Privacy Policy — kAIboard

1. Data Controller

Name: Alessandro Faedda

Type: Individual (independent developer)

Alessandro Faedda is the data controller for personal data collected through the kAIboard app.

2. What Data We Collect

kAIboard is designed following the principle of data minimization. We only collect data strictly necessary for the app to function.

2.1 Automatically Collected Data

Data	Type	Purpose	Legal Basis
Device Array	List of identifiers (e.g., ["android_e19d6c...", "android_175be4..."])	Synchronize subscription and tokens across multiple devices with the same Google Play account	Contract performance (Art. 6.1.b GDPR)
Current Token Usage	Integer (current_usage)	Track shared monthly consumption across all devices	Contract performance (Art. 6.1.b GDPR)
Purchase History	Product ID, purchase date, order ID	Verify purchases and prevent fraud	Contract performance (Art. 6.1.b GDPR)
Text to Translate	Text content	Real-time translation	Contract performance (Art. 6.1.b GDPR)

Multi-Device Synchronization

If you use kAIboard on multiple devices with the same Google Play account:

✅ Subscription shared automatically across all devices
✅ Token balance synchronized in real time
✅ Monthly limit shared (e.g., 250,000 tokens TOTAL, not per device)
✅ Firebase listener updates all devices simultaneously

Data saved for multi-device:

devices: Array of anonymous Android IDs using the same subscription
purchaseToken: Unique key of the Google Play subscription (Firestore document ID)
current_usage: Total token consumption across all devices (single shared counter)

Privacy: The devices array contains ONLY pseudonymized Android IDs (e.g., "android_abc123..."). We do not collect phone numbers, IMEI, or other personal identifiers.

2.1.1 Monthly Subscription Data

If you subscribe to a monthly subscription (e.g., PLUS Plan with 250,000 tokens/month), we save the following additional data:

Data	Type	Purpose	Legal Basis
Subscription Plan	String (e.g., "plus", "pro", "max")	Identify active plan and apply correct token limit	Contract performance (Art. 6.1.b GDPR)
Monthly Token Limit	Integer (e.g., 250000, 500000, 1000000)	Apply maximum tokens included in subscription	Contract performance (Art. 6.1.b GDPR)
Current Token Usage	Integer	Track shared monthly consumption and apply limit	Contract performance (Art. 6.1.b GDPR)
Monthly Reset Date	ISO Date (e.g., "2026-02-01")	Automatic usage reset at beginning of month	Contract performance (Art. 6.1.b GDPR)
Google Play Product ID	String (e.g., "abbonamento_mensile_2500")	Verify subscription validity through Google Play Billing API	Contract performance (Art. 6.1.b GDPR)
Auto-Renewal Status	Boolean	Check if subscription will renew automatically	Contract performance (Art. 6.1.b GDPR)
Subscription Purchase Date	Timestamp	Billing cycle management and disputes	Contract performance (Art. 6.1.b GDPR)
Subscription End Date	ISO 8601 Timestamp (e.g., "2026-02-28T14:30:00Z")	Manage grace period after cancellation (subscription remains active until this date)	Contract performance (Art. 6.1.b GDPR)
"Will Not Renew" Flag	Boolean (will_not_renew)	Indicate if subscription was cancelled but remains valid until expiration	Contract performance (Art. 6.1.b GDPR)
Cancellation Date	Timestamp (cancelled_at)	Track when the user cancelled the subscription	Contract performance (Art. 6.1.b GDPR)

    🔄 AUTOMATIC MONTHLY RESET: The token usage counter is automatically reset on your subscription renewal date (every 30 days from the purchase date). The reset happens in the background even if the app is closed or unused for weeks, via an automatic worker scheduled at 3:00 AM. The monthly limit is restored without any manual intervention.

