What Karanite collects, where it lives, and how to remove it

Karanite is operated by Khaleel Alqallaf, as an individual, from Kuwait. Karanite is not yet incorporated as a company. If that changes, this Privacy Policy will be updated and a new version stamp will replace the one at the top of this page.

For privacy, legal, DMCA, DSA, abuse, takedown, or data-rights requests: email legal@karanite.com with subject prefix Privacy: for data rights or DSAR: for a formal data-subject request. For general support: support@karanite.com.

Public business address: available on request — contact legal@karanite.com.

This Privacy Policy explains how Karanite collects, uses, stores, shares, and deletes personal data when you: visit Karanite public pages; create an account; host a room; join as a player; watch as a spectator; buy Pro Host, Founder Host, or Event Pass; create tournaments; use custom packs or uploads where available; interact with Discord or Twitch integrations; or contact support, legal, privacy, or takedown channels.

Karanite collects the minimum data needed to run live hosted trivia.

• Karanite does not sell personal data.
• Karanite does not run ads.
• Karanite does not use third-party ad trackers.
• Karanite does not send user data to Google Gemini.
• Karanite does not require players or spectators to create accounts.

What we collect depends on how you use Karanite. We deliberately ask for the minimum needed at each role:

• Visitors (no account): standard request metadata that any web server sees — IP address, User-Agent, the page you requested. Used for routing, security, abuse prevention, debugging, and service reliability.
• Account users: when you sign up through Clerk we receive your email, the first and last name you provided, an optional profile image, your Clerk user ID, your account creation date, and your last login date.
• Hosts / Game Masters: the same account data plus the rooms you host — Clerk user ID, room code, room name, selected packs/categories, room settings, host configuration, replay settings, tournament settings where applicable, and any Discord webhook URL / Discord invite / Twitch handle / Twitch URL / stream overlay settings you choose to add.
• Players: the nickname you type when joining a room, your faction choice, your answers and votes during a match, the helper spells your team triggers, your score, timestamps, gameplay state, and replay-visible participation data. Players do not need an account. Signed-in players have this attached to their account battle history.
• Spectators: an optional nickname, the room code, live watch session data, and limited technical diagnostics. Spectators do not need an account. Spectator nicknames are shown in-room but are not intended to appear in replay rosters.
• Pro, Founder, and Event Pass users: Paddle processes payment and billing as Merchant of Record. Karanite receives only entitlement-related data — Paddle customer or transaction identifiers, product or plan name, subscription status, billing period start and end, renewal or cancellation status, payment success or failure status, and refund or dispute status. Karanite does not store full card numbers, full bank details, or complete payment credentials.

Karanite may store room names, tournament names, custom team names, player nicknames, scores, answers, helper spell usage, faction/team choices, timestamps, replay data, battle history, tournament results, host profile information, and public pack information where custom packs are enabled.

Some of this data may be visible to other users or the public. Replays are public by default unless hidden or deleted by the host or removed by Karanite. Public replay pages may be indexed by search engines unless Karanite later adds a noindex setting or the replay is hidden.

Do not use room names, nicknames, tournament names, custom team names, or any public content fields to share private or sensitive information.

Karanite currently does not collect:

• voice recordings;
• in-room free-text chat messages;
• full date of birth;
• full card numbers;
• full bank details;
• advertising identifiers;
• Google Analytics, Meta Pixel, TikTok Pixel, or any similar ad-tracking data;
• user-generated prompts sent to Google Gemini;
• player or room data sent to Google Gemini.

Karanite does not operate a general in-room chat. Interaction is limited to gameplay actions such as answers, helper spells, reactions, and room participation.

Karanite uses data to:

• create and secure accounts;
• host live trivia rooms and run tournaments;
• let players and spectators join rooms;
• calculate scores and display replays;
• maintain battle history;
• provide Pro Host, Founder Host, and Event Pass access;
• process subscription and entitlement status;
• prevent abuse, doxxing, harassment, spam, and fraud;
• moderate reported content;
• investigate technical issues and improve performance;
• respond to support, privacy, refund, and legal requests;
• comply with tax, consumer, legal, and safety obligations.

We do not sell or rent your data. We do not share your account data with advertisers, brokers, or analytics partners. Anonymous product-analytics events live exclusively on Karanite-operated infrastructure and are never exported.

