Privacy Policy
Last updated: May 11, 2026
Koda is a mobile app for tracking habits, tasks, and calendar events. This document explains what data Koda collects, why, where it is stored, and what rights you have. It is written in plain language — without legal jargon where it can be avoided.
1. Data controller
Koda is a personal project by Oleksandr Zinchenko (Ukraine), with no legal entity at the time of publication of this document. Contact for all data-related questions: support.koda@gmail.com.
2. What data we collect
Koda processes three categories of data:
- Account data: email and Google ID obtained during sign-in via Google Sign-In. Name and avatar are not stored on the server.
- User content: habits, completion logs, tasks, calendar events, subtasks, reminders, interface settings, attached files (up to 10 MB each). You enter all of this yourself.
- Google Calendar data (optional): if you connect Google Calendar sync, Koda performs one-way reads of events from your selected calendars within a window from today to today + 90 days. Koda does not write back to Google.
Koda does not collect: contacts, photo library, precise location, microphone, usage data of other apps, advertising identifiers.
3. Why we collect this data and the legal basis
Purposes of processing and corresponding legal bases under Art. 6(1) GDPR:
- Performance of a contract (Art. 6(1)(b) GDPR) — email/Google ID for sign-in and synchronization, user content for the app's operation, Google Calendar data to display events, processing of payments for Pro/Lifetime
- Legitimate interests (Art. 6(1)(f) GDPR) — correspondence with our support team about your requests, detection of abuse and protection of the service
- Consent (Art. 6(1)(a) GDPR) — for future optional services (e.g., analytics, crash reports, AI coach in Phase 4). Consent can be withdrawn at any time via the app's settings
We do not use your data for advertising, profiling, sale to third parties, or training AI models.
4. Where and how data is stored
All data is stored in a secured Supabase database (region eu-central-1, Frankfurt, Germany). Attached files live in Supabase Storage with owner-only access (Row Level Security). Each user sees only their own data: isolation is enforced at the database level through Row Level Security (RLS) policies with the condition user_id = auth.uid().
The connection between the app and the server uses TLS. Passwords are not stored (sign-in is via Google OAuth only).
5. Third-party services
Koda uses the following third-party services, each with its own policy:
- Google (Sign-In + Calendar API): for authentication and optional reading of events. policies.google.com/privacy
- Supabase (Supabase Inc., USA; infrastructure in eu-central-1, Frankfurt): database storage, authorization, file storage. supabase.com/privacy
- Google Play Billing (Google Ireland Ltd. / Google LLC): payment processing for Pro and Lifetime. Koda does not receive card numbers — only subscription status.
We list services that will appear in future releases ahead of time (e.g., RevenueCat for subscription management, Sentry or Firebase Crashlytics for opt-in crash reports, an LLM API provider for the AI coach in Phase 4). They are not used until they are actually integrated.
6. International data transfers
Koda's primary database is located within the European Union (Supabase, Frankfurt). However, some services we use operate in the USA or other countries outside the EEA — in particular, Google (Sign-In, Calendar API, Play Billing) and the parent company of Supabase.
Transfers of personal data to such countries take place on the basis of the European Commission's Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework, which Google and key Supabase subprocessors have joined. This ensures a level of protection equivalent to GDPR.
7. How long we retain data
- While your account is active — all data is retained
- After account deletion — full removal within 30 days
- Supabase backups — up to 7 days, then automatically overwritten
8. Your rights (GDPR and beyond)
Under Chapter III of GDPR, you have the right at any time to:
- Access (Art. 15) — see your data inside the app, or write to us and receive a JSON export within 30 days
- Rectification (Art. 16) — any field is editable in the app
- Erasure (Art. 17) — Settings → Delete account. Everything is removed within 30 days
- Restriction of processing (Art. 18) — write to support; while a dispute is being resolved, data will only be stored, not processed
- Data portability (Art. 20) — receive your data in a structured format (JSON) and transfer it to another service
- Objection (Art. 21) — against any processing based on legitimate interests; we will stop unless we have overriding lawful grounds
- Withdraw consent (Art. 7(3)) — for optional services (analytics, crash reports, AI coach)
- Revoke Google Calendar permission — within the app, or via myaccount.google.com/permissions
- Lodge a complaint with a supervisory authority (Art. 77) — to the data protection authority in your country (for users in the EU — your national DPA; for Ukraine — Ukrainian Parliament Commissioner for Human Rights)
To exercise your rights, write to support.koda@gmail.com. We respond within 30 days (a GDPR requirement).
9. Children
Koda is not intended for children under 13. We do not knowingly collect data from anyone under 13. If you are a parent and discover that your child has created an account, write to support and we will delete it.
10. Changes to this policy
We may update this document. The date at the top reflects the most recent revision. We will notify you in-app or by email before material changes (new categories of data, new third parties) take effect.
11. Contact
For any privacy-related questions, write to support.koda@gmail.com. We respond within 7 days.