Effective date: 27 May 2026
Last updated: 27 May 2026
This Privacy Policy ("Policy") describes the collection, use, disclosure, retention, and protection of Personal Data by Ivan Ostrolutskyi, the controller of personal data within the meaning of Regulation (EU) 2016/679 ("GDPR") and equivalent legislation (the "Service Provider", "we", "us", or "our"), in connection with the mobile software application known as "Kiri" and any related online services, websites, or backend infrastructure operated by the Service Provider (collectively, the "Application" or "Service").
By downloading, installing, accessing, or using the Application, you ("you", "your", or the "User") acknowledge that you have read, understood, and, where consent is the lawful basis for processing under Article 6(1)(a) GDPR or equivalent provisions, affirmatively consent to the practices described in this Policy. If you do not agree with this Policy, you must discontinue use of the Application.
For the purposes of this Policy, the following terms have the meanings set forth below:
1.1. "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR, including without limitation a name, an identification number, location data, or an online identifier.
1.2. "Processing" has the meaning ascribed in Article 4(2) GDPR and includes any operation performed on Personal Data, whether or not by automated means.
1.3. "Sub-processor" means a third-party service provider engaged by the Service Provider to Process Personal Data on its behalf pursuant to a written data-processing agreement.
1.4. "Sensitive Personal Information" means Personal Data in the categories enumerated in Article 9 GDPR and, where applicable, Section 1798.140(ae) of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA").
1.5. "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
1.6. "EEA" means the European Economic Area.
The Service Provider acts as the data controller in respect of the Personal Data described herein. Inquiries concerning this Policy, the exercise of Data Subject rights, or any other matter relating to Personal Data may be directed to:
The Service Provider has not appointed a Data Protection Officer ("DPO") under Article 37 GDPR, having determined that the criteria for mandatory designation are not met. The above contact details serve for the exercise of all rights under applicable data-protection legislation.
This Policy applies exclusively to Personal Data Processed by the Service Provider in connection with the Application. It does not govern the data-protection practices of third-party services that may be linked to or integrated with the Application, the operators of which act as independent data controllers and are governed by their own privacy notices, identified in Section 8 below.
The Service Provider Processes the following categories of Personal Data:
Purchase history, current subscription tier, subscription-renewal status, and trial eligibility, mediated by RevenueCat, Inc. and Apple Inc. The Service Provider does not Process payment-card data or banking information; payment instruments are handled exclusively by Apple Inc. through the App Store.
A weekly count of label scans, retained solely to enforce the free-tier quota and prevent abuse of automated extraction features.
When you use the "Scan" feature of the Application, text is extracted from the photographed tea label by means of on-device optical character recognition ("OCR") performed by Apple's Vision framework. The resulting textual string—but not the image itself—is transmitted to the Service Provider's backend and to a language-model sub-processor (Mistral AI) for the limited purpose of matching the text to a tea in the Application's catalog. The image file is not stored, uploaded, or transmitted.
Internet Protocol address, mobile operating system and version, application version, user-agent string, request timestamps, and request paths. This information is collected automatically by the Application's backend infrastructure (Supabase) for the purposes of operational monitoring, security, abuse prevention, and statutory record-keeping.
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly. These tokens are never transmitted to the Service Provider beyond the authentication endpoints that issued them.UserDefaults store on the User's device, and may optionally be synchronized to the User's profile record in the Application's backend.For the avoidance of doubt, the Application does not collect, infer, store, or transmit:
The Service Provider Processes Personal Data only where one or more lawful bases set out in Article 6(1) GDPR (or the equivalent provisions of applicable non-EU legislation) apply. The principal purposes of Processing and corresponding lawful bases are as follows:
| Purpose | Categories of Data | Lawful Basis (GDPR Art. 6(1)) |
|---|---|---|
| Account creation, authentication, and session management | 4.1, 4.7 | (b) Performance of a contract |
| Provision of core Application functionality (shelf, timer, brew logs, custom teas, overrides) | 4.2 | (b) Performance of a contract |
| Premium subscription management and entitlement enforcement | 4.3 | (b) Performance of a contract |
| Enforcement of free-tier scan quota and abuse prevention | 4.4, 4.6 | (f) Legitimate interests (preventing abuse of automated extraction features) |
| On-device OCR and catalog matching for the Scan feature | 4.5 | (b) Performance of a contract |
| Infrastructure security, monitoring, and statutory record-keeping | 4.6 | (f) Legitimate interests; (c) Legal obligation where applicable |
| Communication of essential service notices (e.g., material policy changes, security incidents) | 4.1 | (c) Legal obligation; (f) Legitimate interests |
| Response to support inquiries and feedback you submit | 4.1, voluntarily submitted content | (a) Consent (by affirmative submission); (f) Legitimate interests |
| Compliance with legal obligations, including responses to lawful requests by public authorities | All categories, as applicable | (c) Legal obligation |
The Service Provider does not Process Personal Data for purposes incompatible with those for which it was collected, and does not engage in automated decision-making or profiling producing legal or similarly significant effects within the meaning of Article 22 GDPR.
