Privacy Policy
Last updated: January 29, 2026
This Privacy Policy describes how Kartha Labs ("Kartha," "we," "us") collects, uses, and shares your personal information when you use our services at kartha.app and our mobile applications (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy.
Information Collected
1.1 Information You Provide
Account Information:
- Email address
- Display name (optional)
- Profile picture (optional)
User Content:
- Tasks, notes, and projects you create
- Routines, schedules, and events
- Counters and logs
- Documents and files you upload
Payment Information:
- Handled by Kartha's payment processors (Razorpay, DodoPayments, Apple, Google)
- Kartha does NOT store full payment card details
1.2 Information Collected Automatically
Usage Data:
- Features used and frequency
- App performance data
- Error and crash reports
Device Information:
- Device type and operating system
- Browser type and version
- IP address (for security purposes)
1.3 Mobile Application Data
If you use Kartha on iOS or Android, additional information may be collected:
Device Information:
- Device model and operating system version
- Unique device identifiers (for subscription verification only)
- App version installed
- Timezone and language settings
Subscription Data (via RevenueCat):
- Purchase history within Kartha
- Subscription status (active, expired, trial, etc.)
- Transaction identifiers
- Price and currency of purchases
This data is collected to:
- Verify your subscription status across devices
- Provide customer support for billing issues
- Prevent subscription fraud
- Improve app compatibility
How Your Information Is Used
Your information is used to:
- Provide and maintain the Service
- Process your subscription and payments
- Send transactional emails (receipts, password resets)
- Improve the Service based on usage patterns
- Ensure security and prevent fraud
- Comply with legal obligations
Kartha does NOT:
- Sell your personal data
- Use your content for advertising
- Share your data with third parties for marketing
- Train AI models on your personal content
Legal Bases for Processing (GDPR)
If you are located in the EU or UK, Kartha relies on the following legal bases to process your personal information:
- Consent: Your information may be processed if you have given permission to use your personal information for a specific purpose. You can withdraw your consent at any time.
- Performance of a Contract: Your personal information may be processed when it is necessary to fulfill Kartha's contractual obligations to you, including providing the Services.
- Legitimate Interests: Your information may be processed when it is reasonably necessary to achieve Kartha's legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms.
- Legal Obligations: Your information may be processed where it is necessary for compliance with Kartha's legal obligations.
Data Storage and Security
4.1 Where Your Data Is Stored
Your data is stored on servers provided by:
- Supabase (Database and Authentication)
- Vercel (Web Hosting)
Both providers maintain SOC 2 compliance and use encryption at rest.
4.2 Security Measures
- TLS 1.3 encryption in transit
- AES-256 encryption at rest
- Row Level Security (RLS) database isolation
- Optional client-side encryption for sensitive content
Absolute security cannot be guaranteed. Transmission of personal information is at your own risk.
Payment and Subscription Processors
Third-party services are used to process payments and manage subscriptions. Full payment card details are not stored on Kartha's servers.
Web Payments:
- Razorpay (India): razorpay.com/privacy
- DodoPayments (International): dodopayments.com/privacy
Mobile App Payments:
- Apple App Store: apple.com/legal/privacy
- Google Play Store: policies.google.com/privacy
Subscription Management:
- RevenueCat: revenuecat.com/privacy
When you make a purchase:
- Payment card details are sent directly to the payment processor
- Kartha receives only: confirmation of payment, subscription status, transaction ID, and last 4 digits of card (for display purposes)
- Kartha does NOT receive or store: full card numbers, CVV, or banking credentials
Third-Party Services
| Service | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Database, Auth | supabase.com/privacy |
| Vercel | Hosting | vercel.com/privacy |
| Razorpay | Payments (India) | razorpay.com/privacy |
| DodoPayments | Payments (Intl) | dodopayments.com/privacy |
| RevenueCat | Mobile Subscriptions | revenuecat.com/privacy |
| Calendar Sync, OAuth | policies.google.com/privacy | |
| Apple | OAuth, IAP | apple.com/legal/privacy |
App Store Data Sharing: When you download Kartha from an App Store, that App Store may share certain data with Kartha as described in their privacy policies. Kartha does not have access to your App Store account credentials or payment methods stored with Apple or Google.
Cookies
Kartha uses essential cookies for authentication and session management. No tracking cookies or third-party advertising cookies are used.
Types of cookies used:
- Essential cookies: Required for authentication and session management
- Preference cookies: Remember your settings (theme, timezone)
Managing cookies: Most web browsers allow you to control cookies through settings. However, disabling cookies may affect functionality.
Your Rights
You have the right to:
- Access your data (Settings → Export Data)
- Correct inaccurate data
- Delete your data (Settings → Delete Account)
- Port your data (JSON export)
- Opt out of analytics
To exercise these rights, visit your account settings or contact Kartha at privacy@kartha.app
8.1 Managing Mobile Subscriptions
Your subscription management rights depend on where you subscribed:
If you subscribed via Web (Razorpay/DodoPayments):
- Manage subscription: Settings → Account → Subscription
- Cancel anytime through the app
- Request refunds directly from Kartha
If you subscribed via Apple App Store:
- Manage subscription: iPhone Settings → [Your Name] → Subscriptions
- Cancel through Apple, not through Kartha
- Request refunds at reportaproblem.apple.com
- Apple controls billing and refund decisions
If you subscribed via Google Play:
- Manage subscription: Google Play → Profile → Payments & subscriptions
- Cancel through Google Play, not through Kartha
- Request refunds through Google Play
- Google controls billing and refund decisions
To check where you subscribed: Settings → Account → Subscription will show your billing provider.
