Legal

Privacy Policy

GryphonHeart LLC · Effective: [INSERT DATE BEFORE PUBLISHING]

The short version: Koda is built around the principle that your conversations are private. We collect the minimum data necessary to run the service. We do not sell your data, run ads, or build behavioural profiles. Messages in E2EE channels are encrypted on your device — we cannot read them.

This Privacy Policy explains what information GryphonHeart LLC (“Koda,” “we,” “us,” or “our”) collects, how we use it, and the choices you have. By using the Koda Service, you agree to the practices described in this Policy.

1. What We Collect

1.1 Account information

When you create an account, we collect your username, email address, and password (stored as a hashed, irreversible value — we never store your password in plaintext). You may optionally provide a display name, avatar, and status message.

1.2 Message content

In channels and direct messages where end-to-end encryption (E2EE) is active, message content is encrypted on your device before transmission. We store only the ciphertext. We cannot read your messages, and we do not attempt to.

In channels where E2EE is not active (such as certain public announcement channels where a server operator has explicitly disabled it), message content is stored on our servers and is readable by GryphonHeart in the course of operating the Service and responding to legal obligations.

1.3 Technical and operational data

We collect limited technical information necessary to operate the Service, including:

  • IP addresses (used for security, rate limiting, and fraud prevention; not linked to message content)
  • Device type and operating system (used for debugging and compatibility)
  • Application version (used for compatibility and support)
  • Connection timestamps (used for session management and security)
  • Error reports and crash logs (used to identify and fix bugs)

1.4 Server and community data

If you create or administer a server on Koda, we store server names, descriptions, channel configurations, roles, and member lists. This information is necessary to operate the community features of the Service.

1.5 Payment information

If you make or receive payments through the Koda Marketplace, payment processing is handled by a third-party payment processor (currently Stripe). GryphonHeart does not store full payment card numbers. We receive and retain transaction records including amounts, dates, and status for accounting and legal purposes.

2. What We Do Not Collect

  • We do not collect or store your voice or video call content. Voice channels route encrypted audio that we cannot decode.
  • We do not build behavioural profiles for advertising.
  • We do not sell your personal data to any third party.
  • We do not run advertisements on Koda. There is no ad targeting system.
  • We do not use tracking pixels, advertising cookies, or third-party analytics that share your data with advertisers.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Koda Service
  • Authenticate your account and keep it secure
  • Detect and prevent fraud, abuse, and violations of our Terms
  • Process transactions and manage marketplace activity
  • Respond to your support requests and communications
  • Send you transactional emails (account security alerts, password resets)
  • Improve the performance and reliability of the Service
  • Comply with applicable legal obligations

We do not use your information for targeted advertising, and we do not share your data with advertising networks.

4. How We Share Your Information

We do not sell, trade, or rent your personal information. We may share your information in the following limited circumstances:

4.1 Service providers

We use a limited number of trusted third-party service providers to help operate the Service, including payment processing (Stripe), email delivery, and cloud infrastructure. These providers are contractually required to use your data only to provide services to us and may not use it for their own purposes.

4.2 Legal requirements

We may disclose your information if required to do so by law or in the good-faith belief that such disclosure is necessary to comply with a legal obligation, protect the rights or safety of GryphonHeart or its users, or investigate potential violations of our Terms.

Because E2EE message content is encrypted and we do not possess the decryption keys, we cannot provide the plaintext content of E2EE messages to law enforcement even under legal compulsion.

4.3 Business transfers

In the event of a merger, acquisition, or sale of GryphonHeart LLC, your information may be transferred to the acquiring entity. We will provide notice before your information becomes subject to a different privacy policy.

5. Data Retention

We retain your account information for as long as your account is active. If you close your account, we will delete your personal data within 90 days, except where we are required to retain it for legal or tax purposes.

Message content stored in E2EE channels (ciphertext) is retained as long as the server exists. Server owners may delete channels and their history at any time. Non-E2EE message content is also retained while the server exists and may be deleted by server owners.

6. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal data, including the right to:

  • Access: request a copy of the data we hold about you
  • Correction: request that we correct inaccurate data
  • Deletion: request that we delete your account and associated data
  • Portability: receive your data in a portable format
  • Objection: object to certain processing of your data

To exercise any of these rights, contact us at privacy@koda.fyi. We will respond to verifiable requests within 30 days.

7. Security

We implement technical and organisational security measures to protect your information. These include end-to-end encryption for message content, hashed password storage, TLS for all data in transit, and access controls limiting which GryphonHeart personnel can access production systems.

No security measure is perfect. If you believe your account has been compromised, contact us immediately at security@koda.fyi.

8. Children’s Privacy

The Koda Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected such information, we will delete it promptly. If you believe a child under 13 is using the Service, contact us at privacy@koda.fyi.

9. International Data Transfers

GryphonHeart LLC is based in the United States. If you use the Service from outside the United States, your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to such transfer.

10. Cookies

The Koda desktop application does not use third-party advertising cookies. If you access Koda via a web browser, we use session cookies strictly necessary for authentication. We do not use tracking or analytics cookies that share data with third parties.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the Service or by email at least 14 days before the changes take effect. Your continued use of the Service after that date constitutes acceptance of the updated Policy.

12. Contact

For privacy-related questions or requests:

Privacy requests
privacy@koda.fyi
Security concerns
security@koda.fyi
General contact
support@koda.fyi
Mailing address
GryphonHeart LLC
[INSERT ADDRESS]