Privacy Policy

Last updated: May 9, 2026

At Koi, we believe building better habits is an act of self-care. Your pond is your own. We designed Koi so that your personal data stays on your device, your identity stays anonymous, and your journey remains private. This policy explains the small amount of data we do handle and why. If anything is unclear, please contact us.

This Privacy Policy explains how Koi ("we", "our", or "the App") handles information. By using the App, you agree to the practices described in this policy.

Information Stored on Your Device

The majority of your data in Koi is stored locally on your device and never leaves it. This includes:

  • The habits you create, track, and complete, along with your goals and progress
  • Journal entries you write within the app
  • Images and voice notes you choose to add to reflections and goal journals
  • Records of meditation, breathing exercises, and timer sessions you complete
  • Your notification settings, sound, and haptic feedback preferences

Data Storage

Your personal data, including habits, goals, reflections, and media, is stored locally on your device and is not transmitted to any external servers. Your local data remains on your device unless you choose to back it up using your device's backup services (such as iCloud or Google Cloud).

A small amount of data is stored on our servers to enable social features and anonymous analytics. See the sections below for details.

Analytics & Error Reporting

To improve the app and fix bugs, Koi collects a small amount of anonymous data. The data we collect includes:

  • Anonymous usage events (such as completing a habit or starting a session) with platform, locale, app version, and subscriber status. These events contain no name, email, phone number, or account ID, and cannot be linked back to you.
  • Crash reports and performance data including device model, OS version, and app version. Personal data collection is disabled. IP addresses are scrubbed server-side. No screenshots, console logs, or HTTP headers are included.
  • Subscription status and purchase validation, processed through Apple App Store and Google Play. We do not receive or store your payment details.

We use analytics solely to understand how the app is used, fix bugs, and improve features. We never sell your personal information. When we run ad campaigns, we use attribution providers to measure whether they work. See the Ad Attribution section below for details.

Third-Party Service Providers

We use a limited number of trusted service providers to operate the app:

  • Supabase: hosts social feature data (friend profiles, connections, invites, vibes), anonymous analytics events, and a device identifier used solely to prevent abuse of one-time promotional offers
  • Sentry: receives crash reports and error data to help us identify and fix bugs
  • RevenueCat: manages subscription status and purchase validation. To match purchases to the ad campaigns that brought you to Koi, RevenueCat also receives your IP address, device identifiers (IDFA on iOS, IDFV on iOS, advertising ID on Android), AppsFlyer device ID, and device/OS version. Your payment details are handled entirely by Apple or Google
  • Vercel: hosts this website. This does not apply to the mobile app
  • AppsFlyer: helps us measure the performance of our mobile ad campaigns. Receives your IP address, device identifiers (IDFA, IDFV, Android advertising ID), and basic event signals such as installs and purchases.
  • Meta: helps us measure the performance of ads we run on Facebook and Instagram. From our website, Meta receives your IP address, browser user agent, and Meta's own cookie identifiers.
  • TikTok: helps us measure the performance of ads we run on TikTok. From our website, TikTok receives your IP address, browser user agent, and TikTok's own cookie identifiers.

When your device connects to any of these providers, your IP address is transmitted as part of normal network communication. This happens for every networked app and website. We keep our list of providers minimal and retain only what's necessary.

We do not sell your data or share it with data brokers. The only parties that receive data are the service providers listed above.

Ad Attribution

When we run ads on Meta, TikTok, or other platforms, we share the minimum information needed to understand whether those ads are working. This helps us avoid wasting money on campaigns that don't reach people who would benefit from Koi.

Our attribution providers (listed above) may receive your device's advertising identifier and basic signals about your interactions with our app or website. They never receive your name, journal entries, habits, photos, voice notes, or anything else you have created in the app.

You can limit this at any time:

  • iOS: Settings → Privacy & Security → Tracking, then toggle off for Koi
  • Android: Settings → Google → Ads, then opt out of ads personalisation
  • Website: click "Decline" on the cookie consent banner

We never build cross-site advertising profiles of you, and we never sell your data.

