Privacy & Security

Karma One puts user data privacy and security first. This page explains how we protect your data, what privacy options are available, and the control you have over your own information.

Core Principles

  • Your data belongs to you. We do not claim ownership of your conversations or uploaded files.
  • Not used for training. Your data is never used to train any AI model.
  • Minimal collection. We collect only what is strictly necessary to provide the service.
  • Full transparency. We are open about how your data is handled.

Encryption

In Transit

All data transmitted between your device and Karma One servers is encrypted with TLS 1.3. This means your conversations, uploaded files, and account information cannot be intercepted or read by third parties during transmission.

End-to-End Encryption

Karma One implements end-to-end encryption (E2EE) for conversation content:

  • Messages are encrypted on your device before they are sent to the server.
  • The server stores only encrypted ciphertext.
  • Only your device holds the decryption key.

This ensures that even Karma One's own servers cannot read the plaintext of your conversations.

At Rest

Data stored on Karma One servers is protected with AES-256 encryption, the same standard used across finance, healthcare, and government sectors worldwide.

Data Storage

Where Data Is Stored

Karma One stores data on trusted cloud infrastructure that meets international security standards. The specific storage location depends on your service region.

For organizations with data residency requirements, we offer regional hosting options and on-premises deployment through Sovereign AI.

What Is Stored

| Data Type | Storage Method | Retention |
|-----------|---------------|-----------|
| Conversations | End-to-end encrypted | Until you delete them or close your account |
| Uploaded files | Encrypted at rest | Until you delete them or close your account |
| Knowledge base indexes | Encrypted at rest | Follows the lifecycle of the source file |
| Account information | Encrypted at rest | Duration of account existence |
| Usage statistics | Anonymized | Used for service improvement only |

What Is Not Stored

  • Plaintext conversation content on servers (E2EE prevents this)
  • Payment card numbers (processed by certified payment providers)
  • Biometric data
  • Precise device location (unless you explicitly use the location tool)

Sovereign AI Options

For users with heightened data privacy requirements, Karma One provides two levels of Sovereign AI:

Advanced Sovereign AI (Local / Karma Box)

  • AI models run on your own device (via Karma Box on macOS).
  • Data never leaves your machine.
  • No internet connection required for AI processing.
  • Ideal for handling the most sensitive information.
  • Includes local image generation and local vision analysis capabilities.

How to activate: In a conversation, say "Use the Advanced Sovereign AI model."

Cloud Sovereign AI

  • AI models run on cloud infrastructure you control.
  • Data stays within your designated infrastructure boundary.
  • Does not pass through third-party public AI services.
  • Ideal for enterprise-grade privacy requirements.

How to activate: In a conversation, say "Use the Sovereign AI model."

In sovereign mode, some features that depend on third-party services (such as web search or third-party image generation) may be unavailable.

The table below summarizes data flow by mode:

| Mode | Data Sent Externally | Third Party Involved |
|------|---------------------|---------------------|
| Standard | Yes (to AI provider) | Anthropic, OpenAI, or Google |
| Cloud Sovereign | To your servers only | None |
| Local Sovereign (Karma Box) | Nowhere | None |

See Sovereign AI for setup instructions and detailed comparisons.

No Training on User Data

Karma One makes an explicit commitment:

  • We do not use your conversations to train AI models.
  • We do not use your uploaded files to train AI models.
  • We do not provide your data to any third party for model training.
  • AI model improvements come from the model providers (Anthropic, OpenAI, Google) through their own independent training processes, which are also governed by their respective no-training-on-user-data policies.

This commitment applies to all subscription tiers, including free accounts.

Your Data Rights

Data Export

You can export your data at any time:

  • Conversations -- Export to PDF, Word (DOCX), Excel (XLSX), or Markdown format.
  • Knowledge base files -- Download the original files you uploaded.
  • Full account data -- Contact support to receive a complete copy of your personal data.

Data Deletion

You have full control over data deletion:

  • Delete individual messages -- Remove specific messages from a conversation.
  • Delete entire conversations -- Delete a full conversation and its history.
  • Delete knowledge base files -- Remove specific files and their associated indexes.
  • Clear all data -- One-click removal of all personal data from Settings.

Data deletion is permanent and irreversible. Once deleted, data is removed from all servers and backups within 30 days.

Account Closure

If you choose to stop using Karma One, you can request account closure:

  1. Open Settings.
  2. Go to Account Management.
  3. Tap Delete Account.
  4. Confirm the deletion.

What happens after closure:

  • All conversation data is permanently deleted.
  • All uploaded files are permanently deleted.
  • Account information is cleared.
  • Active subscriptions are automatically cancelled.
  • The process completes within 30 days of confirmation.

GDPR Compliance

For users in the European Union, Karma One complies with the General Data Protection Regulation (GDPR):

  • Right to be informed -- Clear notice about how data is collected and used.
  • Right of access -- You can view and obtain a copy of your data.
  • Right to rectification -- You can correct inaccurate personal information.
  • Right to erasure -- You can request deletion of your data (right to be forgotten).
  • Right to data portability -- You can export your data in standard formats.
  • Right to restrict processing -- You can limit how your data is used.
  • Right to object -- You can object to specific data processing activities.

Data processing is based on legitimate interest (service provision) and user consent. You can withdraw consent at any time.

Security Audits and Practices

Karma One's security program includes:

  • Regular security audits -- Periodic third-party penetration testing and vulnerability assessments.
  • Access control -- Strict role-based access control and the principle of least privilege for all internal systems.
  • Incident response -- 24/7 security monitoring with defined incident response procedures and escalation paths.
  • Infrastructure security -- Network segmentation, intrusion detection systems, and DDoS protection.
  • Employee training -- Mandatory security awareness training for all team members.
  • Vendor assessment -- Third-party vendors are evaluated for security and compliance before integration.
  • Code security -- Secure development lifecycle with code review, static analysis, and dependency scanning.

Compliance Certifications

Karma One aligns with recognized international security and privacy frameworks:

| Framework | Status | Description |
|-----------|--------|-------------|
| GDPR | Compliant | EU General Data Protection Regulation |
| SOC 2 Type II | In progress | Service Organization Control audit |
| ISO 27001 | Aligned | Information security management standard |
| PIPL | Compliant | China Personal Information Protection Law |

We continuously work to expand our compliance coverage as the regulatory landscape evolves.

Third-Party AI Services

When providing AI capabilities in standard mode, Karma One may route requests to third-party AI providers (such as Anthropic Claude, OpenAI GPT, or Google Gemini). In these cases:

  • Only the data necessary to fulfill the current request is sent to the provider.
  • Each provider has its own privacy policy and data protection commitments.
  • All major providers commit to not using API data for model training.
  • You can choose to use Sovereign AI mode to avoid data passing through any third-party service entirely.

Contact

If you have questions about data privacy or need to exercise your data rights, contact us through:

  • The Feedback feature in the app.
  • Email: support@karma.box

We commit to responding within 30 days of receiving your request.