1. Data Controller

The data controller responsible for processing your personal data is:

Ilia Grezin

Obchodná 559/37, 811 06 Bratislava-Staré Mesto, Slovak Republic

IČO (Business ID): 54382394

Email: hello@kotia.app

2. Data We Collect

When using kotia.app, we collect the following data:

  • Account data (legal basis: contract): name, email, avatar via Google OAuth 2.0
  • Generated content (legal basis: contract): request topics and created articles
  • Token usage (legal basis: contract): history of free and paid token consumption
  • Technical data (legal basis: legitimate interest): IP address, browser type, device information for security and service stability
  • Analytics data (legal basis: consent): usage patterns via Google Analytics, collected only with your consent

3. How We Use Data

We use your data for the following purposes:

  • Service delivery (contract): providing AI content generation, managing your account, processing token transactions
  • Payment processing (contract): processing payments via Stripe
  • Service improvement (legitimate interest): analyzing usage patterns to improve service quality
  • Communication (legitimate interest): sending important service notifications about your account
  • Analytics (consent): understanding how users interact with our platform via Google Analytics
  • AI model training: your prompts and generated content are NOT used to train any AI models. Third-party providers (Google Gemini, DeepSeek) process your data solely for content generation per their own privacy policies

4. Data Storage and Retention

Your data is stored securely with the following standards:

  • Data encryption in transit (TLS/SSL)
  • Regular encrypted backups
  • Limited data access (administrators only)

Retention periods:

  • Account data: retained until you delete your account
  • Generated content: retained until you delete your account or specific articles
  • Technical logs: retained for 90 days
  • Payment records: retained for 10 years (legal obligation)
  • Analytics data: retained for 14 months (Google Analytics default)

5. Third-Party Services

We share data with the following third-party processors:

  • Google OAuth 2.0: authentication — processes name, email, avatar
  • Google Gemini API: AI content generation — processes article topics and prompts
  • DeepSeek API: AI content generation — processes article topics and prompts
  • Stripe: payment processing — processes payment card data
  • Google Analytics: website analytics — processes anonymized usage data (with consent only)
  • Hetzner: hosting infrastructure — stores all data (servers in EU, Germany)

Privacy policies of our processors:

6. International Data Transfers

Your data is primarily stored within the European Union (Hetzner, Germany). Some third-party services may process data outside the EU:

  • Google services (OAuth, Gemini, Analytics): data may be processed in the US under the EU-US Data Privacy Framework
  • DeepSeek: data may be processed in China under Standard Contractual Clauses (SCCs)
  • Stripe: data may be processed in the US under the EU-US Data Privacy Framework

All international transfers are protected by appropriate safeguards in accordance with GDPR Chapter V.

7. Cookies

We use the following categories of cookies:

Essential cookies (always active):

  • Session cookie — maintains your login session (httpOnly, secure, sameSite: lax)
  • Preferences — remembers your theme and language settings

Analytics cookies (require your consent):

  • _ga, _ga_* — Google Analytics cookies for understanding site usage (duration: up to 2 years)

You can manage your cookie preferences at any time through the cookie settings in the footer of our website.

8. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15): obtain a copy of your personal data
  • Right to rectification (Art. 16): correct inaccurate personal data
  • Right to erasure (Art. 17): request deletion of your personal data
  • Right to restriction (Art. 18): restrict the processing of your data
  • Right to data portability (Art. 20): receive your data in a machine-readable format
  • Right to object (Art. 21): object to processing based on legitimate interest
  • Right regarding automated decisions (Art. 22): not be subject to solely automated decision-making
  • Right to withdraw consent (Art. 7): withdraw consent at any time without affecting prior processing

To exercise your rights, contact us at: hello@kotia.app

You also have the right to lodge a complaint with the supervisory authority:

Úrad na ochranu osobných údajov Slovenskej republiky

Hraničná 12, 820 07 Bratislava 27, Slovak Republic

dataprotection.gov.sk

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to: know what personal information we collect and how it is used; request deletion of your personal data; opt out of the sale of personal information. We do not sell your personal information to third parties. To exercise these rights, contact hello@kotia.app with "Privacy Request" in the subject line.

9. Security

We implement the following security measures:

  • Rate limiting to mitigate automated abuse and denial-of-service attempts
  • Validation of all input data
  • SQL injection protection (parameterized queries)
  • CSRF mitigation via SameSite session cookies and a restrictive CORS policy
  • Regular security audits
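The session-cookie attributes listed in section 7 and the parameterized-query protection listed above, shown together as an added example in Python. This is not kotia.app's own code; the cookie name, the table layout and the sample rows are assumptions constructed for the demonstration.

```python
"""Added example (not kotia.app's code): serializing a session cookie with the
attributes the policy states (HttpOnly, Secure, SameSite=Lax) and contrasting
a string-built SQL query with a parameterized one on an in-memory SQLite table
filled with constructed sample data."""
import sqlite3
from http.cookies import SimpleCookie


def session_cookie_header(session_id: str) -> str:
    """Return the Set-Cookie value for the session cookie.

    HttpOnly keeps the value away from document.cookie, Secure restricts it to
    HTTPS, and SameSite=Lax stops the browser attaching it to cross-site POSTs,
    which is what blunts CSRF. The cookie name 'session' is an assumption.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return morsel.OutputString()


def demo_db() -> sqlite3.Connection:
    """Build an in-memory table of generated articles (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, owner TEXT, topic TEXT)"
    )
    conn.executemany(
        "INSERT INTO articles (owner, topic) VALUES (?, ?)",
        [
            ("alice@example.com", "Kitten nutrition"),
            ("bob@example.com", "Cat tree DIY"),
        ],
    )
    return conn


def articles_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> list[str]:
    """String concatenation: attacker-controlled text becomes part of the SQL."""
    sql = f"SELECT topic FROM articles WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in conn.execute(sql).fetchall()]


def articles_for_owner(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Parameterized query: the driver binds the value, it is never parsed as SQL."""
    sql = "SELECT topic FROM articles WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,)).fetchall()]


if __name__ == "__main__":
    print(session_cookie_header("opaque-session-id"))
    db = demo_db()
    payload = "x' OR '1'='1"  # classic tautology injection
    print("vulnerable:", articles_for_owner_vulnerable(db, payload))  # every row
    print("parameterized:", articles_for_owner(db, payload))  # no rows
```

The injected payload leaks every user's articles through the concatenated query but matches nothing when bound as a parameter, because SQLite treats the bound string as data rather than as part of the statement.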

10. Policy Changes

We may update this privacy policy. We will notify you of significant changes via email or service notifications. The latest version is always available at this page.

In the event of a data breach affecting your personal data, we will notify affected users and relevant authorities within 72 hours of discovery, in accordance with applicable law.

11. Contact

For privacy questions, contact us: