Privacy Policy

Effective Date: March 26, 2026 · Last Updated: March 26, 2026

Introduction

BDKM LLC (“we,” “us,” or “our”) operates the Kori mobile application (“Kori” or the “App”). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use Kori.

By using Kori, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the App.

1. Information We Collect

Account Information

Email address
Display name (optional)
Timezone (detected automatically)

Journal & Mood Data

Journal entries (text and rich text formatting)
Mood ratings and mood factors
Gratitude entries
Tags and categories
Entry metadata (timestamps, word count, source type)

Health & Wellness Data

Sleep journal (bedtime, wake time, duration, quality, dream notes, sleep factors)
Breathing exercise sessions
Morning/evening routine completions
Goals, milestones, and check-in reflections
Custom activities and mood scales

Media

Photos (up to 5 per entry)
Videos (compressed, with thumbnails)
Voice recordings (up to 2 minutes, used for transcription)

Location & Weather (Opt-In)

If you enable entry enrichment in Settings (disabled by default):

GPS coordinates
Location name (via on-device reverse geocoding)
Weather conditions and temperature (via Open-Meteo)

Device & Crash Data

App crash reports and error logs (via Firebase Crashlytics)
Device type, OS version, and app version
Your Kori user ID (not your email)

Purchase & Subscription Data

Subscription tier and status
Transaction identifiers from Apple App Store or Google Play
We do not collect or store your payment card details

Reminders

Reminder message text, scheduled time, and status
Delivered via local notifications only (no push notification tokens collected)

2. How We Use Your Information

Provide the service: Store and sync your data across devices
Power AI features: Generate prompts, detect mood, summarize journals, suggest titles, and provide reflections
Transcribe voice notes: Convert recordings to text
Track your progress: Calculate streaks, XP, badges, and wellness trends
Process subscriptions: Verify status and unlock premium features
Improve reliability: Identify and fix crashes via crash reports
Enrich entries (opt-in): Add location and weather context

We do not use your data for advertising. We do not sell your personal information.

3. AI & Voice Processing — Third-Party Data Sharing

Kori uses a third-party AI service (OpenAI, L.L.C.) to enhance your journaling experience. AI features are optional and require your explicit consent before any data is shared with OpenAI. You will be asked whether you want to enable AI features when you first use the app, and you can change this choice at any time in Settings.

What data is shared with OpenAI

Journal entry text — for mood detection, summaries, reflections, pattern analysis, title suggestions, and prompt generation
Voice recordings — sent to OpenAI’s Whisper model for speech-to-text transcription
Mood and wellness data — for pattern analysis and personalized insights
Goals and vision board text — for milestone suggestions and AI-generated captions

How data is transmitted

Your data is sent from the App to our secure server (Supabase Edge Functions), which forwards only the minimum necessary content to OpenAI’s API for processing. Data is encrypted in transit using HTTPS/TLS.

How OpenAI uses your data

OpenAI processes your data only to generate a response to the specific request.
Your data is NOT used to train OpenAI’s AI models. We use the OpenAI API, which does not use submitted data for model training.
OpenAI may retain API inputs for up to 30 days for abuse monitoring, after which they are deleted. See OpenAI’s privacy policy for details.

Your control

You can use Kori fully without AI features. Disable them at any time in Settings > AI Features. When AI is disabled, no data is sent to OpenAI.

4. Third-Party Services

We use the following third-party services:

Service	Purpose
Supabase	Database, authentication, and file storage
OpenAI	AI journaling features and voice transcription
Firebase Crashlytics (Google)	Crash reporting and error logging
Open-Meteo	Weather data (no API key, no user tracking)
Apple App Store / Google Play	Subscription payments

These services process data according to their own privacy policies.

Third-party data protection: We only share your personal data with third-party services that provide the same or equal level of data protection as described in this Privacy Policy. Our third-party service providers, including OpenAI and Supabase, are contractually obligated to process your data securely, use it only for the purposes we specify, and not sell or use it for their own purposes such as advertising or model training. We have reviewed their privacy practices and confirmed they meet or exceed the data protection standards we apply to your information.

5. Data Storage & Security

Encryption in transit: All data uses HTTPS/TLS encryption
Encryption at rest: Supabase servers with encryption enabled
Access control: Row-Level Security ensures you can only access your own data
Authentication: Email/password with optional biometric or PIN (stored on-device only)
Offline data: Cached locally for offline access and synced when online
Media storage: Private cloud storage with time-limited signed URLs

6. Data Retention & Deletion

Active data: Retained while your account is active
Deleted entries: Soft-deleted, permanently purged after 30 days
Account deletion: Request via Settings > Account > Delete Account, or email privacy@heykori.app — all data purged within 30 days
Backup exports: You can export all your data at any time using the in-app backup feature
Crash data: Retained by Firebase per Google’s retention policies (typically 90 days)

For full instructions, see our Account Deletion page.

7. Your Privacy Rights

United States — California (CCPA/CPRA)

Right to know what personal information we collect
Right to request deletion
Right to opt out of sale (we do not sell your data)
Right to non-discrimination

Canada (PIPEDA)

Right to access your personal information
Right to request correction of inaccurate information
Right to withdraw consent
Right to file a complaint with the Privacy Commissioner of Canada

United Kingdom (UK GDPR)

Right to access, rectification, erasure, data portability, restriction, and objection
Right to file a complaint with the ICO
Legal basis: consent, contract performance, and legitimate interest

Australia (Privacy Act 1988)

Right to access and correction
Right to file a complaint with the OAIC

To exercise any of these rights, contact us at privacy@heykori.app.

8. Children’s Privacy

Kori is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@heykori.app.

Users between 13 and 18 should review this policy with a parent or guardian.

9. International Data Transfers

Our servers are hosted by Supabase in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. By using Kori, you consent to this transfer.

10. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share limited data with:

Service providers: Third-party services listed above, bound by confidentiality agreements, solely to provide the App’s services
Legal requirements: If required by law, regulation, or legal process
Safety: To protect the rights, property, or safety of BDKM LLC, our users, or the public

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through an in-app notice. The “Last Updated” date at the top will be revised accordingly.

12. Contact Us

If you have questions about this Privacy Policy, please contact us:

BDKM LLC
Email: privacy@heykori.app
Website: heykori.app