
Privacy Policy.

What we collect, why, and what you can do about it.

LAST UPDATED · APRIL 14, 2026 · V2.0
● THE SHORT VERSION

You should be able to read this and understand it. Here's the gist.

  • We don't keep the content you delete.
    No silent backups, no "in case you change your mind" archive. Deleted means gone.
  • We use Reddit's official OAuth.
    Your password never touches our servers. Revoke our access from Reddit at any time.
  • We host in Frankfurt and follow GDPR by default.
    Same protections whether you're in Munich, Manila, or Minneapolis.
  • You can export or delete your data at any time.
    One click in your dashboard. We don't make you email anyone.
SECTION 01

Who we are

Karmdit is a tool for cleaning up your Reddit account, made by a small team based in Berlin and Munich. The legal entity is Karmdit GmbH, registered at Friedrichstraße 68, 10117 Berlin, Germany.

For anything in this policy: privacy@karmdit.com. For data-protection-specific requests, you can reach our DPO at the same address with the subject line "DPO request".

SECTION 02

What data we collect

We collect four buckets of data, and only what we need for each.

Account data
Your email address, your Reddit user ID and OAuth tokens (so we can act on your behalf), and your account creation date. That's it.
Usage data
The filters you've applied, the items you've removed, and an audit log of every Karmdit action so you can see what we did and roll back if needed.
Billing data
If you're on a paid plan, we store a Stripe customer ID and the metadata Stripe sends back (plan, billing country, last-four of card). We never see or store your card number.
Support communications
If you email us, we keep that email and our reply for 18 months so we can pick up where we left off if you write again.
What we don't collect: the content of your Reddit posts and comments after we've finished cleaning them. The plaintext is wiped within 24 hours of run completion. We retain a hash of the post ID for cache-eviction tracking, never the post itself.
SECTION 03

How we use it

We use your data to do the thing you signed up for: clean your Reddit account, then prove that we did. Specifically:

  • Providing the service. Reading your Reddit history, applying your filters, executing deletions, generating reports.
  • Billing. Charging you (if you're on a paid plan), managing renewals, handling refunds.
  • Security. Detecting unusual activity on your account and ours, blocking abuse.
  • Legal compliance. Responding to lawful requests where required, keeping records we have to keep.
Explicit: we do not train AI on your Reddit content, your filters, or your audit logs. We don't sell or rent any of it. We don't share it with advertisers. We don't even have advertisers.
SECTION 04

What we share

The only third parties involved in running Karmdit are the three we need to make the service work. Here they are, what they do, and what data they touch.

Service | Purpose | Data shared
Stripe | Payment processing | Email, billing country, card
Reddit | OAuth-scoped account access | Per the scopes you authorized
Supabase EU | Database hosting (Frankfurt) | All account + usage data
Vercel EU | Web hosting (Frankfurt) | Request logs, IPs (24h)

That's the whole list. No advertising networks. No data brokers. No analytics partners outside of Google Analytics (which we cover in Cookies).

SECTION 05

How long we keep it

Different data has different retention periods. Here's the full list.

Data type | Kept for | Why
Reddit post content | Up to 24 hours after run | To execute the deletion
Audit log entries | 90 days | So you can roll back; legal compliance
Account data | While your account is active | Running the service
Account data after deletion | 30 days, then purged | Recovery window
Billing records | 10 years | German tax law (HGB §257)
Support emails | 18 months | Continuity of conversation
SECTION 06

Cookies

We use a small set of cookies — essentials for authentication and one optional analytics cookie. The full breakdown, with names and durations, is on the Cookies page.

SECTION 07

Your rights (GDPR / CCPA)

Whether you're in the EU, the UK, California, or anywhere else, the same rights apply to your Karmdit data. We don't differentiate by jurisdiction — that's just simpler.

Access
Download everything we have on you. Settings → Privacy → Export all data. Comes back as a JSON bundle within an hour.
Correction
Wrong email or country in your account? Edit it in Settings, or write us if it's somewhere weird.
Deletion
Settings → Account → Delete account. Goes through a 30-day recovery window, then is gone for good.
Portability
The JSON export is machine-readable and structured. Take it to a competitor; we won't be sad. (We will be a little sad.)
Objection
If you don't want us using your data for something specific (e.g., aggregate product analytics), email privacy@karmdit.com and we'll honor it.

You also have the right to lodge a complaint with your local data protection authority. Ours is the Berlin Beauftragte für Datenschutz und Informationsfreiheit. If we've messed up, please tell us first — but you don't have to.

SECTION 08

Security

We use industry-standard practices, which sounds boring because it's boring, which is the right register for security.

  • Encryption at rest for the database (AES-256, Supabase-managed keys).
  • Encryption in transit for everything (TLS 1.3, HSTS preloaded).
  • Encrypted backups rotated daily, retained for 7 days.
  • Access controls — only two engineers have production database access, and every query is logged and audited monthly.
  • OAuth-only Reddit access — your Reddit password never reaches us.
  • SOC 2 Type 2 audit — in progress, expected complete Q3 2026.

If you find a vulnerability, please email security@karmdit.com. We don't yet have a formal bug bounty but we will absolutely send you swag and credit.

SECTION 09

Children

Karmdit is not for anyone under 16. We don't knowingly collect data from children. If you believe we have, please write to privacy@karmdit.com and we'll delete it within 72 hours.

Reddit's own age requirement is 13, but ours is higher because GDPR's "child" threshold is 16, and we'd rather match the higher bar globally than draw a line by jurisdiction.

SECTION 10

International transfers

For now, all Karmdit infrastructure is in Frankfurt, Germany. Your data does not leave the EU. The only exception is when you yourself initiate an action that calls Reddit — those calls go to Reddit's US servers because that's where Reddit is — but no Karmdit-stored data is shipped to the US.

If we ever change this, we'll update this section and notify you 30 days before.

SECTION 11

Changes to this policy

We update this policy when our practices change. For meaningful changes — anything affecting how we collect or share data — we'll notify you by email at least 30 days before they take effect.

Cosmetic changes, typo fixes, and clarifications don't trigger a notification. The "last updated" date at the top of the page always reflects the most recent change.

SECTION 12

Contact

Anything privacy-related: privacy@karmdit.com. We aim to respond within two working days, and always within the legal limit (30 days for GDPR-eligible requests).

For legal service of process, please use our registered address: Karmdit GmbH, Friedrichstraße 68, 10117 Berlin, Germany.

Note (mockup only): Real legal copy TBD — final version reviewed by counsel before launch. The above is a draft for layout and tone; consider every paragraph subject to revision.