(Document compliant with EU Regulation 2016/679 – GDPR, UK GDPR, CCPA/CPRA, PIPEDA and other applicable data protection laws)
1. Data Controller
Karma Corporation a.s. - Máchova 439/27, Vinohrady - 120 00 Praha - Czech Republic.
The Data Controller is Karma Corporation a.s., having its registered office at - Máchova 439/27, Vinohrady - 120 00 Praha - Czech Republic, e-mail: [contact email].
For any matters relating to this Privacy Policy or the processing of personal data, the Controller may be contacted at the above addresses.
2. Scope of Activity and Purpose of the Service
The website (the “Service”) provides interactive and digital content intended exclusively for adults (18+), through:
• a chat platform based on generative artificial intelligence technologies;
• the provision of customized digital images and paid content;
• user assistance, payment processing, and account management services.
Such services may involve the processing of personal data, including certain special categories of data within the meaning of Article 9 GDPR, processed only upon the explicit consent of the data subject.
3. Categories of Personal Data Processed
The Controller may process the following categories of data:
1. Identification and contact data
(e-mail address, username, payment details, billing information).
2. Browsing and technical data
(IP address, device identifiers, cookies, usage logs, session metadata).
3. Interaction and preference data
collected pseudonymously through use of chat or content-generation functions.
4. Payment data
managed by third-party providers (e.g. Stripe, PayPal) acting as independent controllers or processors.
5. Security and abuse prevention data
(system logs, anti-fraud and anti-abuse measures).
The Controller does not intentionally collect or retain sensitive identifying information unless strictly necessary for the performance of the Service and with the user’s explicit consent.
4. Purpose and Legal Basis for Processing
| Purpose of Processing | Legal Basis | Reference |
|---|---|---|
| a) Service provision and account management | Performance of a contract or pre-contractual measures | Art. 6(1)(b) GDPR |
| b) Compliance with accounting and tax obligations | Legal obligation | Art. 6(1)(c) GDPR |
| c) Processing of special categories of data (preferences, adult-related content) | Explicit consent of the data subject | Art. 9(2)(a) GDPR |
| d) Security, fraud prevention, and legal defense | Legitimate interest of the Controller | Art. 6(1)(f) GDPR |
| e) Statistical analysis and service improvement | Consent or legitimate interest if anonymized | Art. 6(1)(a)/(f) GDPR |
| f) Promotional and marketing activities | Consent | Art. 6(1)(a) GDPR |
5. Methods of Processing and Automated Logic
Processing is carried out electronically and in compliance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, integrity, and confidentiality.
The platform uses generative artificial intelligence systems for automated content creation.
Such systems operate based on algorithmic models trained on data sets that do not allow direct identification of users.
Interactions are processed in pseudonymized or anonymized form for analytical or operational purposes.
No automated decision-making producing legal or similarly significant effects occurs, within the meaning of Article 22 GDPR.
6. Nature of Data Provision and Consequences of Refusal
Providing mandatory data is necessary to access the Service.
Failure to provide such data may render it impossible to use certain features or complete transactions.
Optional data provided for marketing or personalization purposes are subject to freely given, explicit, and revocable consent.
7. Data Retention
Data will be retained in accordance with the following criteria:
• Contractual and billing data: up to 10 years, pursuant to civil and tax obligations;
• Browsing and technical logs: up to 12 months;
• Generated content and interaction data: up to 12 months after last activity or until consent withdrawal;
• Anonymized or aggregated data: indefinitely.
8. Data Disclosure and Recipients
Personal data may be disclosed to the following categories of recipients:
• entities acting as Data Processors (hosting, AI technology providers, payment processors, analytics, customer support);
• independent Data Controllers (e.g. payment gateways, financial institutions);
• public authorities and supervisory bodies, where required by law;
• legal, administrative, and IT consultants assisting the Controller.
The updated list of Processors is available upon request from the Controller.
9. International Data Transfers
Data transfers outside the European Economic Area (EEA) are carried out in compliance with Chapter V of the GDPR:
• to countries covered by an adequacy decision by the European Commission (Art. 45 GDPR);
• through Standard Contractual Clauses (SCCs) adopted under Art. 46(2)(c) GDPR, complemented by supplementary security measures;
• or, where applicable, with the explicit consent of the data subject (Art. 49(1)(a) GDPR).
The Controller continuously monitors the level of data protection ensured by non-EEA recipients.
10. Data Subjects’ Rights
Data subjects may exercise, at any time, the rights provided under Articles 15–22 GDPR, including:
• right of access to their data;
• right to rectification and erasure;
• right to restriction of processing;
• right to data portability;
• right to object to processing;
• right to withdraw consent.
Requests shall be sent to [dedicated privacy email address].
Data subjects have the right to lodge a complaint with the Data Protection Authority or the competent supervisory authority in their country of residence.
For non-EU residents, equivalent rights apply under:
• CCPA/CPRA (California),
• UK Data Protection Act 2018 / UK GDPR,
• PIPEDA (Canada),
• and other applicable local laws.
11. Data Security
The Controller adopts technical and organizational measures appropriate to the risk, including:
• encryption of data in transit and at rest;
• access control and strong authentication;
• pseudonymization of sensitive data;
• continuous system monitoring and audits;
• personnel training and confidentiality undertakings.
12. Age Restrictions
The Service is strictly reserved for adult users (18 years or the legal age of majority in the user’s country).
The Controller does not knowingly process personal data of minors.
If a minor’s data are inadvertently collected, such data will be promptly deleted.
13. Relationship with Artificial Intelligence Providers
The Controller may rely on third-party AI technology providers for content generation.
Such providers act as Data Processors, bound by written agreements ensuring GDPR and equivalent international compliance.
The AI systems used do not train on users’ identifiable personal data, and any such information is processed only in anonymized or pseudonymized form.
14. Updates to this Privacy Policy
This Privacy Policy may be amended to reflect legal or technological developments.
Any changes will be published on the website with the updated “Last Revised” date.
Continued use of the Service after such updates shall constitute acceptance of the revised Policy.
15. Contact Details
For any information, clarification, or to exercise data protection rights, please contact:
- [dedicated privacy email]
- Karma Corporation a.s. - Máchova 439/27, Vinohrady - 120 00 Praha - Czech Republic.
16. Legal Notice
This document constitutes a privacy notice pursuant to Article 13 of Regulation (EU) 2016/679 and corresponding international legislation.
References to “adult content” are understood solely as a description of services directed to an adult audience.