Privacy Policy

Last updated: March 2026

1. Controller

The controller responsible for data processing on this website and in the KarmaFlow app is:

SHOP-Construct UG (haftungsbeschrÀnkt)
von-Schwind-Str. 17, 45768 Marl, Germany
Contact: E-Mail schreiben

2. Data Collected

We collect and process the following data:

  • Account data: Email address, first name, and encrypted password upon registration
  • Usage data: Your karma entries, AI analyses, streaks, and milestones
  • Technical data: Device information, app version, language setting, time zone
  • Payment data: For web checkout via Stripe: email, payment status (no credit card data stored by us)

3. Legal Basis for Processing

We process your data on the following legal grounds:

  • Art. 6(1)(b) GDPR (Performance of a contract): Providing KarmaFlow core features — logging entries, AI analysis, karma score, streaks, achievements. This is the core contractual service.
  • Art. 6(1)(f) GDPR (Legitimate interests): Account security, abuse prevention, token-based authentication, rate limiting.
  • Art. 6(1)(a) GDPR (Consent): Push notifications (daily reminder, streak warning, weekly review) — only after active consent.

4. AI Processing and Data Processors

Your journal entries are analysed by AI services to assign karma dimensions (e.g. compassion, mindfulness, discipline), provide a karma score, and generate reflection prompts.

AI providers used:

  • OpenAI, L.P. (San Francisco, USA) — GPT models for karma analysis. Your entries are transmitted to OpenAI via API. Under the OpenAI API Terms of Use (Section 3), API data is not used to train AI models.
  • Anthropic PBC (San Francisco, USA) — Claude models as a fallback system. The same safeguards apply. Under the Anthropic Usage Policy, API data is not used for AI training.

Processing is carried out solely for the performance of the contractual service (Art. 6(1)(b) GDPR). Your data is not shared with third parties for advertising purposes.

5. Third-Country Transfer (USA)

For AI analysis and web payment processing, data is transferred to providers in the USA:

  • OpenAI and Anthropic: Transfer of journal entries for AI analysis
  • Stripe, Inc.: Transfer of email address and payment status for web checkout

The transfer is based on the EU-US Data Privacy Framework (adequacy decision by the European Commission of 10 July 2023). Additionally, Standard Contractual Clauses (SCCs) are in place as a safeguard.

6. Payment Processing

  • Stripe, Inc. (San Francisco, USA) — Payment processing for web checkout on karmaflow.app. Stripe processes payment data as an independent data processor. The Stripe Data Processing Agreement (DPA) is part of the Stripe Services Agreement.
  • Apple (App Store): In-app purchases on iOS. Apple processes payment data under its own data protection responsibility.
  • Google (Play Store): In-app purchases on Android. Google processes payment data under its own data protection responsibility.

We do not have access to credit card or bank account data.

7. Data Storage and Retention Periods

  • Data is stored on secure servers in the EU (location: Germany)
  • Passwords are stored only as hashes (bcrypt)
  • Transmission is encrypted (HTTPS/TLS)

Retention periods:

  • Account data: Stored until account deletion by the user
  • On account deletion: Immediate soft-delete marking. Final deletion of personal data after expiry of tax retention periods (up to 10 years for payment data under Section 147 of the German Fiscal Code)
  • AI response cache: 24 hours, then automatically deleted
  • Session tokens: Access token 15 minutes, refresh token 7 days

8. Your Rights (Art. 15-22 GDPR)

You have the right at any time to:

  • Access (Art. 15): Information about what data we store about you
  • Rectification (Art. 16): Correction of inaccurate data
  • Erasure (Art. 17): Complete deletion of your account and all data
  • Restriction (Art. 18): Restriction of processing
  • Data portability (Art. 20): Export of your data in a machine-readable format
  • Objection (Art. 21): Objection to processing based on legitimate interests
  • Withdrawal (Art. 7(3)): Withdrawal of consent at any time (e.g. push notifications)

You can delete your account and export your data directly in the app under Settings.

Right to lodge a complaint: You have the right to lodge a complaint with the competent data protection supervisory authority. The responsible authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (Kavalleriestr. 2-4, 40213 DĂŒsseldorf, www.ldi.nrw.de).

9. Cookies and Tracking

This website does not use tracking cookies or analytics. Only technically necessary cookies are used for admin session management (HttpOnly, Secure, SameSite=Strict).

10. Contact

For questions about data protection: E-Mail schreiben