Privacy Policy
Last updated: April 2025
1. Introduction
This Privacy Policy explains how KodoAI (kodoai.ru) collects, uses, and protects information about you when you use our service.
By using KodoAI, you agree to the practices described in this Policy. If you disagree, please stop using the Service.
2. Data Controller
The data controller for KodoAI is the owner of the KodoAI service.
Contact email: [email protected]
3. What Data We Collect
3.1 Data you provide
- Email address (on registration)
- Display name (optional, in profile settings)
- Password (stored as a bcrypt hash, never in plain text)
3.2 Social login data
- Name, email and account ID from Yandex or VKontakte (when you sign in via OAuth)
3.3 Technical data
- IP address on proxy requests
- Image URLs submitted for processing
- API key usage data (timestamps, request counts)
- Balance and transaction records
3.4 Cookies and local storage
- Session cookie — required to keep you logged in.
- CSRF token — technical cookie to protect against cross-site request forgery.
- localStorage — stores your API key in the browser (on your device only) and remembers your cookie consent choice.
We do not use advertising, analytics, or third-party tracking cookies.
4. How We Use Your Data
- To provide access to the Service and its features
- To identify you when you log in
- To track your balance and service usage
- To process images on your behalf
- To respond to support requests
- To comply with legal obligations
5. Legal Basis for Processing
We process your data on the following legal bases:
- Consent — by registering and using the Service you consent to this Policy.
- Contract performance — processing is necessary to provide the Service.
6. Sharing Data with Third Parties
We share data with third parties only in the following cases:
- Yandex / VKontakte — when you use OAuth login. The OAuth provider sends us only the profile data you authorise.
- Legal requirements — if required by applicable law or lawful authority.
We do not sell or share your data for marketing purposes.
7. Data Retention
Personal data is retained for the lifetime of your account. Upon account deletion, data is removed within 30 days, except where retention is required by law.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data ("right to be forgotten")
- Withdraw consent at any time
- Request data portability
- Lodge a complaint with a supervisory authority (e.g., your national data protection authority)
To exercise any of these rights, contact us at: [email protected]
9. Data Security
We apply technical and organisational measures to protect your data: bcrypt password hashing, HTTPS for all connections, CSRF protection, access controls, and API key authentication instead of transmitting credentials.
10. Changes to This Policy
We may update this Policy from time to time. For material changes we will notify you by email or by a notice on the website. The date of the latest revision is shown at the top of this document.
11. Contact
For privacy-related questions: [email protected]