Last updated : Jul. 13, 2026

Privacy policy

This policy explains how Carl processes personal data in connection with its website, application, and related services.

Data controller

The data controller is Carl SAS, a company in formation, whose registered office is located at 24 rue Léon Frot, 75011 Paris, France.

For general questions: contact@hicarl.com. To exercise your rights or contact the data protection contact: DPO@hicarl.com.

Data collected

Carl may process the following categories of data:

Audio recordings are used to enable transcription and the processing requested by the user. They are not retained permanently by Carl after this processing.

Purposes

Data is processed to provide the service, create and secure accounts, enable management of contacts, sessions, notes, the calendar, session types and billing, generate AI-assisted transcripts or summaries, provide support, prevent abuse, measure product usage, and improve the user experience.

Legal bases

Depending on the processing, Carl relies on performance of the contract, legitimate interest in securing and improving the service, compliance with legal obligations, and consent when required.

Health data and user responsibility

Carl is intended for professionals. The user determines the information they enter in the application and remains responsible for the lawfulness of that entry, informing the persons concerned, and complying with their own professional obligations.

Carl is not a medical device and does not replace the practitioner's clinical or professional judgment.

Artificial intelligence

Some features use artificial intelligence providers, including OpenAI and Anthropic, to transcribe, structure, or summarize content submitted by the user. These providers act as processors with contractual data protection commitments.

Processors

Carl relies in particular on Supabase for the database, authentication, and storage, Vercel for hosting certain interfaces, Render for backend hosting, OpenAI and Anthropic for certain AI features, Google Auth for Google sign-in, and PostHog for product usage measurement.

Data is hosted exclusively in the European Union in the production configuration of the service. When processors are used, Carl ensures that appropriate data processing agreements are put in place.

Access to Google data

When the user connects their Google account, Carl accesses their Google Calendar through the Google Calendar permissions calendar.readonly and calendar.events, solely to synchronize their personal calendar with the appointments and sessions displayed or managed in the application. Carl reads existing events and creates, modifies, or deletes only events displayed or managed in the application. This data is not used for advertising, sold, or transferred to third parties except for processors strictly necessary to provide the service.

Carl's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Cookies and audience measurement

Carl uses technical trackers necessary for the operation of the service, including authentication, security, and session continuity. Carl also uses PostHog to measure product usage and improve the experience. These measurements are configured to limit collected data to what is necessary for service analysis.

Retention

Data is retained for the duration of account use, then deleted or archived according to applicable technical, contractual, accounting, legal, or security constraints. Billing data may be retained for legally required periods.

Data subject rights

In accordance with the GDPR, data subjects may request access, rectification, erasure, restriction, or objection to the processing of their data, as well as portability when applicable.

Requests may be sent to DPO@hicarl.com. The user may also delete their account from the application when this option is available.

Security

Carl implements technical and organizational measures designed to protect data against unauthorized access, loss, alteration, or unintended disclosure. Because no online service can guarantee absolute security, the user must also protect their credentials and limit the information entered to what is necessary.

Complaint

If you encounter a difficulty, you can contact Carl at DPO@hicarl.com. You also have the right to lodge a complaint with the competent supervisory authority, including the CNIL in France.

Changes to this policy

Carl may modify this policy to reflect changes to the service, its processors, or the applicable legal framework. The update date indicates the applicable version.