if your provider supplies one;
- the identifier of the federated identity provider you sign in with (for example, your Google account ID) — your provider password is never seen by us or by Clerk;
- session tokens issued by Clerk so you don’t have to sign in on every visit.
3.2 Google account data
When you choose Sign in with Google, Google asks for your permission to share a limited set of profile information with us through the OAuth consent screen. With your consent we receive, via Google’s OAuth service, only the following from the openid, email, and profile scopes:
- your Google account’s email address and whether it is verified;
- your basic profile information — your name and profile picture;
- a stable Google account identifier used to recognise your account on return visits.
We do not request access to your Gmail, Google Drive, Google Contacts, Calendar, or any other Google service or restricted scope. We use Google sign-in solely to authenticate you and create or match your Karzo account — we do not read, store, or transmit any other Google user data.
Google API Services — Limited Use. Karzo’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We do not use Google user data for advertising, we do not sell it, and we do not transfer it to third parties except as necessary to provide or improve the Karzo sign-in feature, to comply with applicable law, or as part of a merger or acquisition with your consent. Humans do not read this data except with your explicit consent, to comply with the law, for security purposes, or to perform operations in aggregate and anonymised form.
3.3 Profile and organisation data
Once you have an account, we hold the data needed to give you access to the right workspace, including your role, the organisation or Karzo customer you belong to, and your permissions within the Karzo Pro application.
3.4 Operational data you create through the platform
As you use the Karzo Pro application, we store the records you create and manage — for example fleets, vehicles, drivers, tasks, routes, attachments, notes, and status changes. This operational data may incidentally contain personal data of third parties (for example a recipient’s name on a task), which you are responsible for entering lawfully.
3.5 Diagnostic and technical data we collect automatically
- Log and security data. Our infrastructure records standard request metadata (IP address, timestamp, browser user-agent, requested URL) to operate, secure, and debug the service.
- Error reports. When something goes wrong we may collect technical context such as the error, page, browser, and app version to fix reliability issues.
- Preferences. Settings such as your chosen language and light/dark theme are stored to remember your choices.
We do not sell your personal data, and we do not use it for cross-site advertising.
04 How we use your data
- To provide the platform’s functionality — authenticate you (including via Google sign-in), create and match your account, give you access to the correct workspace, and store the operational records you manage.
- To secure the service — detect, prevent, and investigate fraud, abuse, and security incidents.
- To diagnose and fix problems — via error and log data, so we can ship reliability fixes.
- To communicate with you — respond to demo requests and support enquiries you submit.
- To comply with our legal obligations — including responding to lawful requests from authorities, defending legal claims, and meeting recordkeeping requirements that apply to us as a Thai company.
Under the PDPA, our lawful bases for processing are:
- Performance of a contract with you or with your organisation — the agreement under which you use the platform.
- Legitimate interest in operating, securing, and improving the service (for diagnostic, log, and security data).
- Consent — for example, the consent you give on Google’s OAuth screen to share your basic profile with us.
- Legal obligation — where applicable.
05 Who we share your data with
We do not sell your personal data, and we do not share it for third-party advertising. We do share it with the following service providers, who process it on our behalf and under contract:
| Provider | What they process | Why | Where |
|---|---|---|---|
| Clerk Inc. | Email, name, profile photo, federated identity, session tokens. | Authentication and session management. | United States. clerk.com/privacy |
| Google LLC | Your Google account email, basic profile, and account identifier — only during the OAuth sign-in step. Also fonts and infrastructure services. | Federated “Sign in with Google” identity, plus supporting services. | United States and Google’s global infrastructure. policies.google.com/privacy |
| Cloudflare, Inc. | Network routing of traffic between your browser and our backend; hosting of this website and storage of release artefacts (build outputs). | Hosting and infrastructure for our site and APIs. | Global edge network. cloudflare.com/privacypolicy |
We may also disclose your data to your organisation or the Karzo customer whose workspace you belong to, where that disclosure is necessary to perform the underlying contract. Where this applies, your organisation is a separate data controller of that data.
We may disclose your data to courts, law-enforcement authorities, or regulators where we are legally compelled to, or where we have a good-faith basis to do so to protect the rights or safety of users or the public.
06 International data transfers
Several of the service providers above are located in countries outside Thailand — in particular the United States. Where the PDPA applies, we rely on the “adequate protection”, “appropriate safeguards” or “contractual” bases under section 28 of the PDPA for these transfers, depending on the provider. Where the GDPR applies, we rely on Standard Contractual Clauses or equivalent transfer safeguards.
07 How long we keep your data
- Account and session data — for as long as your account is active. When your access is removed, your authentication record is deactivated.
- Operational data — retained as part of our customer’s operational record, for as long as the underlying contract requires plus any period required by Thai accounting and labour law (typically up to 10 years).
- Log, security, and error data — retained for a limited period for security and diagnostic purposes.
- Google account data — we retain only the basic profile fields needed to keep your account linked; you may revoke Karzo’s access at any time (see section 9).
08 Children
The Karzo platform is a business tool and is not directed at children. We do not knowingly collect personal data from anyone under the age of legal majority in their jurisdiction.
09 Your rights
Under the PDPA you have the right to:
- request access to the personal data we hold about you;
- request that we correct it if it is inaccurate or incomplete;
- request that we erase it, where one of the PDPA grounds for erasure applies;
- request that we restrict its processing or object to specific types of processing;
- request that we provide it to you, or transmit it directly to another controller, in a structured machine-readable format (portability);
- withdraw any consent you have given (this does not affect the lawfulness of processing carried out on the basis of that consent before withdrawal);
- lodge a complaint with the Personal Data Protection Committee of Thailand (PDPC).
Where the GDPR applies to you, you have equivalent rights under it, plus the right to lodge a complaint with your local supervisory authority.
Revoking Google access. You can review and revoke Karzo’s access to your Google account at any time from your Google Account’s security settings at myaccount.google.com/permissions. Revoking access disables Google sign-in for your Karzo account but does not by itself delete your Karzo account.
To exercise any of these rights, write to us at hello@karzopro.com. We will respond within 30 days (or such shorter period as is required by the applicable law). We may need to verify your identity before acting on the request.
10 Security
All network traffic between your browser and our backend is encrypted in transit using TLS. Authentication tokens are handled by our authentication provider and stored securely. We restrict employee access to personal data on a need-to-know basis and review our access controls periodically. No system is perfectly secure, however, and we cannot guarantee that unauthorised access will never happen — if it does, we will notify you and the relevant authorities as required by the PDPA.
11 Changes to this policy
We may update this policy as the platform changes — for example, when we introduce a new sign-in method, a new OAuth scope, or a new service provider, or when we change retention periods. The “Last updated” date at the top of this page reflects when the current version took effect. Material changes will additionally be surfaced in the product where appropriate.
12 Contact us
Questions about this policy or about how we handle your data:
- Email: hello@karzopro.com
- Mail: Karzo Technologies Co., Ltd., 101 True Digital Park East, Pegasus Building, 5FL, Unit 545, Sukhumvit Rd, Bang Chak, Phra Khanong, Bangkok 10260, Thailand.