Kdence — GDPR Addendum

Effective date: 14 July 2026

About this document: This addendum sits alongside the Privacy Policy and provides the structured legal-basis + user-rights detail required by the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Romania's implementing Law 190/2018.

If anything here conflicts with the Privacy Policy, this addendum is the authoritative source for EU/EEA users.


1. Data controller

The data controller for personal data processed through Kdence is:

George Zoiade Romania

Contact for data-protection matters: privacy@k-dence.app

Kdence is a solo-developed application. There is no separate data-protection officer (DPO) — the developer serves as the direct point of contact for all data-protection matters, which is permitted under GDPR Art. 37 for organizations that do not meet the mandatory-DPO criteria (Kdence does not process special-category data at scale, does not engage in systematic monitoring, and is not a public authority).


Under GDPR Art. 6, we process personal data on the following legal bases. Each category of data has one designated legal basis.

Data category Purpose GDPR Art. 6 legal basis
Task / goal / focus / reflection content you create Delivering the core service you signed up for (1)(b) Performance of a contract
Onboarding profile (daily minutes, improvement areas, work schedule) Personalizing the app's suggestions to your context (1)(b) Performance of a contract
Email address (registered users) Authentication, account recovery, service-critical notifications (1)(b) Performance of a contract
Analytics events (opted-in EU/EEA users) Understanding which features actually help users build habits, improving the product (1)(a) Consent
Analytics events (users outside the EU/EEA) Same as above (1)(f) Legitimate interest in improving the product
Crash reports (Firebase Crashlytics) Diagnosing and fixing bugs (1)(f) Legitimate interest in delivering a working app
Authentication logs Fraud prevention, security incident investigation (1)(f) Legitimate interest in service security

Consent-based processing (analytics events for EU/EEA users): consent is:

Legitimate-interest processing (crash reports, authentication logs): we have conducted a legitimate-interest assessment (LIA) balancing our interest against your rights. Both are low-intrusion, technical operations essential to running a reliable and secure app. If you want to see the LIA reasoning, email privacy@k-dence.app.


3. Your rights under GDPR

Under GDPR Chapter III (Arts. 12-23) and Romanian Law 190/2018, you have the rights listed below. All are exercisable by emailing privacy@k-dence.app. Most are also exercisable directly in-app (see column 3).

Right (GDPR Article) What it means How to exercise
Right of access (Art. 15) Get a copy of the personal data we hold about you Email privacy@k-dence.app
Right to rectification (Art. 16) Correct inaccurate data Edit your profile in-app, or email privacy@k-dence.app
Right to erasure / "right to be forgotten" (Art. 17) Delete your account and all associated data In-app: Settings → Danger Zone → Delete Account. Or email privacy@k-dence.app
Right to restriction of processing (Art. 18) Freeze processing while a dispute is resolved Email privacy@k-dence.app
Right to data portability (Art. 20) Receive your data in a machine-readable format (JSON) Email privacy@k-dence.app
Right to object (Art. 21) Object to processing based on legitimate interest For analytics: Settings toggle. For other categories: email privacy@k-dence.app
Right to withdraw consent (Art. 7(3)) Withdraw consent for consent-based processing Settings → Privacy → "Share usage data" toggle
Right not to be subject to automated decisions (Art. 22) Not applicable — Kdence does not make legally-significant decisions about you automatically
Right to lodge a complaint (Art. 77) Complain to a supervisory authority ANSPDCP (Romania) or your local EU/EEA authority

Response time: within 30 days of receiving your request, extendable by up to 60 additional days for complex requests (with prior notice explaining the reason).

Fee: free of charge for reasonable, well-founded requests. GDPR Art. 12(5) allows us to charge a fee or refuse a request that is "manifestly unfounded or excessive" (e.g. repetitive or vexatious), but in practice we handle this by explaining our reasoning and giving you an opportunity to clarify.

Identity verification: we may ask you to verify your identity before acting on a request (Art. 12(6)) — typically by asking you to confirm the request from the email address associated with your account.


4. Automated decision-making and profiling

Kdence does not make legally-significant or similarly-significant automated decisions about you.

We have considered an intelligence layer that would compute patterns from your own data and surface them to you as insights ("your evening completion rate is 40% vs 92% in the morning"). We may or may not build it — it is not a commitment. If we do, those insights would be:

If a future feature crosses the line into automated decision-making (e.g. an AI that automatically reschedules your tasks without asking), we will:

  1. Update this document to disclose it.
  2. Ensure you have meaningful human intervention available (Art. 22(3)).
  3. Provide an easy way to opt out or override.

5. International data transfers

Kdence's primary data storage is within the EU:

One processor is outside the EU:

For this transfer, we rely on:

If any of the above become invalid (e.g. a future Schrems ruling invalidates SCCs to the US, as happened with Privacy Shield), we will:

  1. Assess whether we can migrate the workload to an EU-based alternative.
  2. If migration is not feasible, disclose the transfer risk in this document and give you the option to delete your account without penalty.

You have the right to a copy of the transfer safeguards on request (Art. 46(2)) — email privacy@k-dence.app.


6. Data breach notification

If a personal-data breach affecting EU/EEA users occurs, we will:

The notification will include: the nature of the breach, categories and approximate number of users affected, likely consequences, measures taken to address the breach, and contact information for further questions.


7. Children's data

Under Romanian Law 190/2018 Art. 8, the age of digital consent is 16. Kdence is not intended for users under 16.

We do not knowingly collect personal data from users under 16. If you believe a child under 16 has provided us with data, please email privacy@k-dence.app and we will delete it and remove the account.


8. Records of processing (Art. 30)

GDPR Art. 30 requires controllers to maintain records of processing activities. Our record is a simple table maintained in the developer's project repository and available on request from a competent supervisory authority. It is not published publicly but is available under Art. 30(4) to authorities on request.

Because Kdence operates below the threshold of Art. 30(5) (fewer than 250 employees, no regular processing of high-risk data), the record-keeping obligation is technically discretionary — but we maintain one anyway as good practice.


9. Complaints and supervisory authority

If you have a complaint about how we process your data, please contact us first at privacy@k-dence.app. We aim to resolve most concerns informally and quickly.

If you remain unsatisfied, you have the right to lodge a complaint with a supervisory authority. For users in Romania, this is:

ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) dataprotection.ro B-dul G-ral. Gheorghe Magheru 28-30 Sector 1, Bucharest 010336, Romania Phone: +40 318 059 211 Email: anspdcp@dataprotection.ro

Users outside Romania but within the EU/EEA may lodge a complaint with the supervisory authority of their country of residence, workplace, or the place of the alleged infringement (GDPR Art. 77(1)).

A directory of EU supervisory authorities is available at: edpb.europa.eu/about-edpb/board/members_en.


10. Changes to this addendum

Material changes to this document (things that affect your rights) will be notified in-app before they take effect. Non-material changes will be published to this page with an updated "Effective date" at the top.


11. Contact

For any GDPR-related question, request, or complaint:

privacy@k-dence.app

Response within 30 days.