Where GDPR or UK GDPR applies, Karanite relies on the following legal bases:

• Contract (Art. 6(1)(b)): account creation, authentication, hosting and joining rooms, gameplay functionality, replays and battle history, paid entitlements, billing-related account state, Event Pass and Pro access.
• Legitimate interests (Art. 6(1)(f)): security, abuse and fraud prevention, basic server logs, technical diagnostics, moderation, support, service reliability, basic error monitoring (Sentry with Session Replay disabled).
• Consent (Art. 6(1)(a)): non-essential analytics storage, optional product analytics through self-hosted PostHog, optional browser storage where consent is required, cookie banner preferences. You can change your cookie choices at any time through Cookie Settings.
• Legal obligation (Art. 6(1)(c)): billing and tax records, responding to lawful requests, handling disputes, DMCA / takedown records, moderation and safety records where legally necessary.

We use the following independent vendors to operate Karanite. Each one processes a specific slice of data for a defined purpose. We keep their data processing terms / DPAs on file internally; this is the public summary.

What this table tells you: Clerk, Vercel, Name.com, Railway, Sentry, and Google Workspace act as data processors under standard terms. Paddle is special — as Merchant of Record they act as an independent controller for payments, so their own privacy notice governs billing data they hold directly. PostHog is self-hosted on our Railway instance, so no separate vendor receives analytics events. Discord and Twitch only see information if a host opts in (see section 11). Google Gemini is used only for offline trivia generation — no user data, room data, nicknames, answers, analytics, or replay data is ever sent to Gemini. If we add a new vendor that materially changes how data is processed, we will update this table and the policy version stamp before the change goes live.

Paddle (paddle.com) is the Merchant of Record for Karanite. When you buy Pro Host, Founder Host, or Event Pass, Paddle processes the transaction, billing information, tax, invoices, currency conversion, refunds, and payment disputes.

Paddle may process billing data as an independent controller under its own privacy notice. Karanite receives only the information needed to grant and manage access — transaction ID, plan, billing period, subscription status, and entitlement state. Card numbers, full billing addresses, and bank identifiers stay with Paddle.

Refund handling, cancellation, and the EU 14-day withdrawal posture are documented separately in our Refund Policy.

Hosts can optionally add a Discord webhook URL, Discord invite or server link, Twitch handle, Twitch URL, or stream overlay settings to their room. These are host-directed integrations: if a host configures them, certain room information (room title, code, link, host-facing message, configured Twitch/Discord link) may be sent to or displayed through those third-party services. Discord and Twitch process that information under their own privacy notices, not ours.

What we deliberately do not send to Discord webhooks: player emails, internal account identifiers, IP addresses, or individual private stats. The webhook payload is limited to room-level facts.

Karanite uses essential cookies and local storage for authentication, room continuity, security, and payment flows. These are necessary for the service and cannot be disabled through Karanite. We use analytics storage only with your consent where required by law. You can change your choices at any time through Cookie Settings.

We do not run third-party analytics, advertising trackers, session-recording pixels, retargeting tags, Google Analytics, Meta Pixel, TikTok Pixel, or Vercel Analytics. PostHog is open-source software running on Karanite's own Railway infrastructure — your event data never leaves Karanite-operated systems.

Karanite is operated from Kuwait. Its infrastructure and vendors are located in several jurisdictions, including Kuwait, the European Union, the United States, and the United Kingdom.

• Railway database and server region: europe-west4 (Belgium).
• Paddle: United Kingdom.
• Clerk, Vercel, Sentry, Discord, Twitch / Amazon, Google Workspace, GitHub, Google services: generally United States or global infrastructure.
• Vercel Domains uses Name.com as the downstream ICANN-accredited registrar of record (US).

Where required, Karanite relies on vendor data-processing terms, standard contractual clauses, and other lawful transfer mechanisms. Karanite does not transfer data internationally for advertising or resale.

• Active room state: cleared 1 hour after room ends.
• Idle rooms: auto-archived after 1 hour idle.
• Archived rooms / replays: retained until host account deletion. Hosts can delete a replay from their account; doing so removes it from public view immediately.
• Battle history: stays attached to your account until you delete the account.
• Player nicknames: kept with replay; cleared when replay is deleted.
• Spectator data: cleared with replay or room data.
• Custom packs: kept as long as your account exists; removed when you delete the account.
• Analytics events (PostHog, self-hosted): up to 12 months, then aggregated and event-level rows pruned.
• Sentry logs: 90 days, then auto-purged.
• Account data: until account deletion.
• Deleted account data: anonymised within 30 days, hard-deleted within 90 days where possible.
• Paddle billing records: retained by Paddle, typically 7 years for tax and legal obligations.
• Moderation reports: 3 years.
• DMCA / takedown records: 3 years.
• Admin audit logs: 3 years.

