Privacy Policy

Effective Date: May 27, 2026 · Last Updated: May 27, 2026 · Version: 2.0

1. Introduction

This Privacy Policy explains how Digital Karma (“Digital Karma,” “the Platform,” “we,” “us,” or “our”) collects, uses, stores, and protects information about you (“user,” “you,” or “your”). Digital Karma is a personal-privacy education and assessment platform available as a web application and mobile application. It helps you assess your digital security posture, scan for exposed personal information, learn about online safety through interactive modules, and track your security improvement over time.

By using Digital Karma you agree to the practices described below. If you do not agree, please do not use the Platform.

Data controller: Digital Karma
Contact: [email protected]

2. Information We Collect

We collect the minimum information required to operate the Platform.

2.1 Account information (only if you create an account)

  • Email address — used to sign you in, send security codes, welcome emails, and recover your password. Encrypted in transit (TLS) and at rest.
  • Password — never stored as plaintext. Hashed using bcrypt with a per-user salt and a cost factor of 12+. Even our staff cannot read your password.
  • Username (optional) — a display name you choose for the leaderboard and social features. Validated for length and appropriate content.
  • User ID (UUID) — randomly generated by our backend. Used internally to associate your data with your account.
  • Google account info (if you sign in with Google) — we receive your email address and display name from Google. We do not receive or store your Google password.

2.2 Platform activity

  • Assessment answers — your responses to digital-privacy assessments across 10 security domains (passwords, Wi-Fi, email, devices, social media, browsing, two-factor auth, phishing, backups, and software updates).
  • Digital Footprint Scan results — information you voluntarily provide (name, location, employer, social profiles) and the AI-generated analysis of your public digital exposure. Scan results are encrypted at rest using AES-256-GCM with a dedicated encryption key stored separately from the database.
  • Badges, milestones, and XP — achievements earned through learning modules and assessments.
  • App preferences — dark mode, notification preferences, and accessibility settings.
  • Data broker opt-out tracking — if you use our Data Removal Tracker, we store which brokers you’ve contacted and the status of each removal request.
  • Social features (Pro only) — friend connections, avatar customization, and leaderboard participation. Friendships are stored as mutual connections between user IDs.
  • Survey responses (optional) — if you participate in our product research survey.

2.3 Digital Footprint Scan — what we search

When you request a Digital Footprint Scan, our system performs the following research using information you voluntarily provide:

  • Data broker lookups — we check major people-search sites to see if they list your information.
  • Public web searches — we search DuckDuckGo using combinations of your provided name, location, employer, and other details to discover publicly indexed pages mentioning you. This means DuckDuckGo receives and processes queries containing your information.
  • Breach database lookups — via Have I Been Pwned (HIBP), using k-anonymity for passwords and a direct lookup for email addresses (your email address is sent to HIBP for that check).
  • Username enumeration — checking public platforms (GitHub, Reddit, etc.) for accounts matching your known usernames.
  • AI analysis — the collected evidence is analyzed by our AI to score seven risk categories, identify attack scenarios, and generate a personalized action plan. Our AI does not infer sensitive characteristics like ethnicity, religion, or political beliefs.

All scan results are encrypted at rest using AES-256-GCM before storage. Scan records are automatically deleted after 12 months unless you delete them sooner.

2.4 Hashed identifiers (one-way, irreversible)

  • Password breach lookups — when you check whether a password has been exposed, we use HIBP k-anonymity: your device computes the SHA-1 hash of the password, sends only the first 5 hexadecimal characters of that hash to HIBP, receives the list of hash suffixes sharing that prefix, and compares your suffix against the list locally. Your actual password (and its full hash) never leaves your device.

2.5 Purchase information (only if you pre-order or subscribe)

  • Stripe (web payments) — all payment processing is handled by Stripe. We receive a webhook confirming your payment status and order details. We never see, store, or process your credit card number, CVV, or billing address — those are handled exclusively by Stripe.
  • Google Play Billing (mobile Android) — payments are processed entirely by Google Play. We receive only your User ID and entitlement status.

2.6 Anonymized community analytics

  • After each scan, we record anonymized aggregate metadata (number of platforms found, broker count, score ranges) — with zero personally identifiable information. This powers community comparison features like “How You Compare” and broker success rate badges.
  • Engagement scoring — we compute a per-account engagement score from scan frequency, opt-out progress, and platform usage. Because it is used solely to personalize your own experience (e.g., relevant recommendations), it is tied to your user ID rather than anonymized; it is never shared externally.

