Kdence — GDPR Addendum
Effective date: 14 July 2026
About this document: This addendum sits alongside the Privacy Policy and provides the structured legal-basis + user-rights detail required by the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Romania's implementing Law 190/2018.
If anything here conflicts with the Privacy Policy, this addendum is the authoritative source for EU/EEA users.
1. Data controller
The data controller for personal data processed through Kdence is:
George Zoiade Romania
Contact for data-protection matters: privacy@k-dence.app
Kdence is a solo-developed application. There is no separate data-protection officer (DPO) — the developer serves as the direct point of contact for all data-protection matters, which is permitted under GDPR Art. 37 for organizations that do not meet the mandatory-DPO criteria (Kdence does not process special-category data at scale, does not engage in systematic monitoring, and is not a public authority).
2. Legal bases for processing
Under GDPR Art. 6, we process personal data on the following legal bases. Each category of data has one designated legal basis.
| Data category | Purpose | GDPR Art. 6 legal basis |
|---|---|---|
| Task / goal / focus / reflection content you create | Delivering the core service you signed up for | (1)(b) Performance of a contract |
| Onboarding profile (daily minutes, improvement areas, work schedule) | Personalizing the app's suggestions to your context | (1)(b) Performance of a contract |
| Email address (registered users) | Authentication, account recovery, service-critical notifications | (1)(b) Performance of a contract |
| Analytics events (opted-in EU/EEA users) | Understanding which features actually help users build habits, improving the product | (1)(a) Consent |
| Analytics events (users outside the EU/EEA) | Same as above | (1)(f) Legitimate interest in improving the product |
| Crash reports (Firebase Crashlytics) | Diagnosing and fixing bugs | (1)(f) Legitimate interest in delivering a working app |
| Authentication logs | Fraud prevention, security incident investigation | (1)(f) Legitimate interest in service security |
Consent-based processing (analytics events for EU/EEA users): consent is:
- Freely given — the app functions fully without it. You can decline and use every feature.
- Specific — the toggle covers analytics events only, not other processing.
- Informed — the onboarding step explains what analytics events cover and links to this policy before asking.
- Unambiguous — the toggle is off by default; opting in requires a deliberate tap.
- Withdrawable — you can revoke it any time in Settings → Privacy → "Share usage data". Withdrawal is effective from the next event; already-recorded events are retained per the retention policy (see Section 5 of the Privacy Policy) or deleted immediately on request.
Legitimate-interest processing (crash reports, authentication logs): we have conducted a legitimate-interest assessment (LIA) balancing our interest against your rights. Both are low-intrusion, technical operations essential to running a reliable and secure app. If you want to see the LIA reasoning, email privacy@k-dence.app.
3. Your rights under GDPR
Under GDPR Chapter III (Arts. 12-23) and Romanian Law 190/2018, you have the rights listed below. All are exercisable by emailing privacy@k-dence.app. Most are also exercisable directly in-app (see column 3).
| Right (GDPR Article) | What it means | How to exercise |
|---|---|---|
| Right of access (Art. 15) | Get a copy of the personal data we hold about you | Email privacy@k-dence.app |
| Right to rectification (Art. 16) | Correct inaccurate data | Edit your profile in-app, or email privacy@k-dence.app |
| Right to erasure / "right to be forgotten" (Art. 17) | Delete your account and all associated data | In-app: Settings → Danger Zone → Delete Account. Or email privacy@k-dence.app |
| Right to restriction of processing (Art. 18) | Freeze processing while a dispute is resolved | Email privacy@k-dence.app |
| Right to data portability (Art. 20) | Receive your data in a machine-readable format (JSON) | Email privacy@k-dence.app |
| Right to object (Art. 21) | Object to processing based on legitimate interest | For analytics: Settings toggle. For other categories: email privacy@k-dence.app |
| Right to withdraw consent (Art. 7(3)) | Withdraw consent for consent-based processing | Settings → Privacy → "Share usage data" toggle |
| Right not to be subject to automated decisions (Art. 22) | Not applicable — Kdence does not make legally-significant decisions about you automatically | — |
| Right to lodge a complaint (Art. 77) | Complain to a supervisory authority | ANSPDCP (Romania) or your local EU/EEA authority |
Response time: within 30 days of receiving your request, extendable by up to 60 additional days for complex requests (with prior notice explaining the reason).
