Privacy Notice
Last updated January 4, 2026
1. Overview
This Privacy Notice describes how KarmaGate LLC ("KarmaGate", "we", "us", or "our") collects, uses, shares, and protects personal information when you use our website, software, and services (collectively, the "Services").
Data Controller
KarmaGate LLC
Registered in Georgia
Email: privacy@karmagate.com
1.1 Scope
This Privacy Notice applies to all personal information collected through:
- Our website at karmagate.com and related websites
- KarmaGate software products (Free, Pro, and Enterprise)
- Customer support and communications
- Marketing activities and events
1.2 Key Principles
We are committed to:
- Transparency: Being clear about what data we collect and how we use it
- Minimization: Collecting only the data we need for legitimate purposes
- Security: Protecting your data with appropriate technical and organizational measures
- Control: Giving you control over your personal information
2. Information We Collect
2.1 Information You Provide
We collect information you provide directly, including:
- Account Information: Name, email address, password, organization name, job title
- Payment Information: Credit card details, billing address (processed by our payment providers)
- Communication Data: Messages, support tickets, feedback, and survey responses
- Profile Information: Profile picture, preferences, settings
2.2 Information Collected Automatically
When you use our Services, we automatically collect:
- Device Information: Device type, operating system, browser type and version
- Usage Data: Features used, time spent, interactions with the software
- Log Data: IP address, access times, pages viewed, error logs
- Location Data: Country and region based on IP address (not precise location)
2.3 Information from Third Parties
We may receive information from:
- Identity Providers: When you sign in using SSO
- Payment Processors: Transaction confirmations and fraud prevention data
- Analytics Providers: Aggregated usage statistics
- Business Partners: Referral information from authorized resellers
2.4 Sensitive Data
We do not intentionally collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health information, or biometric data. Our software is designed for security testing, and users should not input sensitive personal data into the testing functionality.
3. How We Use Your Information
3.1 Service Provision
We use your information to:
- Provide, maintain, and improve our Services
- Process transactions and manage your account
- Authenticate users and prevent unauthorized access
- Provide customer support and respond to inquiries
- Send transactional communications (license keys, receipts, updates)
3.2 Product Improvement
We use aggregated and anonymized data to:
- Analyze usage patterns and improve user experience
- Develop new features and functionality
- Fix bugs and improve performance
- Conduct research and development
3.3 Marketing and Communications
With your consent, we may:
- Send newsletters and product updates
- Notify you about promotions and new features
- Invite you to events and webinars
You can opt out of marketing communications at any time by clicking the unsubscribe link or contacting us at privacy@karmagate.com.
3.4 Legal and Safety
We may use your information to:
- Comply with legal obligations and respond to lawful requests
- Enforce our Terms of Service and protect our rights
- Detect, prevent, and investigate fraud and abuse
- Protect the safety and security of our users and the public
3.5 Legal Bases for Processing (GDPR)
For users in the European Economic Area, UK, and similar jurisdictions, our legal bases for processing are:
| Purpose | Legal Basis |
|---|---|
| Providing Services | Contract performance |
| Payment processing | Contract performance |
| Marketing communications | Consent |
| Product improvement | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Legal compliance | Legal obligation |
5. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
5.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days |
| Transaction records | 7 years (legal requirement) |
| Support communications | 3 years from last communication |
| Usage logs | 90 days |
| Marketing preferences | Until consent withdrawn |
5.2 Account Deletion
When you delete your account, we will delete or anonymize your personal information within 30 days, except where we need to retain certain information for legal purposes or to resolve disputes.
6. Security Measures
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
6.1 Technical Measures
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Regular security assessments and penetration testing
- Intrusion detection and prevention systems
- Access controls and authentication mechanisms
- Regular security updates and patching
6.2 Organizational Measures
- Employee security training and awareness programs
- Access limited to personnel who need it for their roles
- Confidentiality obligations for all employees and contractors
- Incident response procedures
- Regular security audits
For more information about our security practices, please visit our Security page.
