Kdence — Privacy Policy
Effective date: 14 July 2026
Data controller: George Zoiade, Romania.
Contact for privacy matters: privacy@k-dence.app
1. In plain language
Kdence helps you plan and track personal tasks, goals, focus time, and weekly reflections. To make the app work — and to improve it over time — we collect a small amount of information about how you use it. Here's the short version:
- The content of your tasks, goals, reflections, and focus notes never leaves your device unless you sign in to sync it to our servers (Supabase). Even then, it's yours — you can delete it any time.
- We collect anonymous usage events (which screens you open, which buttons you tap) to understand which features actually help people. You can turn this off in Settings, and there's a step during onboarding to make the choice explicit.
- We do not sell your data, we do not share it with advertisers, and we do not use tracking identifiers across other apps or websites.
- You can request a copy of your data or delete your account at any time. Deletion is permanent.
This document explains the details.
2. Who runs Kdence
Kdence is developed and operated as a solo project by:
George Zoiade Romania
Contact for anything privacy-related: privacy@k-dence.app
For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Romanian Law 190/2018, I am the data controller for the personal data processed through Kdence.
3. What we collect and why
3.1 Data you enter yourself
When you use Kdence, you create tasks, goals, reflections, and focus sessions. This content lives on your device (in the app's local database). If you're signed in, it's also synced to our cloud database (Supabase) so it survives across devices and reinstalls.
We collect this because it's literally what the app is for. Without it, there's nothing to display.
Legal basis (GDPR Art. 6(1)(b)): performance of the service you asked for.
3.2 Account and profile data
During onboarding we ask a small set of profiling questions:
- Daily available minutes (how much time you have for productive activities)
- Improvement areas (categories like "Health & Fitness", "Learning")
- Work type (employed / self-employed / student / etc.)
- Work schedule (fixed hours, shifts, or flexible)
If you sign in with email or Google, we also collect:
- Email address
- Display name (if you choose one)
- Google user ID (if you use Google Sign-In)
We use this to personalize the app's suggestions (e.g. scheduling advice that matches your work hours) and to sign you in on other devices.
Legal basis (GDPR Art. 6(1)(b)): performance of the service.
3.3 Usage analytics (opt-in during onboarding for EU users, on by default elsewhere)
We record anonymous events about how you interact with the app: which screens you open, which buttons you tap, when you complete a task, when you finish a focus session, when a streak breaks. These events help us understand which features actually help people build habits — and which ones don't.
What the events contain: durable IDs (task ID, category ID), enums (priority, time segment), and numeric counts (elapsed minutes, streak length).
What they never contain: the text of your tasks, goals, or reflections. Payloads are restricted to structural data by design — free-form text never enters the analytics pipeline.
We use two systems to store this:
- Firebase Analytics (Google) — for high-level product metrics and crash reports. Firebase's advertising-identifier collection is explicitly disabled, so this is not "tracking" in the sense of Apple's App Tracking Transparency framework.
- Supabase (our own database) — for detailed product-improvement analysis. Data stays within the EU (Frankfurt region).
You can turn this off at any time in Settings → Privacy → "Share usage data". For users in the EU/EEA, the onboarding flow asks you to explicitly opt in; the default is off.
Legal basis (GDPR Art. 6(1)(a) or (f)): your consent (EU/EEA) or our legitimate interest in improving the product (elsewhere). If you turn it off, we stop collecting these events immediately.
3.4 Diagnostic data
If the app crashes or hits an unexpected error, Firebase Crashlytics records a report so we can find and fix the bug. Reports include the device model, OS version, and a stack trace — no personal content from your tasks or reflections.
Legal basis (GDPR Art. 6(1)(f)): legitimate interest in delivering a working app.
3.5 Data we don't collect
For clarity, here's what Kdence does not collect:
- Your location (precise or approximate)
- Your contacts, calendar, photos, or files
- Your device's advertising identifier (IDFA, GAID)
- Any biometric data
- Your browsing history in other apps
- Data purchased or received from third-party data brokers
4. Who else sees your data
Kdence uses two third-party service providers to operate. Each processes data on our behalf under a written data-processing agreement.
| Provider | Purpose | Where data is stored | Their privacy policy |
|---|---|---|---|
| Supabase (Supabase Inc., USA / EU) | Cloud database + authentication | EU (Frankfurt region) | supabase.com/privacy |
| Firebase / Google (Google LLC, USA) | Crash reports + high-level analytics | Global (Google-controlled) | policies.google.com/privacy |
We do not sell your data to anyone. We do not share your data with advertisers.
For transfers of data outside the EU/EEA (Firebase), the transfers rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent GDPR-approved mechanisms.
5. How long we keep your data
- Data you enter (tasks, goals, focus sessions, reflections): kept for as long as you have an active account. Deleted when you delete your account.
- Analytics events (opted-in users): kept for as long as you have an active account, OR for 24 months from your last activity, whichever comes first. Dormant accounts are cleaned up automatically after 24 months of inactivity.
