Your data,
your rules.
Last updated · 12 April 2026 · Version 2.1
In one sentence
We collect the minimum data needed to send you a gift card, redeem it at a store, and keep fraud off the platform — and we never sell it.
01 The short version
Karto (operated by Karto Technology FZ-LLC, registered in Baghdad, Iraq) offers a digital gift card platform. This policy explains what personal information we collect when you use the Karto app or website, how we use it, and the rights you have over it.
If anything here is unclear, email us at support@karto.me and a human will reply within two business days.
02 What we collect
We group personal data into three buckets:
- Account data — phone number, name, profile photo (optional), preferred language. Used to identify your account and deliver gifts sent to you.
- Transaction data — gift amount, merchant, time of purchase, time of redemption, the last four digits of the payment method used, and a tokenized reference (no raw card numbers ever touch our servers — see §4).
- Device & usage data — device model, OS version, IP address, app version, crash logs, and anonymized event counts (e.g. "how many people tapped Send"). Used for fraud detection and product improvement.
03 How we use it
We use your data only for the purposes listed below. Each is tied to a legal basis under Iraq's Personal Data Protection Act (draft 2024) and, where applicable, the EU GDPR for users accessing Karto from abroad.
- Delivering the service you signed up for — sending gift cards, confirming redemptions, customer support.
- Keeping the platform safe — spotting fraud, stolen-card attacks, and coordinated abuse. This includes device fingerprinting with a 45-day rolling retention.
- Complying with Iraqi anti-money-laundering law — for transactions above IQD 1,000,000 in aggregate per 30 days, we may request additional identity verification.
- Improving the product — analyzing aggregate, anonymized usage patterns. We never use personal identifiers for this.
04 Who we share with
We share personal data only with the following categories of recipient, and only as needed:
- Payment processors — Zain Cash, FastPay, and Visa/Mastercard rails process your payment. They receive only what is strictly required. Raw card numbers never reach Karto servers.
- Merchants — when you redeem a gift card at a participating merchant, that merchant sees the gift amount, token, and time of redemption. They do not see the sender's phone number, your other transactions, or any contact data beyond what is printed on the gift token.
- Telecom partners — Zain Iraq, Asiacell, and Korek deliver SMS notifications. They receive the destination number and the message body, and retain delivery logs per Iraqi telecom regulations.
- Government bodies — only when served with a valid legal order under Iraqi law, and only the specific data scoped by that order.
We do not sell your data to advertisers, data brokers, or any third party. Not now, not ever.
05 Where data lives
Primary storage is on encrypted servers hosted by AWS Bahrain (me-south-1 region), with an encrypted mirror in AWS Frankfurt for disaster recovery. Data at rest uses AES-256; data in transit uses TLS 1.3. Database backups are retained for 35 days and then cryptographically shredded.
06 Your rights
You can, at any time and for any reason:
- Access — request a machine-readable export of all personal data we hold on you. Delivered within 14 days.
- Correct — fix any inaccurate data directly in the app (Settings → Profile), or email us.
- Delete — close your account. We keep transaction records for 7 years as required by Iraqi commercial law, but all other identifying data is scrubbed.
- Object — opt out of analytics and personalization. The app will keep working normally.
- Port — receive your data in a format that lets you move it to another provider.
07 Cookies & tracking
On the web, we use a single first-party cookie to keep you signed in. We do not use third-party advertising cookies, Facebook Pixel, or Google Ads tracking. We measure usage with Plausible Analytics, which does not set cookies and does not collect personal data.
08 Children's privacy
Karto is not intended for anyone under 16. We do not knowingly collect data from children. If you believe a child has created a Karto account, contact us at support@karto.me and we will remove the account promptly.
09 Changes to this policy
We will post any material change to this page with a new version number and a clear summary of what changed. For significant updates — such as new data categories or recipients — we will notify active users by SMS and in-app banner at least 30 days before the change takes effect.
10 Contact us
Our Data Protection Officer is Sama Hussain, reachable at support@karto.me. Postal mail:
Karto Technology FZ-LLC
Attn: Data Protection
Al-Mansour District
Baghdad, Iraq 10013