Privacy Policy (Kikis)
Effective Date: [YYYY-MM-DD β fill in the actual deployment date] Version: 1.0
Kikis ("we", "us", "our") takes your privacy seriously. This policy explains what data we collect, why, and how we handle it. We comply with applicable laws including GDPR (EU), CCPA (California), and South Korea's Personal Information Protection Act (PIPA).
1. Data We Collect and Why
1.1 At Sign-Up
| Data | Source | Purpose |
|---|---|---|
| Email address | Google/Apple Sign-In or direct entry | Account identification, password reset |
| Name or display name | OAuth provider metadata | Profile display |
| Profile picture (optional) | User upload | Profile display |
| Learning language / native language | User selection | Personalized content |
Apple Sign-In note: If you choose "Hide My Email", Apple provides us with a relay address. We never see your actual Apple ID email.
1.2 During Use
| Data | Purpose |
|---|---|
| Search queries (text) | AI translation and kiki generation; cache |
| Saved kikis (expressions, patterns, sentences) | Your vault content; learning progress |
| Learning history (last reviewed, success rate) | SM-2 spaced-repetition algorithm |
| Device info (iOS/Android, OS version, app version) | Compatibility, crash diagnostics |
| FCM push token | Notification delivery (if you opt in) |
| Subscription state | Subscription management |
1.3 Optional (only when you actively use)
| Data | Purpose | Storage |
|---|---|---|
| Voice input (STT) | Pronunciation evaluation, voice search | Processed and discarded; not stored |
| Camera/photo (OCR) | Extract text from images | Processed and discarded |
| Connect posts / comments | Community feature | Until you delete |
2. Third-Party Service Providers
Kikis uses these external services to function. Each has its own privacy policy.
| Service | Provider | Data Shared | Location |
|---|---|---|---|
| Authentication, DB, serverless functions | Supabase Inc. (USA) | Full account & content | USA (us-east) |
| Push notifications | Firebase Cloud Messaging / Google LLC | FCM token only | USA |
| Google Sign-In | Google LLC | OAuth credentials | USA |
| Apple Sign-In | Apple Inc. | OAuth credentials | USA |
| AI translation / kiki generation | Google Gemini (Google LLC) | Search text (PII-stripped) | USA / EU |
| Speech-to-text | Google Cloud Speech | Voice data (discarded after processing) | USA |
| Pronunciation evaluation | Microsoft Azure Speech | Voice data (discarded after processing) | User's region |
| Subscription management | RevenueCat Inc. | Anonymous user ID, subscription state | USA |
| App analytics (optional) | None β no third-party analytics in the current beta | β | β |
Each provider's privacy policy:
- Supabase: https://supabase.com/privacy
- Firebase: https://firebase.google.com/support/privacy
- Google: https://policies.google.com/privacy
- Apple: https://www.apple.com/legal/privacy/
- RevenueCat: https://www.revenuecat.com/privacy
- Microsoft Azure: https://www.microsoft.com/privacy/privacystatement
3. Data Retention
| Data | Retention |
|---|---|
| Account info, vaults, kikis, learning history | Until account deletion (or earlier upon user request) |
| Connect posts / comments | Until user deletion |
| Payment & subscription history | 5 years (commercial law requirement in some jurisdictions) |
| Voice / image input | Discarded immediately after processing |
| Push tokens | Until user uninstalls or token invalidates |
| Backup data | 30 days after account deletion (in case of re-signup) β auto-purged |
4. Your Rights
You can exercise these rights anytime:
- Access β view your profile in the app's "Profile Settings"
- Correction β edit your profile in "Profile Edit"
- Deletion (account closure) β in-app "Delete Account" or email support@my-kiki.app (or actual operational email)
- Restrict processing β email request
- Data portability β request a JSON export of your vault
- Withdraw consent β uninstall the app and request data deletion
We respond within 7 days.
EU/UK users have additional GDPR rights including the right to lodge a complaint with your local supervisory authority.
California residents have additional CCPA rights including the right to know what categories of personal information we collect and the right to opt out of "sale" (we do not sell your data).
5. Children Under 14
Kikis is intended for users 14 and older. We do not knowingly collect data from children under 14. If we discover a user is under 14, their account is deleted immediately. Children in jurisdictions where the legal age is higher (e.g. 16 under GDPR without parental consent) should obtain such consent.
6. Cookies and Tracking
Mobile app does not use cookies. We also do not use:
- iOS IDFA (advertising identifier)
- Android Advertising ID
- App Tracking Transparency (ATT) prompts β we do not track across apps or websites
7. Security
- In-transit encryption: TLS 1.2+ (HTTPS)
- At-rest encryption: provided by Supabase
- Access control: Supabase Row-Level Security (RLS)
- Passwords: hashed (never stored in plaintext)
- Periodic security review
8. Changes to This Policy
If this policy changes materially we will notify you via in-app notice and/or email. For substantial changes affecting your rights, we may re-prompt for consent.
9. Contact Us
For privacy questions or requests:
- Email: support@my-kiki.app (or actual operational email)
- Response time: within 7 business days
Data Protection Officer:
- Name: [fill in actual DPO name]
- Email: privacy@my-kiki.app (or actual email)
10. International Data Transfers
Your data may be transferred to, processed in, and stored in the United States and other countries where our service providers operate. By using Kikis you consent to this transfer. For EU/UK users, we rely on the relevant Standard Contractual Clauses or equivalent safeguards.
Last Updated: [YYYY-MM-DD]
For the Korean version see privacy-policy-template-ko.md. In
case of conflict between the two versions, the Korean version
governs for Korean users; the English version governs for all
others.