⚠️ IMPORTANT - SUBSCRIPTION CANCELLATION: If you cancel your subscription, subscription data is retained until the end of the current billing period (Art. 6.1.b GDPR - contract performance). After expiration, you can delete all cloud data through the Privacy screen.

2.1.2 Grace Period

📅 SUBSCRIPTION CANCELLED BUT STILL ACTIVE

If you cancel your subscription through Google Play, the premium service remains active until the end of the already paid period.

Example:

You purchase a PLUS subscription on January 15, 2026
You cancel on January 20, 2026
✅ Premium remains active until February 15, 2026 (already paid)
✅ Monthly tokens available until expiration
❌ Subscription will NOT renew automatically

Data saved during grace period:

subscription_end: Exact date until which you are entitled to the service
will_not_renew: Flag indicating "cancelled but valid"
cancelled_at: Cancellation timestamp
monthly_limit: Token limit preserved until expiration

When the grace period expires:

Premium is automatically deactivated
Subscription data moved to history (user_subscriptions_history)
Active document (user_subscriptions) deleted
You can delete history via "Delete cloud data"

⚠️ WARNING - REINSTALLATION OR DEVICE CHANGE DURING GRACE PERIOD:

With active subscription (not cancelled): If you uninstall and reinstall the app, or install it on a new device or multiple devices with the same Google account, your subscription and token balance sync automatically. You don't need to do anything — restoration happens automatically on first launch.

With cancelled subscription (grace period): If you reinstall the app on the same device, the system finds your subscription and token balance via Firebase and restores them automatically, even during the grace period. On other devices that already had the app installed with the same account, restoration should happen automatically if the device was already registered in the system.

Important: If during the grace period you install the app on a completely new device that has never had kAIboard with your account, the remaining days and token balance may not be recoverable for security reasons, as the new device is not yet registered in the system. Likewise, if you delete cloud data from the app during the grace period, the deletion is immediate and means permanent forfeiture of the remaining period and token balance.

2.1.3 Subscription History

When a subscription expires or is deleted, we move the data to a history document for GDPR compliance and audit.

Data	Type	Purpose	Retention
Subscription History	Array of objects in user_subscriptions_history/{purchaseToken}	Purchase traceability, audit trail, GDPR compliance	90 days from expiration
Data per Entry	Plan, tokens used/limit, start/end/cancellation dates, cancellation reason, devices	Audit, user support, refund management	90 days from expiration

    🔒 MULTI-DEVICE CONSOLIDATION: History is consolidated by purchaseToken, not by device. All renewals and modifications of the same subscription are grouped in a single document, regardless of the number of devices used.

⚠️ HISTORY DELETION: You can delete history at any time via "Delete cloud data". Deletion is permanent and includes:

✅ Active document (user_subscriptions/{purchaseToken})
✅ History document (user_subscriptions_history/{purchaseToken})
✅ Administrative activity logs (admin_activity_logs/{device_id})
✅ GDPR compliant: lookup by purchaseToken, fallback with devices array

2.1.4 Administrative Activity Logs

To ensure traceability and support in case of disputes, we save a log of main operations related to subscriptions.

Data	Type	Purpose	Retention
Administrative Activity Logs	Array of events in admin_activity_logs/{device_id}	Audit trail for user support Google Play dispute resolution (within 60 days) Fraud prevention and billing disputes Grace period and auto-renewal management	90 days from last modification
Logged Events	Subscription creation Subscription cancellation Subscription expiration Automatic renewal Plan changes	Track modification history for audit and support	90 days from last modification
Details per Event	Timestamp, action, reason, plan, operation details	Information needed to reconstruct timeline in case of disputes	90 days from last modification

⚠️ IMPORTANT - ACTIVITY LOGS: Activity logs contain ONLY operational metadata (when, what, why). They do NOT contain sensitive personal data. They are automatically deleted after 90 days from the last modification and are accessible and deletable via "Delete cloud data".

