Last updated · 2026-06-09
Privacy policy
We collect the minimum data needed to run Karigar. This page explains what we collect, why, the legal basis under GDPR and India's DPDP Act, how long we keep it, who else processes it on our behalf, and how to exercise your rights.
Who we are
Karigar is operated by photoGen. For privacy questions, data-subject requests, or any concerns about how your data is handled, contact support@karigar.studio. Under India's DPDP Act, this address also serves as our designated grievance officer contact.
What we collect & why
- Email — only if you sign in. Used to send magic-link sign-ins and pack-purchase receipts. Lawful basis: performance of contract (GDPR Art 6(1)(b)).
- Photos you upload — stored for generation processing. Auto-deleted from our servers after 24 hours. Lawful basis: performance of contract.
- Generated outputs — kept as long as your account exists so you can re-download them. Lawful basis: performance of contract.
- IP-derived country — used to show the right currency / payment methods / marketplaces for your region. Stored briefly in a cookie. Your IP itself is kept for 30 days for abuse prevention, not associated with your account. Lawful basis: legitimate interest (regional service delivery).
- Payment info — handled entirely by Razorpay. We never see or store your card or UPI details; we only receive a payment id + amount. Lawful basis: performance of contract.
- Usage analytics & error monitoring — privacy-friendly product analytics (PostHog) and crash/error reporting (Sentry) to improve the product and fix bugs. Off until you opt in via the consent banner; no analytics cookies are set before you accept, and you can withdraw anytime from Cookie settings in the footer. We never attach your account id, name, photo bytes, or payment data to analytics. Lawful basis: consent (GDPR Art 6(1)(a)); analytics cookies are set only after your prior consent (EU ePrivacy Directive).
How we use it
Only to run the service: generate photos, grant credits, process payments, prevent abuse, fix bugs, and improve product flows. We do not sell or share your data with advertisers. We do not send marketing emails unless you explicitly opt in.
Who else processes your data
We rely on third-party providers for the following categories: hosting + edge compute, database + auth + storage, image generation (the AI model that produces the output photo), payments, bot detection, identity (Google OAuth), product analytics, and error monitoring. Each provider has signed a data-protection agreement covering GDPR + DPDP obligations. Where data leaves India or the EU, the transfer is protected by Standard Contractual Clauses (SCCs) or an equivalent adequacy mechanism.
The categories of providers we use are published on our sub-processors page. For the current named providers behind each category, email support@karigar.studio and we will share them. We notify signed-in users 14 days before adding any new provider.
Cookies
We use two categories of cookies. Essential cookies keep you signed in, remember your language choice, and carry your IP-derived country for payment + marketplace selection; these are always on because the site doesn't work without them. Analytics cookies (PostHog) are off by default and only set after you accept on the consent banner; you can change your mind any time via Cookie settings in the footer. Sentry replay is captured only when an error occurs, not for normal browsing, and masks all text and inputs.
Retention
- Uploaded photos: 24 hours (auto-deleted)
- Generated outputs: stored as long as your account exists
- Server logs: 30 days
- Anonymous IP records (abuse prevention): 30 days
- Account data: deleted immediately when you delete your account. Payment/invoice records (payment id + amount only — never your photos, generated images, or other content) are retained for as long as Indian tax law requires (up to 8 years) and then deleted; this minimal statutory retention is the only data not erased on account deletion.
- Analytics events: 12 months rolling window
Your rights
Under GDPR (if you're in the EU/EEA/UK) and India's DPDP Act, you have the following rights at no cost:
- Right to access — see what data we hold on you. Use the “Export my data” button on /account to download a JSON file with every record we have.
- Right to rectification — correct anything inaccurate. Email us and we'll update it.
- Right to erasure — delete your account and all associated data. The Delete account button on /account does this immediately and cascades through all sub-processors.
- Right to data portability — the same export as above, in machine-readable JSON format.
- Right to restrict / object to processing — turn analytics off from Cookie settings in the footer; for other processing, email us.
- Right to withdraw consent — revoke analytics consent any time from Cookie settings in the footer; affects only future tracking.
- Right to lodge a complaint — with your local Data Protection Authority (EU/UK) or India's Data Protection Board once it's operational. You don't need to contact us first.
We respond to data-subject requests within 30 days (GDPR) / 7 days of acknowledgement (DPDP). For requests, email support@karigar.studio.
Age
Karigar is intended for users aged 18 or older. We do not knowingly collect data from anyone under 18. Under India's DPDP §9, anyone under 18 is a child and requires verifiable parental consent; under GDPR Art 8, children under 16 in EU member states likewise need parental consent for online services. If you believe we have data on a minor without proper consent, email support@karigar.studio and we will delete it.
Data breach notification
If a security incident exposes your personal data, we will: (1) notify the relevant supervisory authority within 72 hours (GDPR) and India's Data Protection Board (DPDP), (2) notify affected users by email without undue delay if the breach poses a high risk to their rights, and (3) publish a post-incident summary on this page.
Grievance officer
For India-based users under the DPDP Act: photoGen is the designated Data Fiduciary. Grievance officer contact: support@karigar.studio. We acknowledge complaints within 7 days and aim to resolve them within 30 days.
Changes to this policy
If we make material changes — adding a new sub-processor, changing retention windows, or expanding the data we collect — we'll update the “Last updated” date at the top and email signed-in users 14 days before the change takes effect. The latest version is always at /privacy.
Contact
Any privacy question, request, or complaint: support@karigar.studio. We read every email.