The Service Provider obtains Personal Data from the following sources:
6.1. Directly from you, when you register for an account, edit your profile, create user content within the Application, submit feedback, or initiate a subscription transaction.
6.2. From federated identity providers, namely Apple Inc. (Sign in with Apple) and Google LLC (Sign in with Google), when you elect to authenticate via single-sign-on; the data relayed is limited to your email address and, where applicable, a name string.
6.3. From the Apple App Store and RevenueCat, Inc., in respect of subscription and transactional metadata necessary to grant and maintain premium entitlements.
6.4. Automatically from your device, in respect of the Server Log Data described in Section 4.6.
The Application is a native iOS application and does not use cookies, web beacons, pixels, fingerprinting, advertising identifiers, or any first-party or third-party tracking software development kits. The Application does not participate in cross-context behavioral advertising and does not "sell" or "share" Personal Data within the meaning of CCPA/CPRA Sections 1798.140(ad) and 1798.140(ah).
The Application does not present a tracking-transparency prompt under Apple's AppTrackingTransparency framework because it does not engage in tracking as defined therein.
The Service Provider engages the following Sub-processors to Process Personal Data on its behalf, each pursuant to a written agreement incorporating data-protection obligations consistent with Article 28 GDPR (or, where executed prior to the entry into force of GDPR-equivalent legislation in the Sub-processor's jurisdiction, with substantially equivalent contractual safeguards):
| Sub-processor | Function | Categories of Data | Privacy Notice |
|---|---|---|---|
| Supabase, Inc. | Backend hosting, database, authentication, edge-function compute, server logging | All categories at Sections 4.1–4.6 | supabase.com/privacy |
| RevenueCat, Inc. | Subscription management and entitlement state | 4.1 (user identifier and email), 4.3 | revenuecat.com/privacy |
| Apple Inc. | Sign in with Apple, App Store in-app purchase, push notifications | 4.1 (email relay), 4.3 | apple.com/legal/privacy/ |
| Google LLC | Sign in with Google (authentication relay only) | 4.1 (email relay during sign-in) | policies.google.com/privacy |
| Mistral AI SAS | Extraction of tea names from OCR-derived text strings | 4.5 (textual string only; no image, no user identifier) | mistral.ai/terms#privacy-policy |
The Service Provider may, in addition, disclose Personal Data to third parties:
8.1. where compelled to do so by a binding legal order, subpoena, court order, or other lawful demand issued by a competent authority;
8.2. where disclosure is reasonably necessary to investigate, prevent, or take action regarding suspected fraud, security incidents, violations of the Application's terms of service, or threats to the rights, property, or safety of the Service Provider, its Users, or any third party;
8.3. in connection with a merger, acquisition, reorganization, financing, or sale of all or substantially part of the Service Provider's assets, provided that the recipient is bound to honor the commitments made in this Policy or affected Users are afforded a meaningful opportunity to delete their data prior to transfer;
8.4. with your prior explicit consent for any purpose not otherwise described in this Policy.
The Service Provider does not sell Personal Data, has not sold or shared Personal Data within the preceding twelve (12) months, and has no intention of doing so in the future.
The Application's primary backend infrastructure is hosted by Supabase, Inc. in the eu-west-1 region. Personal Data may be transferred to, stored in, and Processed in jurisdictions outside your country of residence, including jurisdictions outside the EEA, the United Kingdom, or Switzerland, that may afford a lower standard of data protection than your home jurisdiction.
