Legal · Worldwide

Privacy Policy

Last updated: April 24, 2026

Template disclaimer

This is a starter template. It does not constitute legal advice. You should consult a qualified lawyer — ideally one familiar with GDPR (EU/UK), CCPA/CPRA (California), and the data-protection regime that applies to you and your end users — before relying on this policy. Requirements vary by jurisdiction and business model.

1. Who We Are

Kars HQ (“we”, “us”, “our”) is a SaaS tool used by web designers, agencies, and B2B service businesses around the world to discover local businesses with weak or absent online presence. The Service is operated from Belgium and used by customers in 40+ countries.

For the purposes of GDPR (EU/UK/EEA), CCPA/CPRA (California), and equivalent privacy laws elsewhere, we are the data controller (or "business" under CCPA) for personal data you provide when creating an account and using the Service.

Contact: support@karshq.com

2. Data We Collect

We collect the following categories of personal data:

| Category | Data |
|---|---|
| Account data | Email address, hashed password (stored by Supabase Auth — we never see your plain-text password) |
| Profile data | Display name, timezone preference |
| Usage data | Searches performed (city, niche, radius), credits consumed, subscription plan |
| Lead data | Businesses you save as leads: names, addresses, websites, phone numbers, notes, pipeline status, follow-up dates |
| Billing data | Payment method details (handled entirely by Stripe — we do not store card numbers), subscription status, invoice history |
| Technical data | IP address, browser type, device, session cookies, error logs (collected by Supabase and Vercel) |

We do not collect any special categories of personal data (e.g. health, race, political opinions) as defined under Article 9 GDPR.

3. How We Use Your Data

We use your personal data for the following purposes:

  • Service provision: Authenticating your account, running searches, displaying your leads and calendar events, sending you credits.
  • Billing: Processing your subscription payments and top-up purchases via Stripe; sending payment confirmations and invoices.
  • Service improvement: Analysing aggregated, anonymised usage patterns to improve search quality and feature prioritisation.
  • Security: Detecting and preventing fraud, abuse, and unauthorised access.
  • Legal compliance: Meeting our obligations under applicable law (Belgian law as our home jurisdiction, plus EU regulations, and any applicable laws of the country you reside in) and Stripe's requirements.
  • Support: Responding to enquiries and resolving issues you report.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Third-Party Processors

We share data with the following sub-processors who act on our behalf. Each is bound by a Data Processing Agreement (DPA) and appropriate safeguards.

| Processor | Location | Purpose |
|---|---|---|
| Supabase | USA / EU* | Authentication, database (leads, events, profiles, credits) |
| Vercel | USA / EU* | Application hosting and edge delivery |
| Google LLC | USA | Places API — business search results |
| Anthropic | USA | Claude API — AI-generated pitch content and website analysis |
| Stripe, Inc. | USA | Payment processing, subscription management, invoicing |

* Supabase and Vercel offer EU-region deployments. We endeavour to store data within the EU where possible. See Section 9 for more on international transfers.

6. Data Retention

We retain personal data only as long as necessary for the purposes described above:

  • Account & profile data: Retained while your account is active, deleted within 30 days of account deletion request.
  • Usage & lead data: Retained while your account is active. You may delete individual leads at any time. All data is deleted within 30 days of account deletion.
  • Billing records: Retained for 7 years as required by Belgian tax law (Art. 60 W.Ib.), even after account deletion.
  • Technical / security logs: Retained for up to 90 days.

7. Your Rights (GDPR · CCPA · Worldwide)

The rights you have over your personal data depend on where you live. To exercise any of them, email us at support@karshq.com — we respond within 30 days (45 days for CCPA requests, extendable as the law allows).

If you are in the EU, UK, or EEA — GDPR / UK GDPR

Right of access (Art. 15)

Request a copy of all personal data we hold about you.

Right to rectification (Art. 16)

Correct inaccurate or incomplete data. Most profile data can be updated directly in Settings.

Right to erasure (Art. 17)

Request deletion of your account and associated data, subject to our legal retention obligations.

Right to restrict processing (Art. 18)

Ask us to pause processing your data while a complaint is being resolved.

Right to data portability (Art. 20)

Receive your lead data and notes in a machine-readable format (we support CSV export from the app).

Right to object (Art. 21)

Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent

Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.

Right to lodge a complaint

You may complain to your local supervisory authority. EU residents commonly lodge complaints with their national DPA; UK residents with the Information Commissioner's Office (ico.org.uk). Belgian residents may use the GBA/APD (gegevensbeschermingsautoriteit.be).

