Privacy Policy

Effective Date: April 25, 2026 · Last Updated: April 25, 2026 · Version: 1.0

1. Introduction

This Privacy Policy explains how the Digital Karma mobile application (“Digital Karma,” “the App,” “we,” “us,” or “our”) collects, uses, stores, and protects information about you (“user,” “you,” or “your”). Digital Karma is a personal-privacy assistant that helps you assess your digital security posture, scan for exposed personal information, and learn about online safety.

By using Digital Karma you agree to the practices described below. If you do not agree, please do not install or use the App.

Data controller: Digital Karma
Contact: [email protected]

2. Information We Collect

We collect the minimum information required to operate the App. Categories below correspond to Google Play’s Data Safety form.

2.1 Account information (only if you create an account)

  • Email address — used to sign you in, send security codes, and recover your password. Encrypted in transit (TLS 1.3) and at rest (AES-256 disk encryption on the PostgreSQL host).
  • Password — never stored as plaintext. Hashed using bcrypt with a per-user salt and a cost factor of 12+. Even our staff cannot read your password.
  • User ID (UUID) — randomly generated by our backend. Used internally to associate your data with your account.

2.2 App activity

  • Assessment answers — your responses to in-app digital-privacy assessments.
  • Scan results — username scan results, phone-number scan results, and (optionally) email-breach scan results that you choose to save.
  • Badges and milestones — which achievements you have earned in the App.
  • App preferences — dark mode, notification preferences, scan-frequency preference, two-factor-authentication flag.

2.3 Hashed identifiers (one-way)

  • Phone numbers — when you scan a phone number, the number is hashed with SHA-256 on your device before any optional sync. The plaintext phone number is never sent to or stored by our backend. Note that the space of possible phone numbers is small, so a plain SHA-256 hash can be matched against a guessed number by anyone who obtains it; the stored hash is therefore a pseudonymous identifier rather than anonymized data.
  • Password breach lookups — when you check whether a password has been exposed, we use Have I Been Pwned's k-anonymity range API: the password is SHA-1 hashed on your device and only the first 5 hex characters of that hash are sent. The service returns every known suffix that shares those 5 characters, and the comparison against your full hash happens on your device, so neither your password nor its full hash ever leaves your device.

2.4 Purchase history (only if you purchase Pro)

  • Anonymous purchase event — RevenueCat (our subscription processor) sends our backend a webhook event indicating that a user with your User ID has an active subscription. This contains the product ID and entitlement status only. We do not see or store credit-card numbers, billing addresses, or any other payment details — those are handled exclusively by Google Play / Apple App Store.

2.5 Diagnostic & technical data (opt-in only)

  • Crash logs — if you opt in, anonymous crash traces are recorded so we can fix bugs. No personal content is included. Off by default.
  • App interactions — if you opt in to analytics, we record aggregate counts (e.g., “assessment completed”) with no personal content. Off by default.

2.6 What we DO NOT collect

We never collect, request, or transmit any of the following:

  • Your contacts list
  • Your call logs or SMS message contents
  • Your photos, videos, or files
  • Your location (GPS, network, or otherwise)
  • Your microphone or camera input
  • Your installed-apps list
  • Advertising IDs (IDFA, AAID)
  • Biometric data — Face ID / fingerprint templates never leave your device (the Secure Enclave on iOS, the trusted execution environment on Android); the App only receives a pass/fail result from the operating system
  • Browser history
  • Health, fitness, or financial information

3. How We Use Your Information

We use your information only for the purposes you would reasonably expect from a privacy-and-security app:

Purpose | What we use
Authenticate you | Email + bcrypt-hashed password, optional 6-digit email code
Show your scans and assessments across devices | User ID, assessment & scan records
Award badges and track milestones | Assessment & scan history
Send you breach alerts (opt-in) | Email address
Process your subscription | User ID + RevenueCat webhook events
Send transactional email | Email address (sign-in codes, password resets — never marketing unless you opt in)
Improve the App (opt-in) | Anonymous crash logs and aggregate metrics

We do not use your data for advertising, profile-building, behavioral targeting, or sale to third parties.

5. How We Store and Protect Your Data

5.1 On your device

  • AsyncStorage — stores non-sensitive data like UI preferences and locally-cached scans.
  • expo-secure-store (Keychain on iOS, EncryptedSharedPreferences backed by the Android Keystore on Android) — stores your access and refresh tokens. The encryption keys are hardware-backed on devices that provide a Secure Enclave, TEE or StrongBox; on devices without one they are protected in software by the operating system.
  • Optional biometric lock — when enabled, the App requires Face ID / fingerprint / device PIN before opening.

