← Back to home
Privacy Policy
Last updated: 9 May 2026 · Operator: OpsKarma — sole proprietorship of Swaraj Dhondge, Mumbai, Maharashtra, India · Contact: privacy@opskarma.com
Plain-English summary. OpsKarma is a free DevOps practice platform run by a small independent operator from Mumbai, India. We collect what we need to run the site (account data, usage, submissions), nothing more. We don't sell your data, we don't run ad networks, and we don't use your content to train AI models. You can email privacy@opskarma.com any time to access, export, or delete your data.
1. Who we are
OpsKarma is a free practice platform for DevOps and SRE engineers, operated as a sole proprietorship of Swaraj Dhondge from Mumbai, Maharashtra, India. We are a small independent operator. This policy explains what personal data we collect when you visit opskarma.com or use the app, how we use it, and what rights you have over it. We are the data controller (and, for Indian law, the Data Fiduciary) for the personal data described below.
2. What we collect
- Account data. Email, hashed password (never the password itself), display name, session cookies.
- Usage data. Problems attempted, submissions, hint unlocks, verdicts, timestamps, aggregate streak counts.
- Simulator transcripts. Commands you run in a session you submit are stored to rebuild the transcript and feed the judge. Commands run in unsubmitted sessions are discarded when the session ends.
- Technical data. IP address (truncated to /24 for IPv4 and /48 for IPv6), user-agent string, approximate region. Used for rate-limiting, abuse detection, and security incident response.
- Cookies. A required session cookie keeps you signed in. Google Analytics cookies are set only if you accept them in the banner. See §9.
We do not knowingly process special-category data (race, ethnicity, political opinions, religion, union membership, genetic, biometric, health, sex life, or sexual orientation under GDPR Art. 9). Please don't include such information in commands, notes, or submissions.
3. How we use it
- To operate the platform: authentication, running the judge, showing your progress.
- To enforce fair use: rate limits, abuse detection, audit logging.
- To improve the product: aggregate usage analytics, error rates.
- To communicate with you: account emails (verification, password reset, submission results) and — only if you opt in — a weekly digest.
We do not sell your data. We do not run third-party ad networks. We do not build profiles of you for external use.
4. We do not use your content to train AI models
Your submissions, transcripts, commands, and notes are not used to train any large language model — ours or any third party's. Inference providers receive the minimum prompt context needed to compute a response and, under their standard terms with us, do not retain customer inputs for training.
5. Legal bases (EEA, UK, Switzerland)
Under the GDPR, UK GDPR, and Swiss FADP we rely on:
- Contract (Art. 6(1)(b)) — to create your account and run the Service you asked for.
- Legitimate interest (Art. 6(1)(f)) — for security, abuse prevention, fraud detection, and product improvement. You can object at any time.
- Consent (Art. 6(1)(a)) — for analytics cookies and any optional marketing emails. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — to retain billing and tax records when required.
6. Automated decisions
The judge produces an automated practice score from your submission. This is a learning aid — it does not produce legal or similarly significant effects under GDPR Art. 22. You can request human review of any automated outcome by emailing privacy@opskarma.com.
7. Sub-processors
We share the minimum necessary data with a small set of sub-processors (cloud host, transactional email, inference providers, analytics on consent, error tracking, CDN/WAF). Each is bound by a Data Processing Agreement (signed directly or accepted as part of their standard customer terms). Email us for the current list.
8. International transfers
Your data may be processed in the United States, the European Union, India, and other regions where our sub-processors operate. Where we transfer personal data of EEA, UK, or Swiss residents to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum), and — where the recipient is certified — the EU–US Data Privacy Framework.
9. Cookies
- Strictly necessary — session cookie (HttpOnly, SameSite=Lax) and CSRF token. Cannot be disabled; without them you can't sign in.
- Analytics — Google Analytics 4. Off by default; set only if you accept in the cookie banner. Honors Global Privacy Control.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
session | OpsKarma | Auth session (HttpOnly) | 30 days |
csrf | OpsKarma | CSRF protection | Session |
cc_cookie | OpsKarma | Records your cookie choices | 6 months |
_ga, _ga_* | Analytics (only on consent) | 2 years |
Change your choice any time via the Cookie preferences link in the footer.
10. Retention
- Account data: kept while your account is active. After deletion we keep a short recovery window, then purge it.
- Submissions and transcripts: while your account is active; deleted on account deletion.
- Audit logs (sign-ins, hint unlocks, admin actions): kept for as long as they remain useful for security investigations, then purged.
- Billing records (if and when paid plans launch): kept for as long as tax law requires.
- Backups: kept on a short rolling window so we can recover from incidents.
11. Your rights
Depending on your location, you have the right to access, correct, delete, export, restrict, or object to our processing of your personal data, withdraw consent, and complain to a supervisory authority. Email privacy@opskarma.com (or, when Settings → Danger zone is live in the app, use it there). Where the law sets a deadline (for example, 30 days under the GDPR or the Indian IT Rules), we follow it. Otherwise we reply as soon as we reasonably can.
12. Region-specific notices
EEA, UK, Switzerland
You may complain to your local data protection authority. We do not currently maintain a paid Article 27 representative in the EU or UK. Until we do, please email privacy@opskarma.com and we will reply as soon as we reasonably can. We rely on the limited processing exemption in GDPR Art. 27(2) but will appoint a representative if we begin large-scale processing of EU residents' data.India
- Grievance Officer (under the IT Rules 2021 and DPDPA 2023): Grievance Officer, OpsKarma · grievance@opskarma.com · statutory response window: 30 days under the IT Rules.
- To withdraw consent for any processing based on consent, email the Grievance Officer.
- Complaints can be escalated to the Data Protection Board of India once it begins operations.
California (CCPA / CPRA)
We do not sell or share personal information as those terms are defined under the CPRA, and we have not done so in the preceding 12 months. California residents may exercise rights to know, delete, correct, and limit. We honor Global Privacy Control (GPC) signals as opt-out requests for analytics cookies. Email privacy@opskarma.com to exercise.Other U.S. states
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Tennessee, Iowa, Delaware, Florida, Montana, Indiana, New Hampshire, Minnesota, Maryland, New Jersey, Kentucky, and Rhode Island have rights to access, correct, delete, port, and opt out of targeted advertising and profiling under their state's comprehensive privacy law. Email privacy@opskarma.com to exercise.Brazil (LGPD)
Encarregado / DPO contact: privacy@opskarma.com. You can complain to the ANPD at gov.br/anpd.13. Children
OpsKarma is not directed at children under 16. If we identify an account as belonging to a child under 16, we will delete it. Email privacy@opskarma.com if you believe a child has created an account.
14. Security
TLS for all traffic, HttpOnly + SameSite cookies, bcrypt password hashing, account lockout, rate limiting, and audit logging. Full details in our security policy.
15. Breach notification
If a breach affects your personal data and creates a high risk to your rights or freedoms, we will notify you and the relevant supervisory authority without undue delay, and within 72 hours where required (GDPR Art. 33–34, India IT Rules CERT-In notification, equivalent local laws).
16. Changes
We update the "Last updated" date above when we change this policy. We will let registered users know about material changes by email before they take effect.
17. Contact
- Operator: OpsKarma — sole proprietorship of Swaraj Dhondge, Mumbai, Maharashtra, India
- General: hello@opskarma.com
- Privacy: privacy@opskarma.com
- Grievance Officer (India): grievance@opskarma.com
- Security: security@opskarma.com
- Operator information / imprint: /imprint