Privacy
Last updated: June 18, 2026
Plain-language version below. Legal-style policy further down.
What's actually true
- Your data lives on your phone. Calendar, reminders, health, location patterns, journal entries, chat history, and memo edits all stay in a local SQLite file on your device.
- The backend stores only what it has to. Your email (for sign in), subscription status, connected banks, mirrored transactions, and AI usage counters. That's it.
- AI features are off by default for new installs. Until you explicitly turn on a switch for a category, nothing in that category leaves the device for AI use.
- What's tokenized. Bank account names are replaced with opaque IDs before being sent to Claude (you see "Wells Fargo Checking," the AI sees "ACCT_3"), then mapped back on display.
- What's not tokenized. Everything else in an enabled category goes to Claude as-is: contact names, transaction payees, event titles, journal text. We do this so the AI can say "Sarah's birthday is in 3 days" instead of "CONTACT_47's birthday is in 3 days."
- Anthropic doesn't train on it. Claude's API policy excludes training from API traffic.
- Apple is the iCloud sync custodian. Journal entries, workout notes, and briefs sync through your private CloudKit database, end-to-end encrypted by Apple. Neither Koda nor Apple can read this content.
- No analytics SDKs, no ad networks, no third-party trackers. We do not sell, share, license, or otherwise monetize your data.
What we collect
On-device only (never sent anywhere by Koda):
- Calendar events and reminders, read from EventKit
- Health metrics from HealthKit (sleep, workouts, heart rate, activity rings, etc.)
- Contacts (only when you tap a birthday to call or text; read once at tap time, never stored)
- Location visits if you enable location features (coarsened to ~100m, logged locally only)
- Journal entries and workout notes you write
- Memos you add to transactions
- Chat history with the assistant
- Derived patterns and observations Koda's local analysis layer computes from the data above (e.g. "your dining spend is up vs. recent weeks")
Backend (Koda's servers on Supabase):
- Your email or Hide My Email relay
- Subscription state
- Banks you've connected via Plaid, and the transactions / balances they return
- Aggregate usage counters for AI quota enforcement
That's the complete list. Notably not on Supabase: briefs, chat history, journal entries, workout notes, calendar, reminders, contacts, health, location. Briefs sync through Apple's iCloud private database (next section); everything else stays on your device.
iCloud (Apple's private CloudKit, end-to-end encrypted, not visible to Koda):
- Journal entries
- Workout notes
- Briefs
What goes to AI features
When you've enabled an AI access toggle in Settings → Data & privacy, the corresponding category becomes available to Koda's chat and brief features. Here's exactly what each one sends:
Calendar. Event titles, times, locations, attendee names. Reminder titles and due dates. Used for "what's on my day" framing and time-conflict awareness.
Contacts. Names of contacts with upcoming birthdays. Used in the birthdays card and the morning brief.
Health. Daily aggregates only: total sleep, sleep stages, steps, workout count and minutes, HRV, resting heart rate, activity ring closure. No raw HealthKit samples.
Money. Account names (tokenized to opaque IDs before sending), recent transactions including payee names and amounts, monthly spend totals, budget category names.
Location. Approximate current location (city or neighborhood, not precise coordinates). Weather conditions for your area.
About Me. Your free-text notes from Settings → About Me, included in the system prompt so the assistant can use stable facts about you.
Journal. Recent journal entries you've written from wind-down briefs or capture.
The destination for all of these is Anthropic's API. Anthropic does not use API traffic to train models. They're SOC 2 Type II and ISO 27001 certified.
Turning a toggle off means that category's data literally never leaves your device for AI use. The Today / Money / Health tabs in the app continue to work normally; the assistant just won't see that information.
Derived patterns and local analysis
Koda periodically runs analysis on your own data to surface behavioral patterns that would otherwise require you to compare weeks of history yourself. Examples include:
- "Spend on dining is up 38% versus the prior 3 weeks"
- "Sunday sleep tends to run 45 minutes shorter than your usual"
- "8 days since your last workout; usual is every 3 days"
Where the analysis runs. Entirely on your device. The pattern detector reads from your local Koda database, computes findings, and stores them in a local table. None of this analysis runs on our servers and none of it requires a network connection.
Where the patterns are stored. In the same on-device SQLite database that holds the rest of your local data. They're never written to Koda's backend.
