← Back

Privacy Policy

Last updated: June 11, 2026

1. Controller

Good Karma UG (haftungsbeschränkt), Bohlenweg 34, 63739 Aschaffenburg, Germany, represented by Julia Reis (the "Controller") is responsible for the processing of personal data within the Orbitsflow app (the "Service"). Contact: julia@gogoodkarma.com.

2. Scope

This policy explains which personal data we collect when you use the Service, why we process it, on what legal basis, who receives it, and what rights you have under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

3. Data we process

  • Account data: email address, password hash, display name. When you sign in with Google, we additionally receive your Google account email and basic profile (name, profile picture).
  • Planning data you create: events, locations, notes, contacts, speakers, travel legs, and uploads (such as passes or photos) that you choose to add.
  • Sharing data: when you create a share link, viewers' chosen display name, their interest reactions, and presence pings while they view the page.
  • Technical data: IP address, user-agent, timestamps, and basic request logs needed to operate and secure the Service.

4. Purposes and legal basis

  • Providing the Service and your account (Art. 6 (1) (b) GDPR — performance of a contract).
  • Operating the share link, presence indicator and interest reactions (Art. 6 (1) (b) GDPR).
  • Security, abuse prevention and debugging (Art. 6 (1) (f) GDPR — legitimate interests).
  • Complying with legal obligations such as accounting or lawful requests (Art. 6 (1) (c) GDPR).

5. Recipients and processors

We use the following processors who act on our behalf under data processing agreements (Art. 28 GDPR):

  • Lovable / Supabase — application hosting, authentication and database (EU region).
  • Google LLC — Google Maps for displaying locations, and Google Sign-In if you choose it.

When data is transferred outside the EU/EEA, we rely on the EU Standard Contractual Clauses and additional safeguards where required.

6. Storage period

We store account and planning data for as long as your account exists. You can delete events, uploads and your account at any time. Server-side logs are kept for up to 30 days for security purposes. Share-link presence pings older than 24 hours are routinely deleted.

7. Your rights

You have the right to:

  • access your personal data (Art. 15 GDPR);
  • request rectification (Art. 16) or erasure (Art. 17);
  • restrict processing (Art. 18) and object to processing (Art. 21);
  • data portability (Art. 20);
  • withdraw consent at any time without affecting prior processing;
  • lodge a complaint with a supervisory authority — in Bavaria the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach.

To exercise your rights, write to julia@gogoodkarma.com.

8. Cookies and local storage

We use strictly necessary cookies and browser storage to keep you signed in, remember your share-link password (per session), and store UI preferences. We do not use advertising or tracking cookies.

9. Security

We protect your data with TLS in transit, encryption at rest where supported by our processors, row-level security on the database, and least-privilege access for our team.

10. Changes

We may update this policy to reflect changes in the Service or applicable law. The current version is always available at this page.