Where Personal Data of Data Subjects located in the EEA, the United Kingdom, or Switzerland is transferred to a third country not benefiting from an adequacy decision of the European Commission, the Information Commissioner's Office, or the Swiss Federal Data Protection and Information Commissioner, the Service Provider relies on one or more of the following transfer mechanisms recognized under Articles 44–49 GDPR (or their UK and Swiss equivalents):
9.1. the Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914, supplemented where required by the UK International Data Transfer Addendum;
9.2. binding corporate rules approved by competent supervisory authorities;
9.3. derogations under Article 49 GDPR (including, where applicable, your explicit consent, performance of a contract, or compelling legitimate interests, all subject to the conditions therein); or
9.4. such other transfer mechanism as may from time to time be recognized as valid under applicable law.
You may obtain a copy of the safeguards in place for international transfers by contacting the Service Provider at the email address set forth in Section 2.
The Service Provider retains Personal Data only for so long as is necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. The principal retention periods are:
| Category | Retention Period |
|---|---|
| Account Data (4.1) | For the duration of your account, plus twelve (12) months thereafter, unless a longer period is required by law |
| User Content (4.2) | Until you delete the relevant entry or your account; in the latter case, in accordance with Section 11 below |
| Subscription Data (4.3) | For the duration of the subscription, plus the period required for accounting, tax, and consumer-rights compliance (typically five to ten years depending on jurisdiction) |
| Usage Counters (4.4) | Rolling window of fifty-two (52) weeks |
| Image-Derived Text (4.5) | Up to twenty-four (24) months, in pseudonymized form, for catalog-quality improvement; you may request earlier deletion |
| Server Log Data (4.6) | Up to ninety (90) days for operational logs; longer where retention is required to investigate a security incident or comply with a legal obligation |
| Aggregated and Anonymized Data | Retained indefinitely, as it no longer permits identification of a Data Subject |
| Data the retention of which is required by law | For the period mandated by the applicable law |
Upon expiry of the relevant retention period, Personal Data is securely deleted or irreversibly anonymized.
You may permanently delete your account and all associated Personal Data from within the Application via Settings → Account → Delete Account. Upon receipt of a deletion request initiated through this in-application mechanism, the Service Provider shall:
11.1. delete your authentication record, profile, shelf entries, brew logs, custom teas, brewing-parameter overrides, purchase logs, and weekly scan counters from active systems within a reasonable period not exceeding thirty (30) days;
11.2. retain a minimal subset of data where, and only for so long as, retention is strictly necessary to comply with a legal obligation (e.g., tax records relating to subscription transactions), to resolve a dispute, or to enforce the Service Provider's agreements;
11.3. ensure that data resident in encrypted system backups is purged in accordance with the ordinary backup-rotation cycle, which does not exceed ninety (90) days.
You may also exercise your right to deletion at any time by contacting the Service Provider at the address set forth in Section 2.
The Service Provider implements appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as required by Article 32 GDPR. Such measures include, without limitation:
12.1. transport-layer encryption (TLS 1.2 or higher) for all communications between the Application and the Service Provider's backend;
12.2. encryption at rest of Personal Data stored in the backend database;
12.3. storage of authentication tokens on the User's device exclusively within the iOS Keychain, with device-local accessibility attributes preventing iCloud synchronization;
12.4. row-level security policies enforced at the database layer, restricting access to each User's Personal Data to that User and to authorized service accounts acting on behalf of the Service Provider;
12.5. principle of least privilege in respect of administrative access;
12.6. logging and monitoring of administrative actions and authentication events;
12.7. periodic review of access permissions and security configurations.
No method of transmission over the internet or method of electronic storage is, however, one hundred percent secure, and the Service Provider cannot guarantee absolute security.
In the event of a Personal Data breach within the meaning of Article 4(12) GDPR, the Service Provider shall:
13.1. notify the competent supervisory authority without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of it, in accordance with Article 33 GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons;
13.2. where the breach is likely to result in a high risk to the rights and freedoms of Data Subjects, communicate the breach to the affected Data Subjects without undue delay, providing the information specified in Article 34(2) GDPR, in accordance with Article 34 GDPR;
13.3. document each breach and the remedial measures taken, in accordance with Article 33(5) GDPR.