- Aggregate analytics (counts, funnels — no user ID attached): kept indefinitely for product research.
- Crash reports: kept for 90 days (Firebase default).
- Authentication records: kept for as long as your account exists, plus 30 days after deletion for fraud-prevention purposes, then permanently deleted.
You can trigger immediate deletion at any time — see Section 7.
6. Where your data is stored
- On your device: in the app's local SQLite database (Drift). Encrypted at rest by the operating system.
- In our cloud (only if you're signed in): Supabase in the EU Frankfurt region. Encrypted at rest by Supabase and in transit via TLS.
- Firebase / Crashlytics: Google's global infrastructure. Encrypted at rest and in transit.
- In your device's own backup: if you use your platform's device backup — Android Backup (to your Google Drive) or iCloud Backup on iOS — the app's local database is included, so your data survives a phone upgrade or a new device. This is your backup, not ours: we have no access to it and cannot read, restore, or delete it. Android backups are end-to-end encrypted with your device's lock-screen PIN or pattern, which Google cannot read. Apple's iCloud Backup is encrypted in transit and at rest, and is end-to-end encrypted only if you have turned on Advanced Data Protection. You can exclude Kdence from device backups in your operating system's settings.
7. Your rights
Under GDPR and Romanian Law 190/2018, you have the following rights over your personal data. You can exercise any of them by emailing privacy@k-dence.app. We respond within 30 days (extendable by 60 more days if the request is complex, with prior notice).
- Right of access — you can ask us for a copy of everything we hold about you.
- Right to rectification — if any of it is wrong, we'll fix it.
- Right to erasure — you can ask us to delete your account and all associated data. You can also do this in-app via Settings → Danger Zone → Delete Account (this is the fastest path).
- Right to restriction of processing — you can ask us to freeze processing while a dispute is resolved.
- Right to data portability — you can ask for your data in a machine-readable format.
- Right to object — you can object to processing based on legitimate interest. For the analytics opt-out, use the Settings toggle; it takes effect immediately.
- Right to withdraw consent — where processing is based on consent (EU/EEA analytics), you can withdraw it at any time via Settings.
- Right to lodge a complaint — if you're unhappy with how we've handled your data, you can complain to the Romanian data-protection authority (ANSPDCP) at dataprotection.ro or your local EU data-protection authority.
Requests are free of charge. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse — but this is rare and we'll explain the reason.
More detail: the GDPR Addendum sets out the legal basis for each category of processing and the precise mechanism for exercising each right. For EU/EEA users, it is the authoritative source wherever it and this policy differ.
8. What happens when you delete your account
When you tap Settings → Danger Zone → Delete Account:
- All your tasks, goals, focus sessions, reflections, categories, and profile data are permanently deleted from the local device and from our Supabase database. This is immediate and irreversible.
- Your analytics event history is purged from our Supabase
user_engagement_eventstable. - Your Firebase Analytics record is anonymized (Google's data-retention controls handle the final deletion within 60 days).
- Your authentication record is retained for 30 days for fraud-prevention purposes, then permanently deleted.
- You'll be signed out on all devices.
If you'd rather delete a specific piece of data (a single task, goal, etc.) without deleting your whole account, use the in-app delete on that item.
9. Children
Kdence is not intended for children under 16. This is aligned with Romanian Law 190/2018 Art. 8, which sets the digital-consent age at 16.
By using Kdence, you confirm you are at least 16 years old, or that you have permission from a parent or legal guardian.
If you're a parent or guardian and you believe your child under 16 has provided us data, please email privacy@k-dence.app and we will delete it.
10. Cookies and tracking technologies
The Kdence mobile app does not use cookies.
Our public marketing website (k-dence.app), if any, may use minimal privacy-friendly analytics (e.g. server-side counts). Any cookies used there will be disclosed in a separate cookie notice on the site itself.
We do not use tracking pixels, ad networks, or cross-app tracking identifiers.
11. Security
We take reasonable technical and organizational measures to protect your data:
- Data in transit is encrypted with TLS (HTTPS everywhere).
- Data at rest is encrypted by the underlying storage (device OS, Supabase, Firebase).
- Access to production databases is restricted to the developer (George Zoiade) via strong authentication.
- We do not store passwords in plain text — authentication is handled by Supabase's built-in secure password hashing.
No system is perfectly secure. In the event of a data breach affecting your personal data, we will notify you and the Romanian data-protection authority (ANSPDCP) within 72 hours of discovery, as required by GDPR.
12. Changes to this policy
We may update this policy from time to time — for example, when we add new features or change service providers. Material changes will be communicated in-app before they take effect. Non-material updates (typos, clarifications) will be published to this page with an updated "Effective date" at the top.
Older versions of this policy are archived in the app's public repository.
13. Contact
For anything privacy-related — questions, requests, complaints — email:
privacy@k-dence.app
Response time: within 30 days of your request.
If you're not satisfied with our response, you can lodge a complaint with:
ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) dataprotection.ro B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
Or your local EU/EEA data-protection authority if you're outside Romania.