7. Your Rights
Depending on your location and applicable laws, you may have the following rights regarding your personal information:
7.1 Right to Access
You have the right to request a copy of the personal information we hold about you and information about how we process it.
7.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal information.
7.3 Right to Erasure
You have the right to request deletion of your personal information in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected.
7.4 Right to Restrict Processing
You have the right to request that we restrict the processing of your personal information in certain circumstances.
7.5 Right to Data Portability
You have the right to receive your personal information in a structured, commonly used, machine-readable format and to transmit it to another controller.
7.6 Right to Object
You have the right to object to processing of your personal information based on legitimate interests, including for direct marketing purposes.
7.7 Right to Withdraw Consent
Where we rely on your consent to process your personal information, you have the right to withdraw that consent at any time.
7.8 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@karmagate.com. We will respond to your request within 30 days. We may request verification of your identity before processing your request.
7.9 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates applicable data protection laws.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.
9.1 Transfer Safeguards
When we transfer personal information outside of the European Economic Area, UK, or other regions with comprehensive data protection laws, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Data Processing Agreements with all sub-processors
- Additional technical and organizational measures as appropriate
9.2 Data Residency Options
Enterprise customers may have options for data residency in specific geographic regions. Please contact us for more information about data residency options.
10. Data Processing Agreement
This section constitutes a Data Processing Agreement ("DPA") between you as the data controller and KarmaGate LLC as the data processor, as required under GDPR and similar data protection regulations.
Note: This DPA applies when KarmaGate processes personal data on your behalf. For Enterprise customers requiring a separate signed DPA, please contact legal@karmagate.com.
10.1 Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data.
- "Data Controller" means you, the entity that determines the purposes and means of processing.
- "Data Processor" means KarmaGate LLC, which processes Personal Data on behalf of the Data Controller.
- "Sub-processor" means any third party engaged by KarmaGate to process Personal Data.
10.2 Processing Instructions
KarmaGate will only process Personal Data in accordance with your documented instructions, including:
- Providing the Services as described in these Terms
- Complying with other reasonable documented instructions that are consistent with these Terms
- Processing required by applicable law (we will inform you unless prohibited)
10.3 Security Obligations
KarmaGate will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit and at rest
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience
- Regular testing and evaluation of security measures
- Process for restoring availability and access to Personal Data in case of incident
10.4 Sub-processors
You authorize KarmaGate to engage sub-processors to assist in providing the Services, subject to:
- Written agreements with sub-processors imposing equivalent data protection obligations
- Notice to you of any intended changes to sub-processors with opportunity to object
- KarmaGate remaining liable for sub-processor compliance
10.5 Data Subject Rights
KarmaGate will assist you in responding to requests from data subjects exercising their rights under applicable data protection law, including requests for access, rectification, erasure, restriction, portability, and objection.
10.6 Data Breach Notification
KarmaGate will notify you without undue delay upon becoming aware of a Personal Data breach affecting your data. The notification will include:
- Nature of the breach including categories and number of data subjects affected
- Contact details of our data protection officer or other contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach
10.7 Audit Rights
KarmaGate will make available information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by you or an auditor mandated by you.
10.8 Return and Deletion
Upon termination of the Services, KarmaGate will, at your choice, delete or return all Personal Data and delete existing copies unless retention is required by applicable law.
11. California Privacy Rights (CCPA)
This section provides additional disclosures required by the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), for California residents.
