Kokoro — Privacy Policy
Last updated: 12 May 2025
Your privacy matters. This Policy explains what personal data we collect, how we process it, and your rights under the EU General Data Protection Regulation (“GDPR”) and Spanish Ley Orgánica 3/2018 (LOPD‑GDD).
1. Who is the data controller?
Kokoro Project
Email: [email protected]
(A formal legal entity will be added when incorporated.)
2. What data we collect
| Category | Examples | Legal basis (GDPR Art. 6) |
|---|---|---|
| Account data | Email, username, password hash | Contract §6 (1)(b) |
| Usage data | API calls, feature clicks, IP address, timestamps | Legitimate interest §6 (1)(f) (security & analytics) |
| Integration data | Data you authorise from Google Calendar, Linear, etc. | Consent §6 (1)(a) |
| Diagnostic logs | Error traces via Sentry | Legitimate interest §6 (1)(f) |
| Subscription data | Customer ID, plan, status (no card numbers) | Contract §6 (1)(b) |
| Cookies | First‑party cookies for session auth; PostHog analytics cookie (random ID) | Legitimate interest §6 (1)(f); Consent where required |
We do not intentionally collect special‑category data (Art. 9) or children’s data (<16 yrs).
3. How we use your data
- Provide and secure the Service
- Respond to support requests
- Monitor performance & fix bugs
- Send essential service emails (account activity, billing, changes)
- Create aggregated, anonymised statistics
- Comply with legal obligations
We do not sell or rent your personal data.
4. Sharing & subprocessors
We share personal data only with:
| Recipient | Purpose | Safeguard |
|---|---|---|
| Stripe | Subscription billing | SCCs / EU DPF |
| Cloudflare | CDN & DDoS protection | SCCs / EU DPF |
| PostHog (EU cluster) | Product analytics | Data hosted in EU |
| Sentry (EU cluster) | Error monitoring | Data hosted in EU |
A full, current list is kept at [ /LEGAL/SUBPROCESSORS.md ].
5. International data transfers
Primary servers are located in the European Union.
Where data is processed outside the EEA (e.g., Cloudflare, Stripe), we rely on:
- Standard Contractual Clauses (SCCs), and/or
- Participation in the EU–US Data Privacy Framework.
6. Data retention
| Data | Retention period |
|---|---|
| Hosted integration data | Deleted within 30 days of account deletion or subscription cancellation |
| Account & billing records | 5 years (Spanish tax law) |
| Analytics logs | 12 months (aggregated thereafter) |
7. Your GDPR rights
You may access, correct, delete, restrict, or export your personal data and object to certain processing.
To exercise any right, email [email protected] from the address linked to your account.
If we decline your request, you can complain to the Spanish Data Protection Authority (AEPD) or your local supervisory authority.
8. Cookies & tracking
| Cookie | Purpose | Duration |
|---|---|---|
kokoro_session | Keeps you logged in | Session |
ph_* (PostHog) | Product analytics | 1 year |
cf_clearance | Cloudflare security | Up to 30 days |
A banner on first visit lets EU/EEA users opt in/out of analytics cookies.
9. Security
- HTTPS everywhere; HSTS enabled
- Encryption at rest & in transit
- Firewall‑segmented infrastructure
- Regular vulnerability scans and annual third‑party penetration testing
- Least‑privilege access controls
10. Changes to this Policy
We will post any changes here and notify you via email or in‑app notice at least 14 days in advance for material changes.
11. Contact
Questions or concerns?
Email [email protected] with the subject “Privacy Inquiry.”