Privacy Policy

Effective Date: February 17, 2026 · Last Updated: February 17, 2026

BDKM LLC ("we," "us," or "our") operates the Kori mobile application ("Kori" or the "App"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use Kori.

By using Kori, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the App.

1. Information We Collect

Account Information

When you create an account, we collect:

• Email address
• Display name (optional)
• Timezone (detected automatically)

Journal & Mood Data

When you use the App's journaling features, we store:

• Journal entries (text content and rich text formatting)
• Mood ratings and mood factors
• Gratitude entries
• Tags and categories you assign
• Entry metadata (timestamps, word count, source type)

Health & Wellness Data

If you use our wellness features, we collect:

• Sleep journal: Bedtime, wake time, sleep duration, quality rating, dream notes, sleep factors
• Breathing exercises: Session type, duration, completion status
• Routines: Morning and evening routine completions and streaks
• Goals: Goal titles, descriptions, milestones, check-in reflections, progress data
• Custom activities and mood scales you create

Media

You may optionally attach media to your entries:

• Photos (up to 5 per entry, stored in cloud storage)
• Videos (compressed, with generated thumbnails)
• Voice recordings (up to 2 minutes each, used for transcription)

Location & Weather Data (Opt-In)

If you enable entry enrichment in Settings (disabled by default):

• GPS coordinates (latitude and longitude)
• Location name (city, region — via on-device reverse geocoding)
• Weather conditions and temperature (via Open-Meteo, a free weather API)

We only access your location while the App is in use, and only when you have explicitly enabled this feature.

Device & Crash Data

To improve App stability, we collect:

• App crash reports and error logs (via Firebase Crashlytics)
• Device type, operating system version, and App version
• Your Kori user ID (to correlate crash reports — not your email)

Crash reporting is disabled in debug/development builds.

Purchase & Subscription Data

If you subscribe to Kori Plus or Kori Pro:

• Subscription tier and status (active, expired, cancelled)
• Transaction identifiers (from Apple App Store or Google Play)
• Subscription period dates

We do not collect or store your payment card details. All payments are processed by Apple or Google.

Reminders

If you create reminders:

• Reminder message text
• Scheduled time
• Completion status

Reminders are delivered via local notifications on your device. We do not use push notification services or collect notification tokens.

2. How We Use Your Information

We use your information to:

• Provide the service: Store and sync your journal entries, mood data, and wellness records across your devices
• Power AI features: Generate journaling prompts, detect mood from entries, summarize your journals, suggest entry titles, and provide reflections and pattern insights
• Transcribe voice notes: Convert your voice recordings to text
• Track your progress: Calculate streaks, XP, badges, and wellness trends
• Process subscriptions: Verify your subscription status and unlock premium features
• Improve reliability: Identify and fix crashes and bugs via crash reports
• Enrich entries (opt-in): Add location and weather context to your journal entries

We do not use your data for advertising. We do not sell your personal information.

3. AI & Voice Processing

Kori uses artificial intelligence to enhance your journaling experience. Here is how it works:

• AI features (prompts, summaries, mood detection, reflections, pattern analysis) are processed by OpenAI's GPT-4o-mini model.
• Voice transcription is processed by OpenAI's Whisper speech-to-text model.
• Your data is sent from the App to our secure server (Supabase Edge Functions), which then forwards it to OpenAI's API for processing. Only the minimum necessary content is sent (e.g., entry text for mood detection, audio for transcription).
• We do not use your data to train AI models. OpenAI's API data usage policy applies to data processed through their services.

You can use Kori without AI features — they are optional and can be avoided by not tapping AI-related buttons (sparkle icon, voice transcription).

4. Third-Party Services

We use the following third-party services to operate Kori:

Service	Purpose	Privacy Policy
Supabase	Database, user authentication, file storage	supabase.com/privacy
OpenAI	AI journaling features, voice transcription	openai.com/privacy
Firebase Crashlytics	Crash reporting and error logging	firebase.google.com/support/privacy
Open-Meteo	Weather data (no API key, no user tracking)	open-meteo.com/en/terms
Apple App Store	iOS subscription payments	apple.com/legal/privacy
Google Play	Android subscription payments	policies.google.com/privacy

These services process data according to their own privacy policies. We encourage you to review them.

5. Data Storage & Security

We take the security of your data seriously:

• Encryption in transit: All data transmitted between the App and our servers uses HTTPS/TLS encryption.
• Encryption at rest: Your data is stored on Supabase servers with encryption at rest enabled.
• Access control: Row-Level Security (RLS) policies ensure you can only access your own data. No other user can view your entries.
• Authentication: Your account is protected by email and password. You can optionally enable biometric authentication (Face ID, fingerprint) or a PIN code, which are stored securely on your device only.
• Offline data: Journal entries are cached locally on your device (encrypted SQLite database) for offline access and synced to our servers when you reconnect.
• Media storage: Photos, videos, and voice recordings are stored in private cloud storage buckets. Access requires authenticated, time-limited signed URLs.

6. Data Retention & Deletion

• Active data: Your data is retained as long as your account is active.
• Deleted entries: When you delete a journal entry, it is soft-deleted and permanently purged from our servers after 30 days. During this period, you may be able to recover it.
• Account deletion: You may request account deletion by contacting us at privacy@heykori.app. Upon request, we will permanently delete all your data — including entries, media, and account information — within 30 days.
• Backup exports: You can export all your data at any time using the in-app backup feature. Exported files are saved to your device and are not stored on our servers.
• Crash data: Crash reports are retained by Firebase according to Google's data retention policies (typically 90 days).

7. Your Privacy Rights

Depending on where you live, you may have additional rights regarding your personal information.

United States — California (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect and how we use it
• Request deletion of your personal information
• Opt out of the sale of personal information (we do not sell your data)
• Non-discrimination for exercising your privacy rights

Canada (PIPEDA)

If you are a Canadian resident, you have the right to:

• Access your personal information we hold
• Request correction of inaccurate information
• Withdraw consent for data processing (note: some features may become unavailable)
• File a complaint with the Office of the Privacy Commissioner of Canada

United Kingdom (UK GDPR)

If you are a UK resident, you have the right to:

• Access your personal data
• Rectification of inaccurate data
• Erasure ("right to be forgotten")
• Data portability (export your data in a portable format — available via in-app backup)
• Restriction of processing
• Object to processing
• File a complaint with the Information Commissioner's Office (ICO)

Legal basis for processing (UK GDPR): We process your data based on (a) your consent when you create an account and use the App, (b) performance of our contract with you (providing the journaling service), and (c) our legitimate interest in improving App stability (crash reporting).

Australia (Privacy Act 1988)

If you are an Australian resident, you have the right to:

• Access your personal information
• Request correction of inaccurate information
• File a complaint with the Office of the Australian Information Commissioner (OAIC)

To exercise any of these rights, contact us at privacy@heykori.app.

8. Children's Privacy

Kori is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@heykori.app and we will promptly delete it.

Users between the ages of 13 and 18 should review this Privacy Policy with a parent or guardian before using the App.

9. International Data Transfers

Our servers are hosted by Supabase, which operates data centers in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. By using Kori, you consent to this transfer. We ensure appropriate safeguards are in place to protect your data in accordance with applicable privacy laws.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through an in-app notice before the changes take effect. The "Last Updated" date at the top of this policy will be revised accordingly.

We encourage you to review this Privacy Policy periodically.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

BDKM LLC
Email: privacy@heykori.app
Website: https://heykori.app

---

This privacy policy applies to the Kori mobile application published by BDKM LLC on the Apple App Store and Google Play Store.