11.1 Categories of Personal Information
We collect the following categories of personal information:
- Identifiers: Name, email address, IP address, account identifiers
- Commercial Information: Products or services purchased, payment history
- Internet Activity: Browsing history, interactions with our website
- Geolocation Data: General location based on IP address
- Professional Information: Job title, company name
- Inferences: Preferences derived from the above
11.2 Sources of Personal Information
We collect personal information from:
- Directly from you (account registration, purchases, support requests)
- Automatically through your use of our Services (cookies, analytics)
- Third-party service providers (payment processors, analytics providers)
11.3 Business Purposes for Collection
We use personal information for:
- Providing our Services and customer support
- Processing transactions and payments
- Security and fraud prevention
- Improving our products and services
- Marketing and communications (with consent)
- Legal compliance
11.4 Your CCPA Rights
As a California resident, you have the following rights:
Right to Know
You can request disclosure of what personal information we have collected, used, disclosed, or sold about you in the past 12 months.
Right to Delete
You can request deletion of your personal information, subject to certain exceptions.
Right to Correct
You can request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing
You can opt out of the sale or sharing of your personal information for targeted advertising.
Right to Limit Sensitive Personal Information
You can limit the use of sensitive personal information to what is necessary for providing our Services.
Right to Non-Discrimination
You will not be discriminated against for exercising your privacy rights.
11.5 Sale and Sharing of Personal Information
Do Not Sell or Share My Personal Information
KarmaGate does not sell personal information in the traditional sense. However, some cookies and tracking technologies may constitute "sharing" under CCPA for targeted advertising purposes.
You can opt out of this sharing by:
- Using our cookie preferences to disable marketing cookies
- Enabling Global Privacy Control (GPC) in your browser
- Contacting us at privacy@karmagate.com
11.6 Exercising Your Rights
To submit a CCPA request:
- Email: privacy@karmagate.com
- Subject line: "CCPA Request"
We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf with written permission.
11.7 Financial Incentive Programs
We do not offer financial incentives that require disclosure under CCPA.
11.8 Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Notice, unless a longer retention period is required by law. See Section 5 (Data Retention) for more details.
12. APEC Privacy Framework
KarmaGate adheres to the Asia-Pacific Economic Cooperation (APEC) Privacy Framework principles for the protection of personal information transferred within the APEC region.
12.1 APEC Privacy Principles
We comply with the following APEC privacy principles:
Preventing Harm
We implement measures to minimize the risk of harm to individuals from the collection and use of their personal information.
Notice
We provide clear notice about our data practices at or before the time of collection.
Collection Limitation
We only collect personal information that is necessary for our stated purposes.
Uses of Personal Information
We only use personal information for the purposes for which it was collected or for compatible purposes.
Choice
We provide individuals with choices regarding the collection, use, and disclosure of their personal information.
Integrity of Personal Information
We take reasonable steps to ensure personal information is accurate, complete, and up-to-date.
Security Safeguards
We protect personal information with appropriate security measures against risks such as loss, unauthorized access, destruction, use, modification, or disclosure.
Access and Correction
Individuals can access their personal information and request corrections to inaccurate information.
Accountability
We are accountable for complying with these principles and have designated individuals responsible for data protection.
12.2 Cross-Border Data Transfers
When transferring personal information across borders within the APEC region, we ensure that:
- Appropriate contractual protections are in place
- Recipients are bound by equivalent privacy obligations
- Transfers comply with applicable data protection laws
- We remain accountable for information processed by third parties
12.3 APEC Member Economies
The APEC Privacy Framework applies to transfers to and from the following participating economies: Australia, Canada, Chinese Taipei, Japan, Republic of Korea, Mexico, Philippines, Singapore, and the United States.
12.4 Inquiries and Complaints
If you have questions or complaints about our handling of your personal information under the APEC Privacy Framework, please contact us at privacy@karmagate.com. We will investigate and attempt to resolve complaints in accordance with our internal procedures.
13. Children's Privacy
Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information.
14. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by:
- Posting the updated Privacy Notice on our website
- Updating the "Last updated" date
- For material changes, sending you an email notification
Your continued use of the Services after any changes constitutes acceptance of the updated Privacy Notice.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Notice or our data practices, please contact us:
KarmaGate LLC
Privacy inquiries: privacy@karmagate.com
For legal matters: legal@karmagate.com
For security matters: security@karmagate.com
We aim to respond to all requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.