Privacy Policy
This Privacy Policy explains what personal data KoiFi collects, why we collect it, how we use and protect it, who we share it with, and the rights you have. We built KoiFi to keep your financial life on your device first — privacy is a design principle, not an afterthought.
The short version. Your financial data lives on your device first and syncs encrypted. Every bank and wallet connection is read-only — we can never move your money. We do not sell your personal data. We use a small set of trusted providers to run the app (hosting, AI, payments, crash reporting), listed in Section 6.
Contents
1Who we are
KoiFi (“KoiFi”, “we”, “us”, “our”) is a personal-finance application built in Ukraine. The data controller responsible for your personal data is Private Entrepreneur Liudmyla Oganova, 44-50 Oresta Vaskyla St., Apt. 40, Kyiv 03179, Ukraine.
For any privacy question or to exercise your rights, contact us at hello@koifi.app (privacy requests: privacy@koifi.app). Data-protection matters are handled by our privacy team at that address.
2Scope
This Policy applies to the KoiFi mobile apps (iOS and Android), the koifi.app website and waitlist, and related services (together, the “Service”). It does not apply to third-party services you connect to KoiFi (such as your bank or a blockchain), which are governed by their own privacy policies.
3Information we collect
a. Information you give us
- Account & profile: email address, display name, and authentication details. Passwords are handled by our authentication provider and stored only as secure hashes; if you use social sign-in (e.g. Apple, Google), we receive a basic identifier and email.
- Financial information you enter: transactions, income and expenses, budgets, accounts, portfolios and holdings, goals, debts, habits, notes, and the spaces (personal, family, group) you create or join.
- Receipts & images you scan or upload for expense capture.
- Content you send us: messages to support, conversations with the in-app AI companion, and feedback.
- Waitlist: if you join our waitlist, your email address and language preference.
b. Information from your connected accounts
- Bank connections are read-only. With your authorization we import account balances and transactions through the bank's own API or a licensed aggregator. We cannot initiate payments or move funds.
- Crypto wallets use public addresses only. We read publicly available on-chain data (balances, transactions) for addresses you add. We never ask for, receive, or store private keys or seed phrases.
- Market & price data (quotes, exchange rates, news) is general reference data and is not personal to you.
c. Information collected automatically
- Device & app data: device model, operating system, app version, language and region, and settings needed to run the app.
- Diagnostics: crash reports and error logs (via our error-monitoring provider) to keep the app stable. We scrub financial values and personal identifiers from these logs.
- Usage analytics: we use Google Analytics to understand aggregate usage and improve the app and website. It sets cookies and collects usage, device and approximate-location (IP-derived) data. We do not use it for advertising or to build advertising profiles, and — where the law requires — we ask for your consent before enabling analytics cookies.
- Anti-abuse: for the website/waitlist we may process a hashed IP address and basic request metadata to prevent spam and abuse. We do not store your raw IP for the waitlist.
d. Billing information
Subscriptions are purchased and processed by Apple and Google through their in-app purchase systems (managed for us via our subscription provider). We receive your subscription status (tier, renewal, entitlement) but not your full card number or payment credentials — those are handled by the app stores.
Sensitive data. Financial information is sensitive. We ask you not to enter special-category data (such as health, political, or religious information) into free-text fields. If you choose to, you consent to our processing it to provide the Service.
4How & why we use your information — and our legal bases
Where the GDPR (and Ukraine's Law “On Personal Data Protection”) applies, we rely on the legal bases below.
| We use data to… | Legal basis |
|---|---|
| Create your account and provide the core app (tracking, budgets, portfolios, goals, sync) | Performance of a contract |
| Import data from bank/wallet connections you set up | Contract / your consent |
| Run AI features you invoke | Consent / contract |
| Process subscriptions and prevent payment fraud | Contract / legitimate interests |
| Keep the Service secure, stable and free of abuse; debug crashes | Legitimate interests |
| Send service and security notices; respond to support | Contract / legitimate interests |
| Send optional product news or push notifications | Consent (withdrawable anytime) |
| Comply with legal, tax and accounting obligations | Legal obligation |
| Waitlist sign-up and launch updates | Consent |
We only use your information for the purposes described here or purposes compatible with them, and we practice data minimization.
5AI features
KoiFi includes an AI companion and AI-assisted features (for example, categorizing transactions, reading receipts, and answering questions). When you use these features, the relevant content — such as your message or a snapshot of the data needed to answer — is sent through our secure server to our AI provider (Anthropic) to generate a response.
- We send only what is needed for the feature, over encrypted connections.
- Our AI provider (Anthropic) processes this content to return a result and, under its API terms, does not use your inputs or outputs to train its models.
- AI output is for information and education only, may be inaccurate or incomplete, and is not financial, investment, tax or legal advice. We do not use AI to make decisions that produce legal or similarly significant effects about you without human involvement.
