
Privacy Policy

Last Updated: April 25, 2026 · Effective Date: April 25, 2026

Kunba (“Kunba,” “we,” “us,” or “our”) operates the Kunba mobile application (the “App”) and the website located at https://kunba.app (the “Website,” and together with the App, the “Service”). This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you use our Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, you must not access or use the Service.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: When you create an account, we collect your name, email address, and authentication credentials. If you sign in using Apple Sign-In (including Apple's “Hide My Email” relay service) or Google Sign-In, we receive the information you authorize those services to share with us, which typically includes your name and email address.
  • Profile Information: You may optionally provide a profile photo or avatar, which is stored on our servers.
  • Family Group Data: Information about family groups you create or join, including family group names, member roles, and invite codes.
  • Task Data: Task titles, descriptions, due dates, assignees, completion statuses, and related metadata that you create within the Service.
  • Shared Lists: Content you create in shared lists, including but not limited to grocery lists, packing lists, and other collaborative lists.
  • Sticky Notes: Content you create in sticky notes within the Service.

1.2 Information Collected Automatically

  • Device Tokens: When you enable push notifications, we collect device tokens through Firebase Cloud Messaging and/or Amazon Simple Notification Service (AWS SNS) to deliver notifications to your device.
  • Device Information: We may collect basic device information necessary for the functioning of the Service, such as device type, operating system version, and app version.

1.3 Information We Do NOT Collect

  • Biometric Data: The App supports Face ID and Touch ID for local device authentication. All biometric processing occurs entirely on your device using the operating system's secure enclave. We never receive, transmit, store, or have access to your biometric data.
  • Analytics Data: We do not use any third-party analytics SDKs or tracking tools.
  • Advertising Data: We do not use any advertising SDKs or ad-tracking technologies. We do not serve advertisements in the Service.
  • Location Data: We do not collect your precise or approximate geographic location.
  • Cookies: The App does not use cookies. The Website may use strictly necessary cookies for basic functionality, but does not use cookies for tracking, analytics, or advertising purposes.

2. How We Use Your Information

We use the information we collect solely for the following purposes:

  • Providing the Service: To create and manage your account, facilitate family group management, enable task creation and management, support shared lists and sticky notes, and deliver push notifications.
  • Authentication: To verify your identity when you sign in using Apple Sign-In or Google Sign-In.
  • Communication: To send you service-related notifications, including push notifications about task assignments, reminders, and family group updates. We do not send marketing or promotional communications.
  • Service Improvement: To maintain, improve, and ensure the security of the Service.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

3. How We Share Your Information

3.1 Within Your Family Group

Information you create within a family group (tasks, shared lists, sticky notes, your name, and profile photo) is visible to other members of that family group. You control which family groups you join and what content you create within them.

3.2 Third-Party Service Providers

We use the following third-party service providers to operate the Service. These providers process your data solely on our behalf and in accordance with our instructions:

Provider | Service | Data Processed
Amazon Web Services (AWS) | Cloud infrastructure (Cognito, DynamoDB, S3, Lambda, SNS) | All account data, content, and files
Apple Inc. | Apple Sign-In authentication | Name and email address (or relay email)
Google LLC | Google Sign-In authentication | Name and email address
Firebase (Google) | Cloud Messaging (push notifications) | Device tokens

All data processed by AWS is stored in the US-East-1 (Northern Virginia) region.

3.3 We Do NOT Share Your Information For

  • Advertising or marketing by any third party
  • Sale to third parties — We do not sell, rent, lease, or trade your personal information to any third party, under any circumstances
  • Data brokering or any similar commercial purpose

3.4 Legal Requirements

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to:

  • Comply with a legal obligation, subpoena, court order, or legal process
  • Protect and defend our rights or property
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of users of the Service or the public
  • Protect against legal liability

3.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via the Service or email of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.

4. Data Storage and Security

4.1 Data Storage

Your data is stored on Amazon Web Services (AWS) infrastructure in the US-East-1 (Northern Virginia) region. AWS maintains industry-leading security certifications, including SOC 1/2/3, ISO 27001, and FedRAMP.

