Privacy Policy
Last updated: 19 April 2026
1. Controller
The controller responsible for data processing on this website and in the KarmaFlow app is:
SHOP-Construct UG (haftungsbeschränkt)
von-Schwind-Str. 17, 45768 Marl, Germany
Contact: Write e-mail
2. Data Collected
We collect and process the following data:
- Account data: Email address, first name, and password (stored only as a bcrypt hash, see section 7) upon registration
- Usage data: Your karma entries, AI analyses, streaks, and milestones
- Technical data: Device information, app version, language setting, time zone
- Payment data: For web checkout via Stripe: email, payment status (no credit card data stored by us)
3. Legal Basis for Processing
We process your data on the following legal grounds:
- Art. 6(1)(b) GDPR (Performance of a contract): Providing KarmaFlow core features — logging entries, AI analysis, karma score, streaks, achievements. This is the core contractual service.
- Art. 6(1)(f) GDPR (Legitimate interests): Account security, abuse prevention, token-based authentication, rate limiting.
- Art. 6(1)(a) GDPR (Consent): Push notifications (daily reminder, streak warning, weekly review) — only after active consent.
4. AI Processing and Data Processors
Your journal entries are analysed by AI services to assign karma dimensions (e.g. compassion, mindfulness, discipline), provide a karma score, and generate reflection prompts.
AI providers used:
- OpenAI, L.P. (San Francisco, USA) — GPT models for karma analysis. Your entries are transmitted to OpenAI via API. Under the OpenAI API Terms of Use (Section 3), API data is not used to train AI models.
- Anthropic PBC (San Francisco, USA) — Claude models as a fallback system. The same safeguards apply. Under the Anthropic Usage Policy, API data is not used for AI training.
Processing is carried out solely for the performance of the contractual service (Art. 6(1)(b) GDPR). Your data is not shared with third parties for advertising purposes.
4a. Anonymised Feedback Pool (secondary use)
To provide free users with immediate reflection prompts even without an AI call, we reuse previously generated AI responses in anonymised form. Specifically:
- The original entry text is not stored. Only the AI-generated output (reflection summary, question, karma dimension, karma value) is reused — never the user input.
- Automated PII filtering: Before reuse, AI responses are checked by a filter that detects email addresses, phone numbers, URLs, longer digit sequences, and likely proper names. Responses with any such finding are discarded and never added to the pool.
- No personal reference: The anonymised pool entries stored this way contain neither a user ID nor any entry text; we are unable to link them back to an individual user.
- Retention: Anonymised pool entries are deleted at the latest 6 months after their last use. A FIFO cap of 50,000 entries per language also applies.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving service quality and reducing AI costs for free users). No user consent is required as no personal data is added to the pool.
- Audit log: For accountability, an internal audit record is kept per persistence attempt (user ID, entry ID, decision, rejection reason). Raw text is only stored when an entry actually passed the PII check and was added to the anonymised pool; otherwise a short, non-reversible hash is stored instead. The audit log is automatically deleted after 90 days at the latest.
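As an added illustration of the gate described in this section (example code, not KarmaFlow's own implementation): a Python filter that rejects an AI output if any of the listed PII categories is found, emits a pool entry carrying only the generated fields, and writes the audit record with the raw text on acceptance or a truncated SHA-256 on rejection. The regular expressions, the six-digit threshold, the capitalised-word name heuristic and the field names are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

# Detectors for the categories the policy names. Thresholds (6+ digits,
# the capitalised-word name heuristic) are this example's assumptions.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"(?:\+\d{1,3}[\s-]?)?\(?\d{2,4}\)?[\s-]?\d{3,4}[\s-]?\d{3,4}"),
    "url": re.compile(r"(?:https?://|www\.)\S+", re.I),
    "digits": re.compile(r"\d{6,}"),
}
ALLOWED_CAPS = {"Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"}

def find_pii(text: str) -> list:
    """Return the kinds of PII found; an empty list means the text may be pooled."""
    found = [kind for kind, pat in PII_PATTERNS.items() if pat.search(text)]
    # Likely proper name: a capitalised word that is not the first word of its sentence.
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        for word in sentence.split()[1:]:
            w = word.strip(".,;:!?")
            if re.fullmatch(r"[A-Z][a-z]{2,}", w) and w not in ALLOWED_CAPS:
                found.append("name")
                return found
    return found

@dataclass
class AuditRecord:
    user_id: str
    entry_id: str
    decision: str       # "accepted" or "rejected"
    reason: str         # rejection reason, empty when accepted
    text_or_hash: str   # raw text only when accepted, else a truncated SHA-256

def gate_for_pool(user_id: str, entry_id: str, ai_output: dict) -> tuple:
    # Only the AI-generated fields are inspected; the original entry text never reaches this function.
    text = f"{ai_output['summary']} {ai_output['question']}"
    findings = find_pii(text)
    if findings:
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]
        return None, AuditRecord(user_id, entry_id, "rejected", ",".join(findings), digest)
    # The pool entry carries only the generated fields: no user ID and no entry text.
    pool_entry = {k: ai_output[k] for k in ("summary", "question", "dimension", "value")}
    return pool_entry, AuditRecord(user_id, entry_id, "accepted", "", text)

# Constructed sample outputs (not real user data)
CLEAN = {"summary": "Your entry shows patience with a difficult colleague.",
         "question": "What helped you stay calm?", "dimension": "compassion", "value": 2}
LEAKY = {"summary": "You thanked Maria and sent the invoice to maria@example.com.",
         "question": "How did that feel?", "dimension": "compassion", "value": 1}
```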
4b. Advertising (Google AdMob)
In the KarmaFlow app, free users can voluntarily watch a rewarded video to earn one additional entry per day (maximum 3 videos per day). Ads are served via Google AdMob (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Premium users see no ads.
Data processed by AdMob:
- Advertising ID (Android Advertising ID — can be reset anytime in device settings)
- IP address
- Device data (model, OS, language)
- Approximate location (IP-based, no GPS)
Legal basis: Art. 6(1)(a) GDPR (consent). Before the first ad is loaded, we display a consent dialog via Google UMP in line with §25 TDDDG / the ePrivacy directive. You may withdraw consent at any time in the app settings. Without consent, no videos are loaded and no bonus entry is offered.
Details on data processing by Google: policies.google.com/privacy.
4c. Images Attached to Journal Entries (Photo Journal)
Starting with version 0.4.4 you can attach images to your karma entries (Free plan: one image per entry, Premium: up to three). Uploading is optional — entries without images keep working exactly as before.
Where the images are stored:
- Cloudflare R2 (EU jurisdiction): We use an object storage bucket whose location is set to the European Union (endpoint *.eu.r2.cloudflarestorage.com). Images never leave the EU.
- One bucket per app: KarmaFlow, KarmaDream and KarmaPrisma each have a dedicated bucket — images of one app are technically isolated from the others.
Data processed:
- Image content (JPEG or PNG, max. 5 MB per image)
- Technical metadata: file size, width × height
- EXIF data is not transmitted. The app strips EXIF fields (including GPS location) from each image before upload.
Processor:
- Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA — object storage (Cloudflare R2). Physical storage happens in Cloudflare's EU data centres. Cloudflare is certified under the EU-US Data Privacy Framework; Standard Contractual Clauses (SCCs) apply additionally.
Legal basis: Art. 6(1)(b) GDPR (contract performance) — attaching an image is a core feature the user actively chooses to use.
Retention: Images are stored together with their entry and removed from the Cloudflare bucket automatically when the account is deleted. An hourly janitor job also purges any upload fragments (partial or abandoned uploads older than one hour).
Note on third-party content: If an image shows identifiable other people (faces, licence plates, etc.), responsibility for their rights rests with you as the user. Please avoid images that infringe the personality rights of third parties without their consent.
5. Third-Country Transfer (USA)
For AI analysis, advertising, web payment processing and technical error tracking, data is transferred to providers in the USA:
- OpenAI and Anthropic: Transfer of journal entries for AI analysis
- Google LLC (AdMob): Transfer of advertising ID, IP and device data for rewarded videos (consent-gated)
- Stripe, Inc.: Transfer of email address and payment status for web checkout
- Functional Software, Inc. dba Sentry: Transfer of technical error reports (stack traces, device metadata, app version) for stability improvements
The transfer is based on the EU-US Data Privacy Framework (adequacy decision by the European Commission of 10 July 2023). Additionally, Standard Contractual Clauses (SCCs) are in place as a safeguard.
5a. Error Tracking (Sentry)
To improve the stability of the app and API, we use Sentry to record technical errors.
Provider:
- Functional Software, Inc. dba Sentry, 132 Hawthorne Street, San Francisco, CA 94107, USA
Data collected:
- Error stack trace (which line of code crashed)
- App/API version, platform (Android/iOS/web), locale, timezone
- Anonymous session ID (not linked to account data)
- Browser/device type (Sentry standard tags)
Data not collected:
- The plain text of your journal entries or photos
- Your account password or payment data
- Location data
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a functional, secure app). Pseudonymisation is achieved through Sentry's default IP masking.
Retention at Sentry: 90 days (Sentry default retention).
6. Payment Processing
- Stripe, Inc. (San Francisco, USA) — Payment processing for web checkout on karmaflow.app. Stripe processes payment data as an independent data processor. The Stripe Data Processing Agreement (DPA) is part of the Stripe Services Agreement.
- Apple (App Store): In-app purchases on iOS. Apple processes payment data under its own data protection responsibility.
- Google (Play Store): In-app purchases on Android. Google processes payment data under its own data protection responsibility.
We do not have access to credit card or bank account data.
7. Data Storage and Retention Periods
- Data is stored on secure servers in the EU (location: Germany)
- Passwords are stored only as hashes (bcrypt)
- Transmission is encrypted (HTTPS/TLS)
Retention periods:
- Account data: Stored until account deletion by the user
- On account deletion: Immediate account deactivation (soft-delete). Final deletion of all personal data after 30 days. Payment data is retained for up to 10 years in accordance with tax retention requirements (Section 147 of the German Fiscal Code).
- AI response cache: 24 hours, then automatically deleted
- Images (Photo Journal, see section 4c): stored until the related entry or account is deleted; orphaned upload fragments are purged hourly
- Anonymised feedback pool (see section 4a): deleted at the latest 6 months after last use; FIFO cap of 50,000 entries per language
- Feedback audit log (see section 4a): automatically deleted after 90 days
- Session tokens: Access token 15 minutes, refresh token 7 days
8. Your Rights (Art. 15-22 GDPR)
You have the right at any time to:
- Access (Art. 15): Information about what data we store about you
- Rectification (Art. 16): Correction of inaccurate data
- Erasure (Art. 17): Complete deletion of your account and all data
- Restriction (Art. 18): Restriction of processing
- Data portability (Art. 20): Export of your data in a machine-readable format
- Objection (Art. 21): Objection to processing based on legitimate interests
- Withdrawal (Art. 7(3)): Withdrawal of consent at any time (e.g. push notifications)
You can delete your account and export your data directly in the app under Settings.
Right to lodge a complaint: You have the right to lodge a complaint with the competent data protection supervisory authority. The responsible authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (Kavalleriestr. 2-4, 40213 Düsseldorf, www.ldi.nrw.de).
9. Cookies and Tracking
This website does not use tracking cookies or analytics. Only technically necessary cookies are used for admin session management (HttpOnly, Secure, SameSite=Strict).
10. Contact
For questions about data protection: Write e-mail