Some data may be retained longer if required for legal claims, fraud prevention, tax obligations, abuse investigations, security incidents, or regulatory obligations.

Depending on your location, especially if you are in the EEA, UK, or a GDPR-equivalent jurisdiction, you may have rights to:

• access your data;
• correct your data;
• delete your data;
• export your data;
• object to processing;
• restrict processing;
• withdraw consent;
• complain to a data protection authority.

Karanite will generally honour privacy requests from all users where reasonably possible, even where GDPR does not strictly apply.

To make a request, email legal@karanite.com with subject Privacy: or DSAR:. Karanite aims to respond to data-rights requests within 30 days.

You can delete your account from your account page. Account deletion may delete or remove your Clerk identity, cancel active subscriptions where applicable, detach your account from past rooms, anonymise battle history, and hide or remove host-associated data where required.

Karanite preserves billing, audit, fraud, legal, and moderation records where legally necessary. Some public content, replays, or aggregated statistics may remain in anonymised form.

You can reject analytics through the cookie banner. You can change your choice later through Cookie Settings in the site footer.

If you reject analytics:

• PostHog does not initialize;
• no PostHog analytics cookies or storage are set;
• analytics events are not sent.

Essential storage remains active because Karanite needs it for sign-in, room continuity, security, and payment flows.

Karanite is intended for users aged 16 and older. You must be at least 18 to purchase Pro Host, Founder Host, Event Pass, or any paid service. Both ages are confirmed by a one-checkbox acknowledgement during signup and checkout — we do not collect a full date of birth.

Karanite does not knowingly collect data from users below the required age. If a parent or guardian believes a minor below the required age has used Karanite, contact legal@karanite.com with subject Minor:. Karanite will review the request and delete or anonymise the account and related data where appropriate.

Karanite uses reasonable technical and organisational measures to protect data:

• authentication through Clerk;
• production hosting through Vercel and Railway;
• database-backed access controls;
• encrypted Discord webhook storage where configured;
• admin moderation logs;
• error monitoring;
• abuse reporting;
• limited data collection;
• separation of payment data through Paddle.

No online service can guarantee perfect security. If you believe your account or Karanite data has been compromised, contact legal@karanite.com.

If Karanite becomes aware of a personal-data breach, we will investigate promptly.

Where GDPR requires notification, Karanite will notify the relevant supervisory authority within 72 hours where legally required. Where a breach is likely to create a high risk to affected users, Karanite will notify affected users where legally required.

Karanite uses paid Google Gemini tools to generate draft trivia questions and explanations offline. Those drafts are human-reviewed before publication.

Google Gemini does not receive user data, account data, room data, player nicknames, answers, analytics events, or replay data. The prompts contain generic content-generation requests only.

AI-assisted content disclosure is explained further in Karanite's Trademarks & Credits notice.

If you believe Karanite content infringes copyright, exposes personal data, violates law, or creates safety concerns, use /legal/takedown or email legal@karanite.com.

Suggested subject prefixes:

• DMCA: — copyright complaints.
• Report: — illegal content or DSA reports.
• Abuse: — doxxing, harassment, personal-data exposure.
• Privacy: — privacy / data-rights requests.

Karanite may update this Privacy Policy from time to time. The current revision is shown at the top of the page (currently version 2026-05-24) and the corresponding wording in the in-app /info Privacy section is kept in sync.

When material changes are made, Karanite will update the “Last updated” date and, where required by law, notify users or request renewed consent. If you continue using Karanite after a Privacy Policy update becomes effective, the updated policy applies to your use of the service.

For privacy, legal, DMCA, DSA, abuse, takedown, or data-rights requests: legal@karanite.com. For general support: support@karanite.com.

Use these subject prefixes where possible:

• Privacy: — access, deletion, export, correction.
• DSAR: — formal data-rights request.
• DMCA: — copyright complaint.
• Report: — illegal content.
• Abuse: — doxxing, harassment, personal-data exposure.
• Minor: — parent / guardian deletion request.
• Refund: — billing or refund issue.