🔒 LEGAL BASIS: Legitimate interest (Art. 6.1.f GDPR) - Necessary for:

Dispute management within 60 days (Google Play requirement)
Technical support and troubleshooting
Fraud prevention in the billing system
Audit trail for operational compliance

Impact on user rights is minimized because:

✅ Pseudonymized data (no direct personal identifiers)
✅ Retention limited to 90 days
✅ Automatic deletion every 24 hours via background cleanup
✅ Manual deletion via "Delete cloud data"

2.2 Data Stored Locally Only (On Device)

The following data is NEVER sent to external servers:

✅ App preferences and settings
✅ Language assigned to each contact (contact ID + language code)
✅ Typed words for personalized suggestions (max 14 days, then automatically deleted)
✅ Translation cache (RAM only, lost when app closes)
✅ Predictive N-gram models (downloaded by user, saved locally)
✅ On-device translation packs (ML Kit, downloaded by user, ~30 MB per language, managed by Google Play Services)
✅ Hunspell dictionaries (copied from assets, saved locally)
✅ Subscription alerts (local notifications about usage)

    📌 PERFORMANCE CACHE: To avoid lag when switching between conversations,
    kAIboard remembers which language you use with your most frequent contacts (~25-30).
    This cache stays on your device and uses less than 1 MB of storage.
    It is kept until app uninstall or manual deletion via the "Delete all local data" button.
    This extended retention is necessary to ensure a smooth experience without 1-3 second delays
    every time you switch chats.

⚠️ IMPORTANT: kAIboard accesses your contacts ONLY to display contact names in the language management interface and to determine the language from the international phone number prefix. Phone numbers and contact names are NEVER sent to our servers.

2.3 Data We DO NOT Collect

kAIboard DOES NOT collect:

❌ Message history
❌ Complete chat content
❌ Phone numbers
❌ Contact email addresses
❌ Precise geographic location
❌ Biometric data
❌ Advertising identifiers

3. How We Use Your Data

3.1 Real-Time Translation

When you use the translation feature:

The text you type is sent to our Cloudflare Worker server (secure relay)
The Worker forwards the text to OpenAI for translation
The translation is returned to the app
⚠️ IMPORTANT: The text is NEVER saved on our servers or OpenAI (transit only in memory)

3.1.1 On-Device Translation (ML Kit)

kAIboard also offers a fully on-device translation mode, without Internet connection:

Language packs (~30 MB each) are downloaded from Google Play Services onto the device
Translations happen entirely on the device — no text is sent to external servers
Google Play Services manages model download and storage
⚠️ PRIVACY: Unlike cloud translation, on-device translation does not transmit any data to third parties. The text stays exclusively on your device

You can manage language packs (download and remove) from the On-Device Translation Packs screen in the app Settings.

3.2 Subscription Backup and Synchronization

Subscription data is saved on Firebase (Google Cloud) to allow you to:

✅ Use your subscription on all your devices with the same Google Play account
✅ Synchronize token consumption in real time across all devices
✅ Restore your subscription if you reinstall the app (only if the subscription is active and auto-renewing)
✅ Keep your balance even after changing phones

⚠️ GOOGLE ACCOUNT REQUIREMENT: Subscription synchronization across multiple devices works ONLY if all devices use the same Google Play account with which you made the purchases. This requirement is enforced by the Google Play Billing API for security reasons and to prevent fraud. If you change your Google account, you will need to repurchase the subscription on the new account.

3.3 Anti-Fraud Protection for Subscriptions

🔒 HOW THE ANTI-FRAUD PROTECTION WORKS

kAIboard uses a protection system based on a shared counter to ensure the integrity of token consumption across all devices.

How it works:

Each subscription is linked to a single Firestore document identified by the purchaseToken from Google Play. All devices with the same Google account read and write the same document, ensuring a single shared consumption counter.

