Privacy Policy
Last updated: 2 April 2026
TL;DR
We connect to your Gmail in read-only mode, find only your Zomato order confirmation emails, extract order data from them, and show you fun insights. We never read any other emails. We never sell your data. You can delete everything any time.
1. What we access
KartKarma requests read-only access to your Gmail account via Google OAuth (scope: gmail.readonly).
We search only for emails matching Zomato order confirmations using the query from:noreply@zomato.com subject:order. No other emails are ever accessed, read, or stored.
2. What we store
For each Zomato order email we find, we extract and store:
- Restaurant name
- Order date and time
- Items ordered
- Order total amount
- Order status (delivered / cancelled)
We do not store the full email body, email content beyond order details, or any other personal information from your Gmail.
Your order data is stored in a secure, encrypted PostgreSQL database hosted on Neon (AWS Asia Pacific — Singapore).
3. How we use your data
Your data is used only to generate the insights, scores, and badges shown on your personal KartKarma dashboard.
We do not:
- Sell your data to any third party
- Share your data with advertisers
- Use your data to train AI or ML models
- Send you marketing emails
- Show your data to other users
4. Google API compliance
KartKarma's use of Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
Your Google account data is used only to provide the core features of KartKarma — parsing your Zomato order history and showing you personalised insights. It is not transferred to any other app or used for any purpose unrelated to KartKarma's stated functionality.
5. Data retention & deletion
Your order data is retained for as long as you use KartKarma.
To request deletion of all your data, email us at privacy@kartkarma.app. We will permanently delete all records associated with your account within 7 days.
You can also revoke KartKarma's Gmail access at any time from your Google Account Permissions page. Revoking access stops any future syncs but does not automatically delete previously stored order data.
6. Security
All data is transmitted over HTTPS. Your Google OAuth access token is stored server-side only for the duration of your session (JWT, not persisted). Database connections use SSL.
7. Changes to this policy
We may update this policy as the product evolves. We will update the "Last updated" date at the top. Continued use of KartKarma after any changes constitutes acceptance of the updated policy.
8. Contact
Questions, data requests, or concerns: privacy@kartkarma.app