Last updated · 2026-05-24
Privacy policy
We collect the minimum data needed to run Karigar. This page explains what we collect, why, the legal basis under GDPR and India's DPDP Act, how long we keep it, who else processes it on our behalf, and how to exercise your rights.
Who we are
Karigar is operated by photoGen. For privacy questions, data-subject requests, or any concerns about how your data is handled, contact hritikshiwach7@gmail.com. Under India's DPDP Act, this address also serves as our designated grievance officer contact.
What we collect & why
- Email — only if you sign in. Used to send magic-link sign-ins and pack-purchase receipts. Lawful basis: performance of contract (GDPR Art 6(1)(b)).
- Photos you upload — stored for generation processing. Auto-deleted from our servers after 24 hours. Lawful basis: performance of contract.
- Generated outputs — kept as long as your account exists so you can re-download them. Lawful basis: performance of contract.
- IP-derived country — used to show the right currency / payment methods / marketplaces for your region. Stored briefly in a cookie. Your IP itself is kept for 30 days for abuse prevention, not associated with your account. Lawful basis: legitimate interest (regional service delivery).
- Payment info — handled entirely by Razorpay. We never see or store your card or UPI details; we only receive a payment id + amount. Lawful basis: performance of contract.
- Anonymous usage analytics — aggregate page-view data via Vercel Analytics. Lawful basis: legitimate interest.
- Identified product analytics and error attribution — tagged with your account id once you sign in, ONLY if you explicitly opt in via Account → “Tag analytics with my account”. Off by default. No email, name, photo bytes, or payment data is sent. Lawful basis: consent (Art 6(1)(a)).
How we use it
Only to run the service: generate photos, grant credits, process payments, prevent abuse, fix bugs, and improve product flows. We do not sell or share your data with advertisers. We do not send marketing emails unless you explicitly opt in.
Who else processes your data
We rely on third-party providers for the following categories: hosting + edge compute, database + auth + storage, image generation (the AI model that produces the output photo), payments, bot detection, identity (Google OAuth), product analytics, and error monitoring. Each provider has signed a data-protection agreement covering GDPR + DPDP obligations. Where data leaves India or the EU, the transfer is protected by Standard Contractual Clauses (SCCs) or an equivalent adequacy mechanism.
The current named list (provider, purpose, region) is available on request — email hritikshiwach7@gmail.com and we will share it. We notify signed-in users 14 days before adding any new provider.
Cookies
We use two categories of cookies. Essential cookies keep you signed in, remember your language choice, and carry your IP-derived country for payment + marketplace selection; these are always on because the site doesn't work without them. Analytics cookies (PostHog + Sentry session replay) are off by default; you opt in via the consent banner on your first visit and can change your mind at any time from /account.
Retention
- Uploaded photos: 24 hours (auto-deleted)
- Generated outputs: stored as long as your account exists
- Server logs: 30 days
- Anonymous IP records (abuse prevention): 30 days
- Account data + payment records: until you delete your account; payment records may be retained longer where Indian tax law requires (typically 8 years)
- Analytics events: 12 months rolling window
Your rights
Under GDPR (if you're in the EU/EEA/UK) and India's DPDP Act, you have the following rights at no cost:
- Right to access — see what data we hold on you. Use the “Export my data” button on /account to download a JSON file with every record we have.
- Right to rectification — correct anything inaccurate. Email us; some fields you can edit directly from /account.
- Right to erasure — delete your account and all associated data. The Delete account button on /account does this immediately and cascades through all sub-processors.
- Right to data portability — the same export as above, in machine-readable JSON format.
- Right to restrict / object to processing — opt out of analytics from /account; for other processing, email us.
- Right to withdraw consent — revoke analytics consent any time from /account; affects only future tracking.
- Right to lodge a complaint — with your local Data Protection Authority (EU/UK) or India's Data Protection Board once it's operational. You don't need to contact us first.
We respond to data-subject requests within 30 days (GDPR) / 7 days of acknowledgement (DPDP). For requests, email hritikshiwach7@gmail.com.
Age
Karigar is intended for users aged 16 or older. We do not knowingly collect data from anyone under 16. Under GDPR Art 8, children under 16 in EU member states need verifiable parental consent for online services; under DPDP §9, children under 18 in India require parental consent. If you believe we have data on a minor without proper consent, email hritikshiwach7@gmail.com and we will delete it.
Data breach notification
If a security incident exposes your personal data, we will: (1) notify the relevant supervisory authority within 72 hours (GDPR) and India's Data Protection Board (DPDP), (2) notify affected users by email without undue delay if the breach poses a high risk to their rights, and (3) publish a post-incident summary on this page.
Grievance officer
For India-based users under the DPDP Act: photoGen is the designated Data Fiduciary. Grievance officer contact: hritikshiwach7@gmail.com. We acknowledge complaints within 7 days and aim to resolve them within 30 days.
Changes to this policy
If we make material changes — adding a new sub-processor, changing retention windows, or expanding the data we collect — we'll update the “Last updated” date at the top and email signed-in users 14 days before the change takes effect. The latest version is always at /privacy.
Contact
Any privacy question, request, or complaint: hritikshiwach7@gmail.com. We read every email.