6How we share information — and our providers
We do not sell your personal data and we do not share it for cross-context behavioral advertising. We share information only with the service providers (processors) that help us run KoiFi, and only as needed. Each is bound by a data-processing agreement.
| Provider | Purpose |
|---|---|
| Supabase | Cloud hosting, database, authentication, encrypted sync |
| Anthropic | AI companion and AI-assisted features |
| RevenueCat + Apple / Google | Subscription management, in-app purchases, app delivery |
| Apple (APNs) / Google (FCM) | Push notifications |
| Sentry | Crash and error monitoring (financial values scrubbed) |
| Resend | Transactional and waitlist emails |
| CoinGecko, Alpha Vantage, Fixer.io | Market prices, FX rates, news (reference data) |
| Google (Google Analytics) | Aggregate usage analytics (cookie-based, consent-gated) |
| Your bank / aggregator | Read-only import of accounts and transactions you connect |
We may also disclose information (a) to comply with law, legal process or a lawful government request; (b) to enforce our terms or protect the rights, safety and property of KoiFi, our users or others; and (c) in connection with a merger, acquisition or asset sale, in which case we will notify you and this Policy will continue to protect your data.
7International data transfers
KoiFi is built in Ukraine and some of our providers operate outside your country, including in the EU/EEA, the United Kingdom and the United States. Where we transfer personal data across borders, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, UK IDTA/addendum, or an adequacy decision, as applicable. You may request a copy of the relevant safeguards using the contact details below.
8Data retention
We keep personal data only as long as needed for the purposes above:
- Account & app data: for as long as your account is active.
- After deletion: when you delete your account we delete or irreversibly anonymize your personal data within 30 days, except where we must retain limited records to meet legal, tax or accounting obligations, resolve disputes, or enforce our agreements.
- Backups: residual copies in encrypted backups are purged on our normal backup rotation.
- Diagnostics/analytics: retained for a limited period in aggregate/de-identified form.
- Waitlist: until launch or until you unsubscribe.
9Security
We use technical and organizational measures appropriate to the sensitivity of financial data, including:
- Encryption in transit (TLS) and at rest; the on-device database is encrypted (SQLCipher).
- Row-Level Security enforcing strict per-space data isolation at the database.
- Secrets such as bank tokens stored in a dedicated secure vault, never on your device in plain form.
- Optional biometric app lock and one-tap privacy blur on monetary values.
- Least-privilege access controls and monitoring.
No method of transmission or storage is 100% secure. You are responsible for keeping your device and credentials safe; please use a strong password and enable device security. If a breach affects your rights, we will notify you and the relevant authority as required by law.
10Your rights
Subject to applicable law, you have the right to:
- Access a copy of your personal data;
- Rectify inaccurate or incomplete data;
- Erase your data (“right to be forgotten”) — you can delete your account in the app;
- Restrict or object to certain processing, including processing based on legitimate interests;
- Portability — receive your data in a portable format and export it;
- Withdraw consent at any time, without affecting prior processing;
- Not be subject to solely automated decisions with legal or similarly significant effects.
To exercise any right, email hello@koifi.app (or privacy@koifi.app). We respond within the timeframe required by law (generally one month under the GDPR). You may also lodge a complaint with your local data protection authority — in Ukraine, the Ukrainian Parliament Commissioner for Human Rights (Ombudsman); in the EU, your national supervisory authority.
US residents: where the CCPA/CPRA or similar state laws apply, you have rights to know, delete, correct and opt out of “sale”/“sharing” (we do not sell or share your data as those terms are defined), and not to be discriminated against for exercising them.
11Children
KoiFi is intended for adults and is not directed to children under 18 (and in any case not to children under the age of digital consent in your country). We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.
12Cookies & local storage
The koifi.app website uses your browser's local storage to remember your language choice and waitlist status (essential; not cookies). We also use Google Analytics, which sets cookies to measure aggregate usage. Where consent is required (for example in the EU/EEA, the UK and Ukraine), we ask for it before setting non-essential analytics cookies, and you may decline or withdraw consent at any time without affecting essential functionality. We do not use advertising or cross-site tracking cookies. The mobile app stores data locally on your device to work offline.
13Third-party links & services
The Service may link to or integrate with third-party sites and services (your bank, blockchains, app stores, news sources). We are not responsible for their content or privacy practices; review their policies before using them.
14Changes to this Policy
We may update this Policy as the Service evolves or the law changes. We will post the new version here with an updated “Last updated” date and, for material changes, provide additional notice (in-app or by email). Your continued use after changes take effect means you accept the updated Policy.
15Contact us
Questions, requests, or complaints about privacy:
KoiFi — Private Entrepreneur Liudmyla Oganova
44-50 Oresta Vaskyla St., Apt. 40, Kyiv 03179, Ukraine
Email: hello@koifi.app · Privacy: privacy@koifi.app
See also our Terms & Conditions. This document is provided for transparency and does not itself constitute legal advice.