4.2 Security Measures

We implement reasonable and appropriate technical and organizational measures to protect your personal information, including:

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
  • Encryption at Rest: Data stored in our databases and file storage is encrypted at rest using AES-256 encryption.
  • Access Controls: We employ strict access controls and least-privilege principles for access to production systems and data.
  • Authentication Security: User authentication is managed through AWS Cognito, which provides secure token-based authentication with industry-standard security practices.
  • Local Biometric Security: The App supports Face ID/Touch ID, processed entirely on your device through the operating system's secure enclave, providing an additional layer of local security.

4.3 Security Limitations

While we implement reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee the absolute security of your information. You acknowledge and accept that any transmission of personal information is at your own risk, and we are not responsible for any circumvention of privacy settings or security measures contained on the Service.

5. Data Retention

5.1 Active Accounts

We retain your personal information for as long as your account is active and as needed to provide you the Service.

5.2 Deleted Accounts

When you delete your account (via the DELETE /users/me endpoint in the App), we will:

  • Delete your personal account data, including your name, email address, and profile photo
  • Remove your association with family groups
  • Delete or anonymize your user-generated content (tasks, lists, sticky notes)
  • Revoke all authentication tokens and sessions
  • Delete your push notification device tokens

Account deletion is processed promptly. Some data may be retained in encrypted backups for a limited period (up to 90 days) before being permanently purged, solely for disaster recovery purposes.

5.3 Legal Retention

We may retain certain information as required by law, for legitimate business purposes (such as fraud prevention), or to resolve disputes.

6. Your Rights and Choices

6.1 All Users

Regardless of your location, you have the right to:

  • Access the personal information we hold about you
  • Delete your account and associated personal data at any time through the App
  • Update your profile information at any time through the App
  • Disable push notifications through your device settings
  • Withdraw from any family group at any time

6.2 European Economic Area (EEA) Residents — GDPR Rights

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR):

  • Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you.
  • Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data.
  • Right to Erasure (Article 17): You have the right to request deletion of your personal data (“right to be forgotten”). You can exercise this right directly through the App's account deletion feature.
  • Right to Restriction of Processing (Article 18): You have the right to request restriction of processing of your personal data under certain circumstances.
  • Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to Object (Article 21): You have the right to object to processing of your personal data under certain circumstances.
  • Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your jurisdiction.

Legal Basis for Processing: We process your personal data on the following legal bases:

  • Performance of a Contract (Article 6(1)(b)): Processing necessary to provide the Service pursuant to our Terms and Conditions.
  • Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, such as improving the Service and ensuring security, where those interests are not overridden by your rights.
  • Consent (Article 6(1)(a)): Where you have given consent, such as enabling push notifications.
  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable law.

International Data Transfers: Your data is stored on servers located in the United States. If you are located in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) and/or other lawful transfer mechanisms approved by the European Commission to ensure an adequate level of protection for your personal data when transferred to the United States.

To exercise any of your GDPR rights, please contact us at privacy@kunba.app. We will respond to your request within 30 days.

6.3 California Residents — CCPA/CPRA Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business purpose for collecting the information, and the categories of third parties with whom we share the information.
  • Right to Delete: You have the right to request deletion of your personal information. You can exercise this right directly through the App's account deletion feature.
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined by the CCPA/CPRA. Therefore, there is no need to opt out.

Categories of Personal Information Collected (per CCPA §1798.140):

Category | Examples | Collected
Identifiers | Name, email address, device tokens | Yes
Personal information per Cal. Civ. Code §1798.80(e) | Name, email address | Yes
Internet or network activity | N/A | No
Geolocation data | N/A | No
Audio, electronic, visual, or similar information | Profile photos | Yes
Professional or employment information | N/A | No
Education information | N/A | No
Inferences | N/A | No
Sensitive personal information | N/A | No
Biometric information | N/A (processed locally only) | No

Do Not Sell or Share My Personal Information: We do not sell or share (as defined by the CCPA/CPRA) your personal information to third parties for monetary or other valuable consideration.

To exercise any of your CCPA/CPRA rights, please contact us at privacy@kunba.app. We will verify your identity and respond within 45 days.