2.7 Diagnostic & technical data

  • Google Analytics (if configured) — anonymous page views and aggregate usage metrics to help us understand which features are most useful. No personal content is included. You can disable analytics in Settings (see Section 8) or block the Google Analytics script with a content-blocking browser extension.
  • Server logs — we log request metadata (IP address, timestamps, error codes) for security monitoring and debugging. Email addresses are never written to server logs; audit trails reference your internal user ID, which is a pseudonymous identifier rather than a direct one.

2.8 What we DO NOT collect

We never collect, request, or transmit any of the following:

  • Your contacts list
  • Your call logs or SMS message contents
  • Your photos, videos, or files
  • Your location (GPS, network, or otherwise)
  • Your microphone or camera input
  • Your installed-apps list
  • Advertising IDs (IDFA, AAID)
  • Biometric data — Face ID / fingerprints never leave your device’s secure hardware (the Secure Enclave on iOS, the Keystore/TEE on Android); we never see them
  • Browser history
  • Health, fitness, or financial information
  • Sensitive demographics — our AI does not infer ethnicity, religion, political beliefs, or dietary preferences

3. How We Use Your Information

We use your information only for the purposes you would reasonably expect from a privacy-and-security platform:

  • Authenticate you: email + bcrypt-hashed password, or Google SSO, plus an optional email 2FA code
  • Run your Digital Footprint Scan: name, location, employer, social profiles (as provided by you), searched via public web sources and analyzed by AI
  • Show your scans and assessments: user ID, encrypted scan records, assessment history
  • Track your learning progress: module completions, XP, badges, streak data
  • Process your purchase: user ID + Stripe/Google Play webhook events (no card details)
  • Send transactional email: email address — sign-in codes, welcome email, security nudges, re-engagement reminders (opt-out available)
  • Community features (leaderboard, comparison): username (display only), anonymized scores and analytics — never your real name or email
  • Improve the Platform: anonymous aggregate metrics and page analytics (if enabled)

We do not use your data for advertising, profile-building, behavioral targeting, or sale to third parties.

5. How We Store and Protect Your Data

5.1 Encryption

  • In transit: All connections use TLS encryption. Every page and API call is served over HTTPS.
  • At rest (database): Our database uses AES-256 disk encryption.
  • At rest (scan data): Individual scan results are additionally encrypted using AES-256-GCM with a dedicated encryption key stored separately from the database. This means even if someone gained access to the database, each scan result would be unreadable without the separate key.
  • Passwords: bcrypt-hashed with cost factor 12+. Never stored as plaintext.

5.2 Access controls

  • Role-based access controls with admin and user roles.
  • All API routes that access user-specific data require authentication and verify session ownership.
  • Rate limiting applied to all endpoints to prevent abuse (e.g., 10 login attempts per 15 minutes, 5 scans per hour).
  • Optional two-factor authentication via email verification code.
  • Content Security Policy (CSP) headers to mitigate cross-site scripting. A CSP restricts where scripts may load from; it reduces the impact of XSS but does not by itself eliminate the underlying bug.

5.3 On mobile devices

  • Secure token storage — authentication tokens are stored using platform-native secure storage (Keychain on iOS, EncryptedSharedPreferences on Android).
  • Optional biometric lock — when enabled, the App requires Face ID / fingerprint / device PIN before opening.

5.4 Hosting

  • Backend and database hosted on Abacus.AI’s infrastructure (United States).
  • Encrypted, automated backups retained for 30 days for disaster recovery.

5.5 Payment processing

  • Stripe (web payments) handles all payment card processing. Stripe is a PCI DSS Level 1 service provider, the most stringent compliance level under that standard. We never see or store your card details.
  • Google Play Billing (Android) handles all mobile payment information. We receive only entitlement status.

6. Third-Party Services

Digital Karma uses a small, intentional set of third parties. Each is listed below with what it does and what data it sees.

  • Have I Been Pwned (HIBP). Purpose: password breach lookup (k-anonymity) and email breach lookup. Data shared: first 5 characters of the SHA-1 password hash; your email address for the email breach check.
  • DuckDuckGo. Purpose: public web search during scans. Data shared: search queries containing your provided name, location, employer.
  • Abacus.AI (AI processing). Purpose: AI analysis of scan evidence to generate risk scores and action plans. Data shared: collected public evidence (anonymized research brief) — not raw personal data.
  • Stripe. Purpose: payment processing (web). Data shared: payment card info is handled entirely by Stripe; we receive only order status.
  • Google Sign-In (optional). Purpose: authentication via Google SSO. Data shared: email address and display name from your Google account.
  • Google Analytics (optional). Purpose: anonymous page-level usage metrics. Data shared: anonymous page views and interaction events — no personal content.
  • Google Play Billing (Android). Purpose: mobile payment processing. Data shared: per Google Play’s policies.
  • Abacus.AI Cloud (hosting). Purpose: hosting our backend, database, and email delivery. Data shared: all backend-stored data as described in this policy.