If you are a California resident — CCPA / CPRA

California residents have rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). We do not sell or share personal information for cross-context behavioural advertising, and we do not process sensitive personal information for purposes that would trigger a "limit use" right.

Right to know

Request the categories and specific pieces of personal information we have collected about you, the sources, the purposes for collection, and the third parties we share it with.

Right to delete

Request deletion of your personal information, subject to our legal exemptions (billing records, security, fraud prevention).

Right to correct

Request correction of inaccurate personal information.

Right to opt-out of sale or sharing

We do not sell or share your personal information. There is nothing for you to opt out of, but you can confirm this status in writing on request.

Right to non-discrimination

We will not deny you service, charge a different price, or provide a different level of quality because you exercised your CCPA rights.

Right to an authorized agent

You may designate an authorized agent to make a request on your behalf. We will verify identity before acting.

If you live elsewhere

Even if your country's privacy law isn't named above, we extend the same baseline rights to every Kars HQ user, regardless of where you are. You can:

Access your data

Email us and we'll send you a copy of the personal data we hold.

Correct your data

Update your profile in Settings or email us if a field isn't self-serve.

Delete your data

Request deletion of your account at any time. We retain only what we are legally required to (billing records, fraud prevention).

Export your data

Use the in-app CSV export, or ask us for a full machine-readable archive.

Opt out of marketing

Every transactional and marketing email contains an unsubscribe link.

File a complaint

You may complain to your local data-protection authority where one exists. We will cooperate with any legitimate inquiry.

8. Cookies

Kars HQ uses two categories of cookies: strictly necessary cookies for authentication and core product functionality, and one advertising cookie for measuring our Reddit ad campaigns. Visitors located in the EU, EEA, or UK are asked for opt-in consent before the advertising cookie loads. Everyone else can opt out at karshq.com/cookies.

| Cookie | Purpose |
|---|---|
| sb-*-auth-token | Supabase session token — keeps you logged in. Strictly necessary. Expires after inactivity. |
| sb-*-auth-token.0 / .1 | Chunked session tokens for large session payloads. Strictly necessary. Same lifetime. |
| kars_consent | Stores your cookie-banner choice (accepted / rejected) so we do not ask you again. Strictly necessary. 12-month lifetime. |
| redditstatic.com/ads/pixel.js | Reddit advertising pixel — measures signup/purchase conversions from Reddit ad campaigns. Only loads for EU/EEA/UK visitors who clicked Accept. Loads by default for visitors elsewhere; you can opt out at /cookies. |

You can review your current advertising-cookie preference and change it at any time, from any country, at karshq.com/cookies. You can also block all cookies at the browser level — note that blocking the strictly-necessary cookies will prevent sign-in.

9. International Data Transfers

Some of our sub-processors (Google, Anthropic, Stripe, and potentially Supabase and Vercel depending on region selection) are based in or transfer data to the United States.

For transfers from the EU to the US, we rely on the following safeguards:

  • EU Standard Contractual Clauses (SCCs) as implemented in our DPAs with each processor.
  • EU–US Data Privacy Framework adequacy decisions where applicable (e.g. Stripe, Google).

You may request information about the specific safeguards in place by contacting us at support@karshq.com.

10. Data Security

We implement appropriate technical and organisational measures to protect your data:

  • Passwords are hashed using bcrypt by Supabase Auth — we never have access to plain-text passwords.
  • All data is transmitted over HTTPS/TLS.
  • Database access is restricted by Row-Level Security (RLS) policies in Supabase — your data is isolated from other users.
  • API keys and service credentials are stored as environment variables, never in source code.
  • Access to production infrastructure is limited to authorised personnel only.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by Article 33 GDPR.

11. Children's Privacy

Kars HQ is a business tool intended solely for users aged 18 and older. We do not knowingly collect personal data from children under 18. If we become aware that a child has provided us with personal data, we will delete it promptly. If you believe a child has shared data with us, contact us at support@karshq.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the “Last updated” date at the top of this page and notify you by email.

We encourage you to review this policy periodically. Continued use of the Service after any changes constitutes your acceptance of the updated policy.

13. Contact & Data Requests

For all privacy-related enquiries, data subject requests, or to report a concern, please contact:

Entity: Kars HQ
Location: Belgium
Response: Within 30 days (45 days for CCPA, extendable as the law allows)

You also have the right to lodge a complaint with your local data-protection authority. As we operate from Belgium, EU/EEA residents may complain to the Belgian Data Protection Authority (GBA/APD) at dataprotectionauthority.be; UK residents may complain to the ICO (ico.org.uk); California residents may complain to the California Attorney General; users elsewhere may use their national or state regulator if one exists.