Permissions

Koi requests the following device permissions:

  • To send you habit reminders, goal reminders, and daily check-in notifications at times you choose
  • To provide haptic feedback when you interact with the app (can be disabled in settings)
  • To let you take and attach photos in reflections and goal journals
  • To let you record and attach voice notes in reflections and goal journals
  • To let you select and attach existing images from your photo library in reflections and goal journals
  • To calculate local sunrise and sunset times for Koi's Solar Time features

Camera, microphone, and photo library access are optional and only used when you choose to create or attach media in the app.

Location Data

Koi may request access to your device's location to power the Solar Time feature, which calculates local sunrise and sunset times and uses them to shape your in-app experience.

  • Your approximate geographic coordinates (latitude and longitude), accessed only while the app is in use
  • Solely to compute sun position and local solar times on your device
  • All location calculations happen entirely on-device. Your location is never sent to our servers, stored remotely, or shared with any third party
  • You can withdraw location permission at any time in your device's Settings under Privacy & Security, Location Services, then Koi. If you decline or revoke this permission, Solar Time features may be unavailable or fall back to a default experience

Social Features

When you use Koi's social features, the following data is stored on our servers:

  • Your display name, koi variant, and accessories, so friends can see your profile
  • Your friend code, so others can add you as a friend
  • Your friend connections, to enable your friends list and vibes
  • Invite codes you create, including which koi you chose to gift, and your referral reward progress
  • Vibes (emoji reactions) you send to friends, including the recipient, emoji type, and read status

Koi does not require an email, password, or any personal information to create an account. Social features require an internet connection.

Data Sharing

We do not sell or rent your personal information, and we do not share it with data brokers. The only third parties that receive data are the service providers listed above, and only the minimum needed to operate the app and measure ad performance.

Data Retention

We retain your data only as long as needed to provide the service:

  • Local data (habits, goals, reflections, media, sessions) is stored on your device until you delete it or uninstall the app
  • Social data (profile, friends, invites, vibes) is stored on our servers until you delete your account
  • Analytics events are retained in aggregate form. Individual events are not linked to identifiable users
  • Crash reports are retained by Sentry according to their data retention policy (typically 90 days)
  • When you delete your account, all server-side data is permanently and immediately removed. Uninstalling the app permanently deletes all local data

Security

We take reasonable measures to protect the data we handle. All data transmitted between the app and our servers uses encrypted connections (HTTPS/TLS). Server-side data is hosted on infrastructure with industry-standard security practices. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

International Data Transfers

Our service providers (Supabase, Sentry, RevenueCat) may process data in countries other than your own, including the United States. By using the App, you consent to the transfer of the limited data described in this policy to these providers. We ensure our providers maintain appropriate data protection standards.

Your Rights

You have the following rights regarding your data:

  • Right to access: you can view all your data within the app at any time
  • Right to deletion: you can delete your account and all server-side data from within the app, and uninstall to remove all local data
  • Right to correction: you can edit your profile, habits, goals, and reflections at any time
  • Right to portability: your local data is stored on your device and accessible through your device's backup services

To exercise any of these rights or if you have questions, contact us at koi.calm.app@gmail.com.

Because Koi accounts are anonymous and we do not collect identifying information, we may be unable to verify your identity for data access requests beyond what is already available to you in the app.

Your Control

You have full control over your data:

  • Edit or delete individual habits, goals, and reflections at any time
  • Disable notifications globally or for specific habits and goals
  • Toggle sound effects and haptic feedback in settings
  • Delete your account at any time using the in-app option. This permanently removes all server-side data (profile, friends, invites, and vibes)
  • Remove individual friends at any time
  • Uninstalling the app permanently deletes all local data. Since accounts are anonymous, uninstalling means you lose access to your account

Children's Privacy

Koi is not directed at children under 13. Our analytics and crash reports do not contain your name, email, or phone number. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided personal information to us, please contact us and we will take steps to delete it.

Changes to This Policy

We may update this policy from time to time. If we make material changes to how we handle your information, we will update this page and change the "Last updated" date above.

Contact

If you have questions about this policy, please contact us.