When the patterns are included in AI requests. When you have an AI feature toggle on (Settings → Data & privacy → AI access), Koda includes relevant patterns in the prompt sent to Anthropic alongside the underlying data — the same way calendar events or transaction details are included for that category. Each pattern is tied to one data domain (sleep patterns require Health on, spend patterns require Money on, etc.), and patterns from disabled domains are filtered out before any AI call.
When the patterns are deleted. Patterns refresh every time Koda syncs, so each pattern overwrites the previous one for its category. Account deletion via Settings → Delete account removes every stored pattern alongside the rest of your local data.
Why this matters. A derived pattern (a behavioral profile) is in some ways more identifying than the raw data it came from — "this user's dining spend correlates with stressful work weeks" is a more concentrated observation than any single transaction row. We surface this analysis explicitly so you know it's happening, even though no new data leaves your device because of it.
Third parties
We use these external services. Each one is named here so you know exactly who touches what.
Apple. Sign in with Apple for authentication. HealthKit, EventKit, CoreLocation, and CloudKit for on-device data and Apple-encrypted sync. Apple WeatherKit for forecasts. StoreKit 2 for subscription billing. Apple's privacy policy applies to data it handles.
Plaid. Bank connections. You enter bank credentials directly into Plaid's interface; Koda never sees them. Plaid sends transaction and balance data to our backend. Plaid is SOC 2 Type II audited and certified to ISO 27001, ISO 27018, and ISO 9001.
Supabase. Our backend infrastructure. Stores account email, subscription state, connected banks, mirrored transactions, and AI usage counters. Per-row security policies enforce that only your account can read your data. SOC 2 Type II audited. Data at rest is AES-256 encrypted; in transit, TLS 1.2 or higher.
Anthropic. Claude API for the chat and brief features (Premium only). Receives only the data categories you've enabled in Settings → Data & privacy. No training on API traffic. SOC 2 Type II and ISO 27001 certified.
We do not integrate with: Google Analytics, Mixpanel, Amplitude, Segment, Facebook, Branch, Adjust, AppsFlyer, Firebase, Sentry, or any other behavior-tracking or attribution service.
Children
Koda is not intended for users under 13. We don't knowingly collect data from anyone under 13, and we don't market or design the app for children. If you believe a child has created a Koda account, email privacy@hellokoda.app and we'll delete the account and any associated data. Users in jurisdictions with a higher minimum digital-consent age (the EU is 13 to 16 depending on the country) should follow their local minimum.
Notifications
Koda can send notifications to keep you informed about your day, your money, and a few life events that are easy to miss. Every notification type is off by default and independently controllable — turning one on doesn't turn on the others.
What notifications Koda can send:
- Daily brief is ready — at the time of day you choose
- Weekly recap is ready — Sunday evening
- Heads-up the day before a birthday — at 9 AM the day before a contact's birthday
- Bank needs reconnection — when one of your linked bank connections needs you to re-authenticate
Local-only. All Koda notifications are generated on your device. We do not run a push-notification server, and Koda does not register for Apple Push Notification Service (APNs). Nothing about which notifications you receive or when you receive them is ever transmitted to our servers.
Permission timing. iOS asks for notification permission only when you toggle your first Koda notification on — never at app launch and never during onboarding. If you don't enable any notifications, the system permission prompt never appears.
How to change it later. Open Koda → Settings → Notifications to turn individual notification types on or off at any time. You can also revoke Koda's notification permission entirely in iOS Settings → Notifications → Koda.
Your rights
- See what we have: Settings → Data & privacy shows row counts for the data Koda has stored about you. Settings → Data & privacy → Where your data goes is the comprehensive disclosure.
- Export: export of your local data is on the roadmap. Contact us in the meantime and we'll help.
- Delete your account: Settings → Delete account permanently removes everything stored on our backend, signs you out, and unlinks your bank connections. This action is final.
- Disconnect a bank: Settings → Banks → tap institution → Disconnect (Premium only). Removes the bank from our backend and revokes Plaid's access token.
- Stop iCloud sync: turn off iCloud Drive in iOS Settings, or turn off Koda specifically in iOS Settings → Apple ID → iCloud.
Changes
If we change this policy, the "last updated" date above changes too. Substantive changes (new third party, new data category, change to what we send) trigger an in-app notice the next time you open Koda.
Contact
Privacy questions: privacy@hellokoda.app
General support: support@hellokoda.app
Security disclosures: security@hellokoda.app
Legal notices: legal@hellokoda.app
Legal entity: Tectonic MVMT Labs LLC