Practical behavior:

Device A purchases PLUS subscription (250,000 tokens/month) → Firestore document created ✅
Device B (same Google Play account) opens the app → Detects the same subscription, connects to the same document ✅
Device A uses 1,000 tokens → current_usage is set to 1,000 in Firestore
Device B receives the update in real time → Sees 249,000 available tokens ✅
Both devices remain active simultaneously, without invalidation ✅

Why it is secure:

✅ Single counter: There is only one current_usage value per subscription, impossible to duplicate
✅ Real-time synchronization: Every consumption is written immediately to Firestore and propagated to all devices via listener
✅ Validity managed by Google Play: Subscription validity is verified through the Google Play Billing API, not modifiable by the user
✅ Unique purchaseToken: Google Play assigns an immutable token to each purchase, used as the key of the Firestore document

Data saved for anti-fraud protection:

purchaseToken: Unique subscription key (Firestore document ID)
devices: Array of pseudonymized Android IDs that have used the subscription
current_usage: Shared counter of tokens consumed in the current month
monthly_limit: Maximum token limit for the subscribed plan

Legal basis: Contract performance (Art. 6.1.b GDPR) — The shared counter is an integral part of the purchased subscription service, necessary to correctly apply the monthly limit across all devices.

    💡 NOTE: Unlike other systems that limit usage to a single device, kAIboard allows you to use your subscription on all your devices simultaneously with the same Google Play account. The only limit is the total monthly consumption included in your plan.

3.4 Purchase Verification

Purchase history is saved to:

✅ Verify in-app purchase validity
✅ Prevent fraud and abuse
✅ Handle refunds and disputes with Google Play

4. Where We Send Your Data

4.1 Third-Party Services

Service	Data Sent	Purpose	Location
Firebase (Google)	Anonymous ID, token usage, purchase history, subscription data, activity logs	Backup, synchronization, audit trail	EU (European servers)
Cloudflare Worker	Text to translate (transit only)	Secure relay for translation	EU (European servers)
OpenAI	Text to translate (transit only)	Translation processing	USA (with Standard Contractual Clauses)
Google Play Billing	Order ID, purchased product	In-app purchase management	EU (Google servers)

4.2 Transfers Outside the EU

Text to be translated is sent to OpenAI (USA) for processing. The transfer is based on:

✅ Standard Contractual Clauses (SCC) approved by the European Commission
✅ OpenAI's public Privacy Policy stating that API data is not used for training
✅ Temporary transit: text is NOT stored (0 seconds storage)

⚠️ IMPORTANT: kAIboard uses OpenAI as a translation service provider via API. Although OpenAI publicly states that API data is not used for training, we do not have a formal Data Processing Agreement (DPA) with OpenAI. We recommend avoiding translation of highly sensitive information (health, financial, legal data).

References:

5. How Long We Keep Your Data

5.1 Automatic Retention Policy

Data Type	Retention Period	Deletion
Active Subscription Data (Firebase)	Until end of current billing period	Automatic deletion when subscription expires + moved to history
Subscription History (Firebase)	90 days from subscription expiration	Automatic deletion + manual deletion via "Delete cloud data"
Activity Logs (admin_activity_logs)	90 days from last modification	Automatic deletion (every 24h) + manual deletion
Purchase History (Firebase)	365 days from purchase	Automatic + manual deletion
Local Data (Device)	Until uninstall	App uninstall + manual deletion
Contact Language Cache (Device)	Until manual deletion or uninstall	"Delete all local data" button
Predictive N-gram Models (Device)	Until manual deletion or uninstall	"Delete all local data" button or removal from Offline Models screen
On-Device Translation Packs (ML Kit)	Until manual deletion or uninstall	"Delete all local data" button or removal from Translation Packs screen
Hunspell Dictionaries (Device)	Until manual deletion or uninstall	"Delete all local data" button
Learned Words (Prediction)	14 days (automatic decay)	Automatic + manual deletion
Translated Text	0 seconds (NEVER saved)	Automatic (memory transit only)
Translation Cache (RAM)	Until app closes	Automatic

    🗑️ AUTOMATIC CLEANUP: The app automatically performs cleanup every 24 hours. Data older than the indicated periods is automatically deleted, even if you no longer use the app.

