Privacy Policy

Privacy Policy for Kithora

Last updated: March 2026

Welcome to Kithora. We believe that your private moments, plans, and data belong to you. That's why we built Kithora as a local-first application. Unlike conventional cloud apps, we don't store your personal data on central servers to analyze or sell it. Your device is your vault.

This privacy policy explains how we collect, use, and protect data when you use our mobile application and our website. The data controller within the meaning of the GDPR is:

Arndt Lehmann
Glück-Auf-Straße 41, 09394 Hohndorf, Germany
Email: [email protected]

1. The Local-First Principle & Data Storage

Kithora is based on a decentralized architecture. This means:

No Accounts: You don't need to create a user account with an email or phone number. We don't know your identity.
Local Storage: All content (Koras, Steps, Finances, Photos) is primarily stored locally on your device.
Encrypted Backups: Your data is encrypted and stored in our sync infrastructure so you can restore it on a new device. We have no access to the unencrypted content.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) — local storage and encrypted synchronization are an essential part of the service you use.

2. Synchronization & Encryption

To exchange data between different devices (e.g., within a group), Kithora uses an encrypted sync infrastructure.

Encrypted Data Only: Our sync servers act as blind couriers. They store and transmit encrypted data packets without being able to read the content.
End-to-End Encryption (E2E): All data that leaves your device is encrypted. Only the devices in your group (Kith) possess the key to decrypt it.
Persistent Storage: Encrypted data is stored on our servers to enable synchronization between devices and restoration on new devices. Since the data is end-to-end encrypted, neither we nor any third parties can read the content.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

3. Hosting & Server Logs

Our website and services are operated on our own or rented servers within the EU. Each time our website or app services are accessed, the following data is automatically recorded in server log files:

IP address of the accessing device
Date and time of access
Requested URL / endpoint
Amount of data transferred
Browser type and version (for web access)
Operating system

This data is processed exclusively to ensure smooth operation, detect and prevent attacks, and for technical optimization. It is not merged with other data sources. Log files are automatically deleted after 30 days.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security and stability of the service).

No external CDN services (Content Delivery Networks) are used. All resources required for the website (fonts, scripts, stylesheets) are served directly from our own server. This means no data is transferred to third-party servers when accessing our website.

4. Cookies

Our website uses only technically necessary cookies:

Session Cookie: Used to associate your session and is deleted when you close your browser.
CSRF Token Cookie: Protects forms against Cross-Site Request Forgery attacks. Deleted when you close your browser.

These cookies are strictly necessary for the operation of the website. No tracking, analytics, or advertising cookies are used. Therefore, no separate consent is required.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest) in conjunction with § 25(2) No. 2 TDDDG (technically necessary cookies).

5. Subscriptions & Purchases (RevenueCat)

To manage subscriptions (Kithora Premium, Hero Sponsorship) and in-app purchases, we use the service provider RevenueCat, Inc., 633 Tarava St Ste 101, San Francisco, CA 94116, USA.

Anonymous Device ID: To verify and restore your purchase status (e.g., "Free", "Premium", "Hero"), we transmit an anonymized device ID or a generated app user ID to RevenueCat.
No Personal Data: We do not transmit names, email addresses, or content from your Koras to RevenueCat.
Payment processing is handled entirely through the Google Play Store or Apple App Store. Kithora does not store credit card data.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — provision and management of your subscription).

Third-country transfer: RevenueCat is based in the USA. The data transfer is based on the EU-US Data Privacy Framework (Art. 45 GDPR), insofar as RevenueCat is certified, and additionally on Standard Contractual Clauses (Art. 46(2)(c) GDPR). RevenueCat processes exclusively anonymized device IDs; establishing a personal reference is not possible for RevenueCat.

6. Use of Artificial Intelligence (AI)

Kithora offers optional AI features (e.g., analysis of PDF crew lists, travel planning, budget optimization). Processing is carried out by external AI service providers. Kithora automatically selects the appropriate provider for your request.