If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights in respect of your Personal Data, subject to the conditions and limitations set forth in the GDPR or applicable national law:
14.1.1. Right of access (Art. 15 GDPR) — to obtain confirmation as to whether Personal Data concerning you is being Processed, and, where that is the case, access to such Personal Data and the information specified in Article 15(1) GDPR;
14.1.2. Right to rectification (Art. 16 GDPR) — to obtain the rectification of inaccurate Personal Data and the completion of incomplete Personal Data;
14.1.3. Right to erasure ("right to be forgotten") (Art. 17 GDPR) — to obtain the erasure of Personal Data concerning you where one of the grounds set out in Article 17(1) GDPR applies;
14.1.4. Right to restriction of Processing (Art. 18 GDPR) — to obtain restriction of Processing where one of the conditions set out in Article 18(1) GDPR applies;
14.1.5. Right to data portability (Art. 20 GDPR) — to receive your Personal Data in a structured, commonly used, and machine-readable format, and to transmit such data to another controller;
14.1.6. Right to object (Art. 21 GDPR) — to object, on grounds relating to your particular situation, at any time to Processing of Personal Data concerning you which is based on Article 6(1)(e) or (f) GDPR;
14.1.7. Right not to be subject to automated individual decision-making (Art. 22 GDPR) — including profiling producing legal or similarly significant effects (the Service Provider does not engage in such Processing);
14.1.8. Right to withdraw consent (Art. 7(3) GDPR) — where Processing is based on consent, you may withdraw such consent at any time, without affecting the lawfulness of Processing carried out prior to withdrawal;
14.1.9. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR) — without prejudice to any other administrative or judicial remedy, in the Member State of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of the foregoing rights, contact the Service Provider at the email address set forth in Section 2. The Service Provider shall respond without undue delay and in any event within one (1) month of receipt of the request, in accordance with Article 12(3) GDPR.
If you are a "consumer" within the meaning of Section 1798.140(i) CCPA/CPRA and a resident of the State of California, you have the following rights:
14.2.1. Right to know what categories and specific pieces of Personal Information have been collected, the categories of sources, the business or commercial purposes for collecting, the categories of third parties with whom the information is shared, and the categories of Personal Information sold or disclosed for a business purpose (the Service Provider does neither);
14.2.2. Right to delete Personal Information collected from you, subject to the exceptions in Section 1798.105(d) CCPA/CPRA;
14.2.3. Right to correct inaccurate Personal Information maintained by the Service Provider;
14.2.4. Right to opt out of the sale or sharing of Personal Information — the Service Provider does not sell or share Personal Information and has not done so in the preceding twelve (12) months;
14.2.5. Right to limit the use and disclosure of Sensitive Personal Information — the Service Provider does not Process Sensitive Personal Information for purposes that would trigger this right;
14.2.6. Right of non-retaliation and non-discrimination for the exercise of any of the foregoing rights.
To exercise these rights, contact the Service Provider at the email address set forth in Section 2 or via the in-Application Account Deletion mechanism described in Section 11. The Service Provider will verify your identity to the extent reasonably possible before responding to a request.
You may designate an authorized agent to make a request on your behalf in accordance with Section 1798.135(c) CCPA/CPRA and the regulations promulgated thereunder.
Residents of other jurisdictions (including, without limitation, Brazil under the Lei Geral de Proteção de Dados, Quebec under An Act to modernize legislative provisions as regards the protection of personal information, Virginia under the Virginia Consumer Data Protection Act, and Colorado, Connecticut, Utah, and other U.S. states with comprehensive privacy statutes) may have analogous rights under applicable local law. Such rights may be exercised by contacting the Service Provider at the email address set forth in Section 2.
The Application carries an age rating of 4+ in the Apple App Store, which pertains exclusively to the suitability of the Application's content and does not constitute an invitation for children to create accounts.