Fee: free of charge for reasonable, well-founded requests. GDPR Art. 12(5) allows us to charge a fee or refuse a request that is "manifestly unfounded or excessive" (e.g. repetitive or vexatious), but in practice we handle this by explaining our reasoning and giving you an opportunity to clarify.
Identity verification: we may ask you to verify your identity before acting on a request (Art. 12(6)) — typically by asking you to confirm the request from the email address associated with your account.
4. Automated decision-making and profiling
Kdence does not make legally-significant or similarly-significant automated decisions about you.
We have considered an intelligence layer that would compute patterns from your own data and surface them to you as insights ("your evening completion rate is 40% vs 92% in the morning"). We may or may not build it — it is not a commitment. If we do, those insights would be:
- Informational only — they suggest, they don't decide.
- Reversible — you can dismiss any insight, and you control whether the analytics feeding them are collected at all.
- Locally computed — the rule engine runs on your device against your own data. No cross-user profiling.
If a future feature crosses the line into automated decision-making (e.g. an AI that automatically reschedules your tasks without asking), we will:
- Update this document to disclose it.
- Ensure you have meaningful human intervention available (Art. 22(3)).
- Provide an easy way to opt out or override.
5. International data transfers
Kdence's primary data storage is within the EU:
- Supabase (main database and authentication) — data resides in the Frankfurt, Germany region.
One processor is outside the EU:
- Firebase / Google (analytics, crash reports, Google Sign-In) — global Google infrastructure; effectively USA.
For this transfer, we rely on:
- European Commission Standard Contractual Clauses (SCCs) — the current baseline mechanism under GDPR Art. 46(2)(c). Google publishes SCC agreements that we accept as part of using their services.
- Data Privacy Framework (DPF) — Google is certified under the EU-US Data Privacy Framework.
If any of the above become invalid (e.g. a future Schrems ruling invalidates SCCs to the US, as happened with Privacy Shield), we will:
- Assess whether we can migrate the workload to an EU-based alternative.
- If migration is not feasible, disclose the transfer risk in this document and give you the option to delete your account without penalty.
You have the right to a copy of the transfer safeguards on request (Art. 46(2)) — email privacy@k-dence.app.
6. Data breach notification
If a personal-data breach affecting EU/EEA users occurs, we will:
- Within 72 hours of becoming aware, notify ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) as required by GDPR Art. 33.
- Without undue delay, notify affected users directly (via email and in-app notification) if the breach is likely to result in a high risk to their rights and freedoms (Art. 34).
- Publish a public notice on our website if we cannot reach all affected users individually.
The notification will include: the nature of the breach, categories and approximate number of users affected, likely consequences, measures taken to address the breach, and contact information for further questions.
7. Children's data
Under Romanian Law 190/2018 Art. 8, the age of digital consent is 16. Kdence is not intended for users under 16.
We do not knowingly collect personal data from users under 16. If you believe a child under 16 has provided us with data, please email privacy@k-dence.app and we will delete it and remove the account.
8. Records of processing (Art. 30)
GDPR Art. 30 requires controllers to maintain records of processing activities. Our record is a simple table maintained in the developer's project repository and available on request from a competent supervisory authority. It is not published publicly but is available under Art. 30(4) to authorities on request.
Because Kdence operates below the threshold of Art. 30(5) (fewer than 250 employees, no regular processing of high-risk data), the record-keeping obligation is technically discretionary — but we maintain one anyway as good practice.
9. Complaints and supervisory authority
If you have a complaint about how we process your data, please contact us first at privacy@k-dence.app. We aim to resolve most concerns informally and quickly.
If you remain unsatisfied, you have the right to lodge a complaint with a supervisory authority. For users in Romania, this is:
ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
dataprotection.ro
B-dul G-ral. Gheorghe Magheru 28-30
Sector 1, Bucharest 010336, Romania
Phone: +40 318 059 211
Email: anspdcp@dataprotection.ro
Users outside Romania but within the EU/EEA may lodge a complaint with the supervisory authority of their country of residence, workplace, or the place of the alleged infringement (GDPR Art. 77(1)).
A directory of EU supervisory authorities is available at: edpb.europa.eu/about-edpb/board/members_en.
10. Changes to this addendum
Material changes to this document (things that affect your rights) will be notified in-app before they take effect. Non-material changes will be published to this page with an updated "Effective date" at the top.
11. Contact
For any GDPR-related question, request, or complaint:
privacy@k-dence.app
Response within 30 days.