5.2 On our backend

  • Hosting: Backend is hosted on Abacus.AI’s infrastructure (United States).
  • Database: PostgreSQL on AES-256 encrypted disks. Disk encryption protects your data if storage media are lost or decommissioned; access to the running database is governed by the access controls below.
  • Transport: All API calls use TLS 1.3.
  • Passwords: bcrypt-hashed with cost factor 12+.
  • Phone numbers: SHA-256 hashed before storage; plaintext never persisted.
  • Access controls: Role-based access; production database access is restricted, logged, and requires multi-factor authentication for all staff.
  • Backups: encrypted at rest, retained for 30 days for disaster recovery.
  • Token expiry: Access tokens expire after 15 minutes; refresh tokens after 30 days.
  • Optional two-factor authentication — when enabled, sign-in requires a 6-digit code emailed to you.

5.3 Subscription processing

  • Google Play Billing and Apple In-App Purchase handle all payment information. We never see, store, or transmit your credit-card number.
  • RevenueCat (privacy policy: https://www.revenuecat.com/privacy/) processes our subscription state. RevenueCat receives only your randomly-generated User ID — never your email or any personal details.

6. Third-Party Services

Digital Karma uses a small, intentional set of third parties. Each is listed below with what it does and what data it sees.

Service | Purpose | Data shared | Privacy policy
Have I Been Pwned (HIBP) | Password breach lookup (k-anonymity) and email breach lookup | First 5 chars of SHA-1 password hash; (for email check) your email address | haveibeenpwned.com/Privacy
RevenueCat | Subscription state management | Your randomly-generated User ID and product ID | revenuecat.com/privacy
Google Play Billing (Android) | Process purchases | Per Google Play | policies.google.com/privacy
Apple App Store (iOS) | Process purchases | Per Apple | apple.com/legal/privacy
Cloudflare Turnstile (planned, anti-bot CAPTCHA on registration) | Verify human sign-ups | Anonymous CAPTCHA token, IP address | cloudflare.com/privacypolicy
Abacus.AI Cloud | Hosting our backend (database & API server) | All backend-stored data above | abacus.ai/privacy

We do not use Firebase Analytics, Mixpanel, Amplitude, Sentry, AppsFlyer, Adjust, Branch, Facebook SDK, or any advertising / tracking SDK.

7. Data Retention

  • Account data — kept until you delete your account.
  • Assessment & scan history — kept until you delete your account or clear your data in Settings.
  • Email-breach alerts — kept until you delete the alert or your account.
  • Authentication tokens — refresh tokens automatically expire after 30 days of inactivity.
  • Encrypted backups — retained for 30 days, then permanently destroyed.
  • Anonymous crash logs (opt-in) — kept for 90 days, then deleted.

When you delete your account (Settings → Account → Delete Account), we permanently and irrevocably erase all of your account data from our active databases within 7 days, and from all backups within 30 days.

8. Your Rights

You can exercise the following rights at any time, regardless of where you live:

  • Access — view all your data via the in-app screens (assessments, scans, badges, profile).
  • Export — Settings → Export Results.
  • Correct / Update — edit profile, settings, and preferences in the App.
  • Delete — Settings → Delete Account erases everything; Settings → Clear All Data wipes only the local copy.
  • Withdraw consent — disable analytics, crash logs, breach alerts, or 2FA in Settings.
  • Portability — request a machine-readable export by emailing us.
  • Object / Restrict processing (GDPR) — email us.
  • Lodge a complaint (GDPR) — you may complain to your local data-protection authority. EU residents can find theirs at edpb.europa.eu/about-edpb/about-edpb/members_en.

California residents (CCPA / CPRA)

We do not sell or share personal information for cross-context behavioral advertising. You have the right to:

  • Know what personal information we collect (this policy).
  • Delete your information (Settings → Delete Account).
  • Correct inaccurate information.
  • Limit use of sensitive personal information — Digital Karma does not use any of the categories that CCPA defines as sensitive in a way that triggers the limit-use right (e.g., we do not infer characteristics).
  • Non-discrimination — exercising any of these rights will never result in degraded service.

To exercise any right, email us. We will respond within 30 days (45 for complex requests).

9. Children’s Privacy

Digital Karma is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact us and we will promptly delete it.

10. International Data Transfers

Our backend is hosted in the United States. If you access Digital Karma from outside the United States, your data will be transferred to and processed there. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for international transfers.

11. Security Incident Response

In the unlikely event of a data breach affecting your personal information, we will:

  1. Notify affected users by email within 72 hours of discovery.
  2. Notify relevant supervisory authorities as required by GDPR / CCPA / state breach-notification laws.
  3. Publish a public post-mortem with the cause, scope, and remediation steps.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  1. Update the “Last Updated” date at the top of this page.
  2. Notify you in-app on next launch (and by email for changes that materially expand our data collection).

Your continued use of Digital Karma after a change indicates acceptance of the updated policy. If you do not agree to a change, you may delete your account before it takes effect.

13. Contact Us

Questions, complaints, or rights requests:

Email: [email protected]
Postal: Digital Karma, 6203 Valleybrook Dr, Mechanicsburg, PA 17050, USA

We respond to all privacy inquiries within 30 days.

Digital Karma is a personal-privacy education tool. Nothing in this Privacy Policy or the App constitutes legal, financial, or cybersecurity advice. For high-stakes incidents (e.g., identity theft, doxxing, stalking), contact a qualified professional or law enforcement.