This document is a draft and will be finalized before launch. Questions? Contact hello@karmic.works.

Privacy Policy

Last updated: April 2026

This Privacy Policy describes how karmic.works ("we", "us", "our") handles data in connection with the Bodygraph API ("Service").

1. What We Collect

Account data: When you create an account, we collect your email address and a password. These are used for authentication and to communicate with you about your account.

API usage data: We track the number of API requests per key per day for rate limiting and usage display purposes. We record request counts, timestamps, and the API key used. We do not log request payloads (birth data inputs).

Payment data: Payments are processed by Polar (polar.sh), our Merchant of Record. Polar collects payment information (card details, billing address) directly. We do not store your payment details. Polar handles VAT calculation and collection. See Polar's privacy policy for details on how they handle payment data.

Analytics: We use analytics cookies on the landing page to understand how visitors use the site. You can decline analytics cookies via the cookie consent banner. The customer portal and API endpoints do not use analytics cookies.

2. What We Do NOT Collect or Store

Birth data: The API is a stateless endpoint. Birth date, birth time, and timezone data sent in API requests is processed in real time to generate chart output and is immediately discarded. We do not store, log, or retain any birth data from API requests. We cannot retrieve or reconstruct past API inputs.

Chart output: Generated chart data (JSON, SVG, PNG) is returned directly in the API response and not stored on our servers.

3. How We Use Your Data

  • Account email: authentication, account communications, service updates
  • API usage counts: rate limiting, usage display in your portal, service monitoring
  • Analytics: understanding how visitors use the landing page to improve it

We do not sell, share, or provide your data to third parties, except:

  • Polar (payment processing — only email and payment details necessary for billing)
  • Analytics provider (anonymized visitor data from the landing page only, if you accept cookies)

4. Data Retention

  • Account data: retained as long as your account exists. You can request account deletion by emailing hello@karmic.works.
  • API usage data: daily request counts are retained for billing and usage display. Historical usage data older than 90 days may be aggregated and anonymized.
  • Birth data: not retained. Discarded immediately after processing.

5. Your Rights (GDPR)

If you are in the European Economic Area, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to processing of your data

To exercise these rights, email hello@karmic.works. We will respond within 30 days.

6. Security

API keys are generated using cryptographically secure methods. Account passwords are hashed and never stored in plain text. All API communication is encrypted via HTTPS (TLS).

7. Children

The Service is not directed at children under 16. We do not knowingly collect data from children.

8. Changes

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email.

9. Contact

Questions about this Privacy Policy? Email us at hello@karmic.works.