The Service Provider does not knowingly collect Personal Data from natural persons under the age of sixteen (16) years, or such higher age threshold as may be required by the law applicable to the User's place of habitual residence (collectively, "Minors"). Where the law applicable to a User requires parental or guardian consent for the Processing of a Minor's Personal Data, the Application is not intended for use by such Minor in the absence of such consent.
If the Service Provider becomes aware that Personal Data of a Minor has been collected without the requisite consent, the Service Provider shall take reasonable steps to delete such Personal Data without undue delay. A parent or legal guardian who believes that a Minor under their care has provided Personal Data to the Service Provider may contact the Service Provider at the address in Section 2 to request deletion.
The Application complies with the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501–6506 ("COPPA"), to the extent applicable.
The Application requests access to the device camera solely for the purpose of capturing tea-label imagery for on-device optical character recognition, as described in Section 4.5. The captured imagery is Processed locally on your device; no images are uploaded to, transmitted to, or retained by the Service Provider or any Sub-processor. The Service Provider does not access the device camera at any time other than when you affirmatively invoke the Scan feature.
The Application also requests permission to deliver local notifications, exclusively to alert you to the completion of brewing timers you have initiated. The Application does not utilize the Apple Push Notification service to deliver remote notifications and does not collect or transmit push notification tokens.
The Application does not request access to your location, contacts, calendars, photo library, microphone, health data, or any other protected resource not enumerated above.
The Service Provider does not engage in automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. Algorithmic features of the Application (including catalog matching following Scan operations and recommendation generation for premium subscribers) operate on aggregated and pseudonymized inputs and do not produce decisions with legal or similarly significant effects upon Data Subjects.
The Service Provider may amend this Policy from time to time to reflect changes in legal requirements, the Application's functionality, or the Service Provider's data-processing practices. When the Service Provider makes a material change to this Policy:
18.1. the revised Policy will be posted within the Application and at the canonical URL at which this Policy is published, with a revised "Last updated" date;
18.2. where the change materially diminishes the rights of Data Subjects, the Service Provider will, to the extent reasonably practicable, provide advance notice of not less than thirty (30) days, including by means of an in-Application notice or, where contact details permit, by direct communication to registered Users;
18.3. where the change relies on Processing for which consent is the lawful basis, the Service Provider will solicit renewed consent prior to commencing the new Processing.
Continued use of the Application following the effective date of an amended Policy constitutes acknowledgement of the revised Policy. Where you do not agree with an amended Policy, your sole remedy is to cease use of the Application and request deletion of your account in accordance with Section 11.
Prior versions of this Policy are retained by the Service Provider and may be obtained upon request directed to the email address set forth in Section 2.
This Policy is governed by, and shall be construed in accordance with, the laws of the Republic of Poland, without regard to its conflict-of-laws provisions, except to the extent that the data-protection law applicable to your habitual residence affords you mandatory rights that may not be derogated from by contract, in which case such mandatory rights shall prevail to the extent of any conflict.
Nothing in this Section limits any non-waivable right you may have to bring an action before a court of competent jurisdiction or to lodge a complaint with the data-protection supervisory authority of your habitual residence, place of work, or place of the alleged infringement, as provided by Article 77 GDPR or equivalent law.
If any provision of this Policy is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not in any way be affected or impaired, and the invalid, illegal, or unenforceable provision shall be deemed modified to the minimum extent necessary to render it valid, legal, and enforceable while reflecting the original intent of the Service Provider to the greatest extent permitted by law.
This Policy, together with any document expressly incorporated herein by reference and any in-Application notice expressly designated as forming part of the Service Provider's privacy framework, constitutes the entire understanding between you and the Service Provider concerning the Processing of Personal Data in connection with the Application.
All inquiries, requests, and notices under this Policy shall be directed to:
Ivan Ostrolutskyi
Email: getkiriapp@gmail.com
The Service Provider shall acknowledge receipt of substantive requests within a reasonable period and shall respond substantively within the timeframes prescribed by applicable law (without undue delay and in any event within one month under Article 12(3) GDPR; within forty-five days under Section 1798.130(a)(2) CCPA/CPRA, extendable as provided therein).
This Policy has been drafted to reflect data-protection requirements understood by the Service Provider to apply as of the effective date set forth above. It does not constitute legal advice. Users are encouraged to consult qualified legal counsel for advice specific to their circumstances.