Privacy Policy
Last updated: May 29, 2026 · Effective: May 29, 2026
This Privacy Policy explains how Anmar Aljarad (the operator of the Kimu app — “Kimu,” “we,” “us,” or “our”) collects, uses, shares, and protects your personal data when you use the Service. It applies to users worldwide and includes specific information for users in the European Economic Area / United Kingdom (GDPR), the United States (including California), and the Republic of Korea (PIPA).
The short version. We collect the information you give us (account, profile, content) and information generated as you use Kimu (activity, device, and usage data). We use it to run the app, personalize your feed, keep the community safe, and improve the Service. We use trusted service providers (analytics, hosting, crash reporting, push, and AI content tools) but we do not sell your personal data. You can delete your account and data at any time.
1. Who is responsible for your data
The data controller is Anmar Aljarad, operator of Kimu. For any privacy question or request, contact support@kmoonproject.com.
2. Information we collect
Information you provide
- Account & authentication: email address and a password (hashed, never stored in plain text), or — if you use social sign-in — a provider identifier and the basic profile details that Apple, Google, Kakao, or Naver share with us (typically your name and email).
- Profile: username, display name, biography, profile photo and background image, and optionally your birthday, gender, and phone number.
- Content: posts (text, photos, videos), comments, direct messages, polls you vote in, and feedback or support requests (including any screenshot you attach).
Information generated through your use
- Social & engagement activity: follows, blocks, the idols and groups you “stan,” likes, Sarang you send or receive, points earned or exchanged, and content reports you submit.
- Purchases: records of in-app purchases (product, store transaction identifier, amount, currency, and time). Payment is handled by Apple or Google; we do not receive your card details.
- Device & technical data: device model, operating-system version, app version, language/locale, IP address (recorded with login sessions), and push-notification device tokens.
- Usage & analytics data: in-app events and interactions (for example, screens viewed and features used), tied to your account identifier, plus crash and diagnostic data when the app encounters an error.
- Advertising identifiers: on iOS we access the advertising identifier (IDFA) only if you permit it through Apple’s App Tracking Transparency prompt; on Android the advertising ID (AAID) may be used by analytics. You can reset or limit these at the operating-system level.
We do not collect precise or approximate location, health, financial-account, contacts, or browsing-history data.
3. How we use your information
- Provide the Service — create and secure your account, display your profile and content, deliver messages, run the Sarang/points economy and in-app purchases.
- Personalize your feed — generate recommendations and rank content (the “For You” feed), using your activity and content signals.
- AI content understanding — to label and organize posts (e.g., detect which idols or topics a post is about, detect language, assess quality), we send post images and captions to an AI vision model operated by Anthropic via OpenRouter. To triage and route support, we send feedback text and any attached screenshot to an AI model via OpenRouter.
- Notifications — send push notifications you’ve enabled.
- Safety & moderation — detect, review, and act on abuse, reports, and violations.
- Analytics & improvement — understand how the app is used and improve it.
- Communications & support — send verification emails and respond to you.
- Legal — comply with law and enforce our Terms.
4. Service providers and third parties we share with
We share personal data with the service providers below, who process it on our behalf under contract. We do not sell your personal data. Each provider has its own privacy policy.
| Provider | Purpose | Data involved | Region |
|---|---|---|---|
| Supabase (PostgreSQL) | Primary database | All account, profile & content data | EU (Frankfurt) |
| Railway | Application hosting | Data in transit during processing | EU (Amsterdam) |
| Cloudflare R2 & CDN | Media storage & delivery | Photos, videos, avatars, screenshots (public-readable by URL) | Global edge |
| PostHog | Product analytics | Usage events + account identifier | EU |
| Google Firebase (FCM & Analytics) | Push notifications & analytics | Device push token, app instance & advertising identifiers | Google (global) |
| Sentry | Crash & error reporting | Diagnostics: device model, OS, app version, error context | US |
| OpenRouter → Anthropic (Claude) | AI content tagging & feedback triage | Post images + captions; feedback text + screenshots | US |
| Resend | Transactional email | Email address + verification code | US / EU |
| Apple & Google | In-app purchase & sign-in | Purchase/transaction data; sign-in profile basics | Global |
| Kakao & Naver | Social sign-in | Sign-in identifier, name, email (if shared) | South Korea |
We may also disclose data to comply with law, enforce our Terms, protect rights and safety, or in connection with a business transfer (e.g., merger or acquisition), in which case we will require the recipient to honor this Policy.