GDPR Rights (EU/UK/EEA Users)
If you are in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under GDPR:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Request limitation of how your data is used
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time where consent is relied upon
- Right to Lodge a Complaint: File a complaint with your local data protection authority
How to exercise your rights: Email privacy@kartha.app or use the in-app settings. A response will be provided within 30 days.
Data Protection Authority: You may lodge a complaint with your local supervisory authority if you believe your rights have been violated.
US State Privacy Rights (CCPA and Others)
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the following rights:
- Right to Know and Access: Request information about what personal data Kartha collects, uses, and discloses
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Portability: Obtain a copy of your personal data in a portable format
- Right to Non-Discrimination: Kartha will not discriminate against you for exercising your rights
- Right to Opt Out: Opt out of the sale of personal data or targeted advertising
Kartha does NOT sell your personal information.
Global Privacy Control (GPC): Kartha recognizes and honors Global Privacy Control (GPC) signals. If you use a browser or extension that supports GPC, your opt-out preference will be automatically applied. Visit globalprivacycontrol.org for more information.
How to exercise your rights: Email privacy@kartha.app. Your identity will be verified and a response provided within 45 days.
Appeals: If your request is declined, you may appeal by emailing contact@kartha.app. If your appeal is denied, you may submit a complaint to your state attorney general.
DPDP Act Rights (Indian Users)
If you are a resident of India, you have rights under the Digital Personal Data Protection Act, 2023 (DPDP Act). Under the Act, you are a "Data Principal" and Kartha is a "Data Fiduciary."
- Right to Access: Request a summary of your personal data and processing activities. Use Settings → Export Data to download all your data in JSON format.
- Right to Correction: Request correction of inaccurate or incomplete personal data. You can edit your data directly within the app at any time.
- Right to Erasure: Request deletion of your personal data. Use Settings → Account → Delete Account to initiate deletion. Your data will be removed within 30 days, and backups purged within 90 days.
- Right to Grievance Redressal: Submit complaints regarding data processing to privacy@kartha.app. Complaints will be acknowledged and addressed within 30 days.
- Right to Nominate: In the event of death or incapacity, your nominated representative may exercise your rights on your behalf. Contact privacy@kartha.app to register a nominee.
Consent: By creating an account on Kartha, you provide consent for the processing of your personal data as described in this policy. Consent is required to use the service. You may withdraw consent at any time by deleting your account via Settings → Account → Delete Account. Upon deletion, a 30-day grace period applies during which your data is retained in case you wish to restore your account. After 30 days, all personal data is permanently deleted and cannot be recovered.
Children's Data: Kartha does not knowingly process the data of individuals under 18 years of age. See the Children's Privacy section below for details.
Data Protection Board: If your complaint is not resolved to your satisfaction, you may file a complaint with the Data Protection Board of India as established under the DPDP Act, 2023.
How to exercise your rights: Email privacy@kartha.app or use the in-app settings. A response will be provided within 30 days.
Data Retention
General Retention:
- Active accounts: Data retained while account is active
- Deleted accounts: Data removed within 30 days
- Backups: Purged within 90 days of deletion
Subscription Data Retention:
| Data Type | Retention Period | Reason |
|---|---|---|
| Transaction records | 7 years | Tax and legal compliance |
| Subscription status | Account duration + 30 days | Service provision |
| Payment processor IDs | 7 years | Refund processing, disputes |
| RevenueCat user ID | Account duration | Subscription sync |
After account deletion:
- Active subscription data is removed within 30 days
- Transaction records required for legal/tax purposes may be retained longer
- Anonymized purchase analytics may be retained indefinitely
International Data Transfers
Your data may be transferred to and processed in countries outside your residence:
| Service | Location | Safeguards |
|---|---|---|
| Supabase | USA/EU | Standard Contractual Clauses |
| Vercel | USA/Global | Standard Contractual Clauses |
| RevenueCat | USA | Standard Contractual Clauses |
For EU/UK users: These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives equivalent protection.
Children's Privacy
Kartha is not intended for individuals under 18 years of age. Personal data from individuals under 18 is not knowingly collected. This is in accordance with the Digital Personal Data Protection Act, 2023 (India) and applicable international regulations.
If it is discovered that personal information from an individual under 18 has been collected, the account will be deactivated and the data deleted promptly.
If you believe information from an individual under 18 has been collected, please contact Kartha at privacy@kartha.app
Links to Other Websites
The Service may contain links to other websites not operated by Kartha. Kartha is not responsible for the content or privacy practices of third-party sites. You are encouraged to review the privacy policy of every site you visit.
Email Communications
Types of emails sent:
- Transactional: Account verification, password resets, receipts
- Service: Trial reminders, subscription updates, feature announcements
- Marketing: Product updates, tips (only with consent)
Unsubscribe: You can unsubscribe from marketing emails at any time by clicking the unsubscribe link in any email or updating your preferences in Settings.
Transactional emails related to your account cannot be opted out of while your account is active.
Changes to This Policy
This Privacy Policy may be updated from time to time. You will be notified of material changes via email or in-app notification at least 30 days before they take effect.
Your continued use of Kartha after changes constitutes acceptance of the updated policy.
Contact Us
For privacy inquiries:
Email: privacy@kartha.app
Mailing Address:
Kartha LabsPA: #17, Shanthi Nivas, 2nd Main, 2nd Block
KHM Block, Ganganagar
Bengaluru, Karnataka 560032
India
This Privacy Policy is effective as of the date shown above.