6.1 AI Service Providers Used

Google (Alphabet Inc.) — Headquarters: Mountain View, CA, USA.
OpenAI, Inc. — Headquarters: San Francisco, CA, USA.
Anthropic, PBC — Headquarters: San Francisco, CA, USA.
Moonshot AI (Beijing Moonshot Technology Co., Ltd.) — Headquarters: Beijing, China.
Z-AI — Headquarters: China.

6.2 Data Processing

Processing: When you use an AI feature, the relevant data (e.g., the text of an uploaded PDF or your budget data) is sent to the respective service provider for processing.
No Training: The transmitted data is used exclusively to fulfill your request. It is not permanently stored and is not used to train AI models (zero data retention for API usage).
Transparency: AI analyses only take place when you actively trigger a corresponding function (e.g., "Scan manifest" or "Optimize budget").
Automatic Routing: Kithora automatically selects the optimal provider based on availability and suitability. You do not select the provider yourself.

Legal basis: Art. 6(1)(a) GDPR (consent) — you actively and voluntarily trigger each AI processing.

6.3 Third-Country Transfer

USA (Google, OpenAI, Anthropic): Data transfer is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR). All three providers are additionally covered by the EU-U.S. Data Privacy Framework.
China (Moonshot AI, Z-AI): Data transfer is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR). Please note that China does not have an adequate level of data protection as recognized by the European Commission. Data is used exclusively for request processing and is not permanently stored.

7. App Permissions

For Kithora to function, we need access to certain features of your device:

Camera: For scanning and photographing receipts and documents. Only at your request.
Photo Library: For uploading photos to the Chronicle or for AI analyses. Only at your request.
Notifications: For optional push notifications about group activities.

Legal basis: Art. 6(1)(a) GDPR (consent) — you actively grant each permission through your operating system.

8. Third-Party Services

Kithora uses the following third-party services:

RevenueCat, Inc. (San Francisco, USA): Subscription management (see section 5).
Google (Alphabet Inc.) (Mountain View, USA): AI service provider for optional AI features (see section 6).
OpenAI, Inc. (San Francisco, USA): AI service provider for optional AI features (see section 6).
Anthropic, PBC (San Francisco, USA): AI service provider for optional AI features (see section 6).
Moonshot AI (Beijing Moonshot Technology Co., Ltd.) (Beijing, China): AI service provider for optional AI features (see section 6).
Z-AI (China): AI service provider for optional AI features (see section 6).
Apple App Store / Google Play Store: For processing payments for subscriptions and in-app purchases. Apple's and Google's respective privacy policies apply additionally.

9. Your Rights (Art. 15-21, 77 GDPR)

You have the following rights regarding your personal data:

Right of access (Art. 15 GDPR): You have the right to request information about the personal data we process about you.
Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate data.
Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your data, provided no legal retention obligations apply.
Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of processing of your data.
Right to data portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format.
Right to object (Art. 21 GDPR): You have the right to object to the processing of your data at any time for reasons arising from your particular situation, insofar as the processing is based on Art. 6(1)(f) GDPR.

Since Kithora is a local-first application and does not store personal data on central servers that can be attributed to you, traditional data access or deletion requests are generally not applicable. Your data is stored encrypted — only you and your group can decrypt it. When you delete the app, the local data is removed from your device.

To exercise your rights, contact us at: [email protected]

10. Right to Lodge a Complaint with a Supervisory Authority

Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data is unlawful. The supervisory authority responsible for us is:

Saxon Data Protection and Transparency Commissioner
(Sächsischer Datenschutz- und Transparenzbeauftragter)
Devrientstraße 5
01067 Dresden, Germany
Phone: +49 351 85471-101
Website: www.datenschutz.sachsen.de

11. Children

Kithora is not intended for children under the age of 16. Since we do not collect accounts, we cannot verify the age of users. The use by minors is the responsibility of their legal guardians.

12. Changes to This Privacy Policy

We reserve the right to update this privacy policy in the event of changes to the app or the legal situation. You can always find the current version in the app and on our website.

13. Contact

Arndt Lehmann
Glück-Auf-Straße 41, 09394 Hohndorf
Email: [email protected]