Public by design. Your profile and posts are visible to other users, and uploaded media is served from public storage and can be opened by anyone with the direct link. Please share accordingly.
5. International data transfers
Kimu is operated from the United Arab Emirates and relies on providers located in the European Union (Supabase, Railway, PostHog), the United States (Sentry, OpenRouter/Anthropic, Resend, Google), and South Korea (Kakao, Naver). When we transfer personal data across borders, we rely on appropriate safeguards — such as the European Commission’s Standard Contractual Clauses and equivalent mechanisms — to protect it.
6. Legal bases (GDPR / UK GDPR)
If you are in the EEA or UK, we process your personal data on these legal bases:
- Performance of a contract — to provide the Service you signed up for (account, content, messaging, purchases).
- Consent — for optional features such as analytics/advertising identifiers where required, optional profile fields, and push notifications. You may withdraw consent at any time.
- Legitimate interests — to keep the Service safe, prevent abuse, and improve and analyze the app, balanced against your rights.
- Legal obligation — to comply with applicable law.
7. Your rights and choices
Depending on where you live, you may have the right to access, correct, delete, or receive a copy of your personal data (portability), to object to or restrict certain processing, and to withdraw consent. To exercise these rights, use the in-app controls or email support@kmoonproject.com. We will respond within the period required by applicable law.
- Delete your account and data at any time from Settings → Account → Delete Account, or as described on our account-deletion page.
- Manage notifications in app settings and your device settings.
- Limit advertising identifiers through Apple’s App Tracking Transparency (iOS) or your Android ad-settings (reset/opt out).
EEA / UK
You have the right to lodge a complaint with your local data-protection authority. We hope you’ll contact us first so we can help.
United States (California & similar states)
We do not sell your personal information for money. Some uses of advertising identifiers with analytics partners may be considered “sharing” for cross-context behavioral advertising under California law; you can opt out by declining App Tracking Transparency on iOS or resetting/limiting your advertising ID on Android. You have the right to know, access, delete, and correct your personal information, and not to be discriminated against for exercising these rights. To make a request, email support@kmoonproject.com.
Republic of Korea (PIPA)
We process personal data with consent or another lawful basis under the Personal Information Protection Act, and we provide rights to access, correct, delete, and suspend processing of your personal data. Korean social sign-in (Kakao, Naver) shares only the basic profile data you authorize. Contact support@kmoonproject.com to exercise these rights.
8. Children
Kimu is for users aged 13 and older and is not directed to children under 13; we do not knowingly collect personal data from them. In the EEA/UK and other regions with a higher digital-consent age (often 16), users below that age need verifiable parental or guardian consent. If you believe a child has provided us data without proper consent, contact support@kmoonproject.com and we will delete it.
9. Data retention
We keep your personal data while your account is active and as needed to provide the Service. When you delete your account, we delete or irreversibly anonymize your personal data from our active systems immediately (see the account-deletion page for exactly what is removed). Residual copies in routine encrypted backups are purged within 30 days. We may retain limited records for longer only where required by law (for example, to meet financial or legal-compliance obligations) or to resolve disputes and enforce our agreements.
10. Security
We protect your data with measures including encryption in transit (HTTPS/TLS), hashing of passwords, access controls, and reputable infrastructure providers. No method of transmission or storage is perfectly secure, but we work to safeguard your information and to address vulnerabilities responsibly.
11. Cookies and similar technologies
The Kimu app does not use advertising cookies. We and our providers use device and software identifiers (such as push tokens, app-instance identifiers, and — with your permission — advertising identifiers) to operate, secure, and analyze the Service, as described above. These public legal pages are served as static web pages and do not set tracking cookies.
12. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you in the app. Your continued use of Kimu after an update means you accept the revised Policy.
13. Contact us
Anmar Aljarad — operator of Kimu
Email: support@kmoonproject.com