We do not use Facebook SDK, advertising SDKs, Mixpanel, Amplitude, Sentry, AppsFlyer, or any other tracking / advertising service.

7. Data Retention

  • Account data — kept until you delete your account.
  • Digital Footprint Scan results — automatically deleted after 12 months from the scan date via our automated cleanup process. You can also delete individual scans at any time.
  • Assessment history — kept until you delete your account or clear your data in Settings.
  • Anonymized community analytics — retained indefinitely as they contain no personally identifiable information and cannot be linked back to individual users.
  • Encrypted backups — retained for 30 days, then permanently destroyed.
  • Server logs — retained for 90 days for security monitoring, then deleted. Logs contain IP addresses and pseudonymous user IDs but never email addresses or other direct identifiers.

When you delete your account (Settings → Account → Delete Account), we permanently and irrevocably erase all of your account data, scan results, scan analytics, assessment history, and preferences from our active databases within 7 days, and from all backups within 30 days.

8. Your Rights

You can exercise the following rights at any time, regardless of where you live:

  • Access — view all your data via the in-app screens (assessments, scans, badges, profile).
  • Export — Settings → Export Account Data downloads a JSON file of all your data.
  • Correct / Update — edit your profile, username, and preferences in Settings.
  • Delete — Settings → Delete Account erases everything permanently.
  • Withdraw consent — disable analytics, email notifications, or community features in Settings.
  • Portability — request a machine-readable export by using the Export feature or emailing us.
  • Object / Restrict processing (GDPR) — email us.
  • Lodge a complaint (GDPR) — you may complain to your local data-protection authority. EU residents can find theirs at edpb.europa.eu/about-edpb/about-edpb/members_en.

California residents (CCPA / CPRA)

We do not sell or share personal information for cross-context behavioral advertising. You have the right to:

  • Know what personal information we collect (this policy).
  • Delete your information (Settings → Delete Account).
  • Correct inaccurate information.
  • Limit use of sensitive personal information — Digital Karma does not use any of the categories that CCPA defines as sensitive in a way that triggers the limit-use right (e.g., we do not infer sensitive characteristics).
  • Non-discrimination — exercising any of these rights will never result in degraded service.

To exercise any right, email us. We will respond within 30 days (45 for complex requests).

9. Email Communications

We may send you the following types of email:

  • Transactional (cannot be disabled) — sign-in verification codes, password resets, account deletion confirmations.
  • Welcome email — sent once when you create your account.
  • Security nudges — periodic reminders to complete your Risk Score assessment or check your scan results. You can opt out via Settings or email unsubscribe links.
  • Re-engagement — if you haven’t used the platform recently, we may send a check-in email with personalized recommendations. You can opt out at any time.

We never send marketing emails to purchased lists, and we never share your email address with third parties for their marketing purposes.

10. Children's Privacy

Digital Karma is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact us and we will promptly delete it.

11. International Data Transfers

Our backend is hosted in the United States. If you access Digital Karma from outside the United States, your data will be transferred to and processed there. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for international transfers.

12. Security Incident Response

In the unlikely event of a data breach affecting your personal information, we will:

  1. Notify affected users by email within 72 hours of discovery.
  2. Notify relevant supervisory authorities as required by GDPR / CCPA / state breach-notification laws.
  3. Publish a public post-mortem with the cause, scope, and remediation steps.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  1. Update the “Last Updated” date at the top of this page.
  2. Notify you in-app on next launch (and by email for changes that materially expand our data collection).

Your continued use of Digital Karma after a change indicates acceptance of the updated policy. If you do not agree to a change, you may delete your account before it takes effect.

14. Contact Us

Questions, complaints, or rights requests:

Email: [email protected]

We respond to all privacy inquiries within 30 days.

Digital Karma is a personal-privacy education tool. Nothing in this Privacy Policy or the Platform constitutes legal, financial, or cybersecurity advice. For high-stakes incidents (e.g., identity theft, doxxing, stalking), contact a qualified professional or law enforcement.