7. Children's Privacy (COPPA Compliance)

7.1 General Policy

The Service is designed for family use. We do not knowingly collect personal information directly from children under the age of 13 (or under the age of 16 in the EEA). Children do not create their own accounts.

7.2 Parent-Managed Accounts

Parents or legal guardians may create and manage accounts for their children as part of a family group. In such cases:

  • The parent or legal guardian is solely responsible for providing any personal information related to the child.
  • The parent or legal guardian provides verifiable consent by creating and managing the child's account.
  • The parent or legal guardian can review, modify, or delete the child's information at any time through the App or by contacting us.
  • We collect only the minimum information necessary for the child to participate in the family group (name and task-related data).

7.3 Parental Rights

Parents and legal guardians have the right to:

  • Review personal information collected from or about their child
  • Request deletion of their child's personal information
  • Refuse further collection or use of their child's personal information

To exercise these rights, contact us at privacy@kunba.app.

7.4 Discovery of Unauthorized Collection

If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information as quickly as possible. If you believe we have collected information from a child without parental consent, please contact us immediately at privacy@kunba.app.

8. Push Notifications

We use Firebase Cloud Messaging (FCM) and Amazon Simple Notification Service (AWS SNS) to deliver push notifications to your device. Push notifications may include alerts about task assignments, due dates, family group activity, and other service-related updates.

  • Push notifications are optional. You may enable or disable them at any time through your device settings or the App settings.
  • We store your device token solely for the purpose of delivering push notifications. Device tokens are deleted when you disable notifications or delete your account.
  • We do not use push notifications for marketing or advertising purposes.

9. Third-Party Links and Services

The Service may contain links to third-party websites or services that are not owned or controlled by us. This Privacy Policy does not apply to those third-party services. We are not responsible for the privacy practices of any third-party services. We encourage you to review the privacy policies of any third-party services you access.

10. Limitation of Liability

To the maximum extent permitted by applicable law, in no event shall Kunba, its owners, operators, affiliates, licensors, service providers, employees, agents, officers, or directors be liable for any indirect, incidental, special, consequential, punitive, or exemplary damages arising out of or related to any breach of this Privacy Policy, any unauthorized access to or use of your personal information, or any loss or destruction of data, whether based on warranty, contract, tort (including negligence), strict liability, or any other legal theory, whether or not we have been advised of the possibility of such damages.

Our total liability for any claims arising out of or related to this Privacy Policy shall not exceed the greater of (a) the amount you have paid us in the twelve (12) months preceding the event giving rise to the claim, or (b) one dollar ($1.00 USD).

11. Indemnification

You agree to indemnify, defend, and hold harmless Kunba, its owners, operators, affiliates, licensors, service providers, employees, agents, officers, and directors from and against any and all claims, damages, obligations, losses, liabilities, costs, and expenses (including but not limited to attorney's fees and legal costs) arising from or related to: (a) your use of the Service; (b) your violation of this Privacy Policy; (c) your violation of any rights of a third party; or (d) any content you submit, post, or transmit through the Service.

12. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time and for any reason. We will notify you of any material changes by:

  • Posting the updated Privacy Policy within the App
  • Updating the “Last Updated” date at the top of this Privacy Policy
  • Sending a notification through the App, where appropriate

Your continued use of the Service after any modification to this Privacy Policy constitutes your acceptance of the modified Privacy Policy. If you do not agree to the modified Privacy Policy, you must discontinue your use of the Service and delete your account.

We encourage you to review this Privacy Policy periodically.

13. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the State of New Jersey, United States of America, without regard to its conflict of law provisions, except where superseded by applicable data protection laws (such as the GDPR for EEA residents).

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

Kunba Privacy

Email: privacy@kunba.app

Website: https://kunba.app

For GDPR-related inquiries, you may also contact our Data Protection contact at privacy@kunba.app.

We will endeavor to respond to all legitimate inquiries within a reasonable timeframe and in any event within the time periods required by applicable law.


This Privacy Policy was last updated on April 25, 2026.

See also our Terms and Conditions.