Privacy Policy

Last updated: 21 May 2026  ·  Effective: 21 May 2026

This policy describes how the Kofa mobile app, the Kofa Raycast extension, and the backend service at api.kofa.dev (together, "Kofa") collect, use, store, and disclose information. Kofa is built and operated by Petar Yovkov, a sole developer based in the European Union (the "Operator", "we", "us").

1. Information we collect

1.1 Identity (from Google Sign-In)

When you sign in with Google we receive — and store — the following from your Google account: your Google account identifier (sub), email address, and display name. We use the OpenID Connect openid, email and profile scopes for this. We do not receive your Google password.

1.2 Task content (you provide)

Anything you type into Kofa: task titles, notes, scheduled dates and times, durations, and a color tag.

1.3 Google Calendar events (optional, read-only)

If — and only if — you explicitly connect a Google Calendar account inside Kofa, we request the https://www.googleapis.com/auth/calendar.events.readonly scope. We use this scope solely to read events from the primary calendar of each account you connect, so we can display those events alongside your tasks on the Kofa timeline. We never create, modify, or delete calendar events.

To enable refreshing events after the access token expires, Google issues us a refresh token, which we store encrypted at rest using symmetric encryption (Fernet / AES-128-CBC + HMAC-SHA256). We never share, sell, or expose this token outside the Kofa backend.

1.4 Personal access tokens you mint

Inside the mobile app you can mint personal access tokens (PATs) for use by external integrations such as the Kofa Raycast extension. Tokens are shown in cleartext only once at creation and stored on our backend as SHA-256 hashes (not recoverable). You can revoke any token at any time from the same screen.

1.5 Operational data

Standard web-server access logs at api.kofa.dev (IP address, timestamp, request path, response code, user-agent) are retained for up to 30 days for security and abuse-prevention purposes only.

1.6 What we do not collect

• No advertising identifiers.
• No analytics SDKs (no Firebase Analytics, no Google Analytics, no third-party tracking).
• No crash-reporting SDKs.
• No contacts, photos, location, microphone, camera, or device storage data.
• No biometric data.
• No data from children under the age of 16.

2. How we use information

• Identity — to authenticate you and associate your tasks with your account.
• Task content — to render it back to you across your devices.
• Calendar events — to display them inline on your day timeline.
• Access tokens — to authenticate API requests from integrations you set up.
• Access logs — to detect abuse and diagnose service issues.

We do not use any of the above for advertising, profiling, or training machine-learning models. We do not sell, rent, or trade your data.

3. Google API Services User Data Policy — Limited Use disclosure

Kofa's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy , including the Limited Use requirements. Specifically:

• We use Google Calendar data only to display your events alongside your tasks inside Kofa.
• We do not transfer Google Calendar data to others except as necessary to provide or improve the user-facing features, comply with applicable law, or as part of a merger or acquisition.
• We do not use Google Calendar data for serving advertisements.
• We do not allow humans to read your Google Calendar data, except (i) with your specific consent, (ii) for security purposes, (iii) to comply with applicable law, or (iv) when the data has been aggregated and anonymized in a way that does not identify any individual.

4. Sharing with third parties

We share data only with the infrastructure providers strictly required to operate Kofa:

• Neon (Postgres database hosting) — stores all account, task, and connected-calendar records.
• DigitalOcean (compute) — hosts the api.kofa.dev backend container.
• Cloudflare (Pages and DNS) — hosts the kofa.dev static site.
• Google — when you sign in or connect a Calendar account, we communicate with Google's APIs on your behalf.

Each provider acts as a sub-processor under their own terms. We do not share data with any advertiser, broker, or analytics vendor.

5. Where data is stored

The Neon Postgres database and the DigitalOcean droplet hosting api.kofa.dev are located in the European Union. Data is transmitted to and from the backend over HTTPS only.

6. Retention

• Tasks, account profile, and connected-calendar records are retained until you delete them or close your account.
• Refresh tokens for connected Google Calendar accounts are deleted immediately when you disconnect that account inside Kofa.
• Web-server access logs are retained for up to 30 days, then permanently deleted.

7. Your rights and how to exercise them

You can do the following at any time, free of charge:

• Access and export — request a copy of the personal data we hold about you.
• Delete — request deletion of your account and all associated tasks, calendars, and tokens. To request deletion, email yovkov@gmail.com from the address associated with your account and we will complete the deletion within 30 days.
• Disconnect Google services — at any time, revoke Kofa's access at myaccount.google.com/permissions. After revocation, Kofa can no longer read your Calendar events; we will also delete any stored refresh token for that account on next sync.
• Revoke personal access tokens — open the Kofa mobile app → Settings → Personal access tokens → revoke individual tokens.
• Lodge a complaint with your local data-protection authority. EU users may contact their national supervisory authority directly.

8. Security

We use TLS for all data in transit and encrypt sensitive credentials (Google OAuth refresh tokens, personal-access-token hashes) at rest. Access to the production database is restricted to the Operator and to Neon's automated systems.

9. Children

Kofa is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided data to Kofa, contact us and we will delete it.

10. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top will reflect the most recent revision. Material changes will be announced inside the mobile app and on this page at least 14 days before they take effect.

11. Contact

Petar Yovkov, Operator and data controller.  Email: yovkov@gmail.com.