6. Your Rights (GDPR)

Under the GDPR, you have the following rights:

6.1 Right of Access (Art. 15 GDPR)

You can request a copy of all data we hold about you. Subscription data is visible directly in the app.

6.2 Right to Rectification (Art. 16 GDPR)

You can correct inaccurate or incomplete data, for example by changing the language assigned to a contact.

6.3 Right to Erasure (Art. 17 GDPR)

You can delete all your data at any time through the Privacy screen in the app:

✅ Delete cloud data: Removes subscription data, subscription history, purchase history and activity logs from Firebase
✅ Delete learning data: Removes learned words for suggestions (all 13 languages)
✅ Delete all local data: Removes all preferences, data on the device, downloaded models, dictionaries and cache

⚠️ DELETION RESTRICTION WITH ACTIVE SUBSCRIPTION (Art. 17.3.b GDPR):

If you have an active monthly subscription, cloud data deletion is temporarily blocked until you cancel the subscription.

Reason: Subscription data (active plan, token limit, reset date) is necessary for contract performance (Art. 6.1.b GDPR). Early deletion would prevent:

❌ Proper functioning of the purchased monthly service
❌ Token limit synchronization across devices
❌ Automatic token reset at the beginning of the month

How to proceed:

Cancel the subscription through Google Play Store
Wait until the end of the current billing period
Delete cloud data through the app

Immediate deletion: The app automatically redirects you to Google Play to manage your subscription. After cancellation, data deletion will be immediately available.

Deletion during the grace period: Once you have cancelled your subscription, you can delete your cloud data at any time, even during the remaining paid period (grace period). Deletion is immediate and results in the permanent forfeiture of the remaining period and your current token balance. This choice is irreversible.

Legal basis for blocking: Art. 17.3.b GDPR - "The right to erasure shall not apply to the extent that processing is necessary for the performance of a contract to which the data subject is party".

6.4 Right to Data Portability (Art. 20 GDPR)

You can export your data in machine-readable JSON format via the "Export your data (JSON)" button in the Privacy screen. The file includes local data (preferences, learning) and cloud data (subscription, history, activity logs).

6.5 Right to Object (Art. 21 GDPR)

You can object to data processing for legitimate reasons. You can disable translation, crash reports and revoke contact access at any time.

6.6 Right to Lodge a Complaint

You can file a complaint with the competent supervisory authority:

Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) - www.bfdi.bund.de
Italy: Garante per la protezione dei dati personali - www.garanteprivacy.it

7. How to Exercise Your Rights

7.1 Through App (Immediate)

Path: Settings → Privacy & Security

Export your data (JSON): Complete export of local and cloud data in machine-readable format (Art. 15 + Art. 20)
Delete cloud data: Subscription data + subscription history + purchase history + activity logs (irreversible - requires subscription cancellation if active)
Delete learning data: Learned words (13 languages)
Delete all local data: All preferences, downloaded models, dictionaries, cache (restarts app)

7.2 Request via Email

To exercise other rights, write to: support@kaiboard.eu

We will respond within 30 days of your request (Art. 12 GDPR).

8. Data Security

We implement technical and organizational measures to protect your data:

🔒 Encryption in transit: HTTPS/TLS 1.3 for all communications
🔒 Encryption at rest: Firebase uses AES-256 encryption
🔒 Local database encryption: The learning database is encrypted with AES-256 via hardware-backed Android Keystore
🔒 Firebase Security Rules: Access limited to data owner only (default deny)
🔒 Pseudonymous ID: No direct personal data (name, email, phone)
🔒 Data minimization: We only collect what's strictly necessary
🔒 Automatic deletion: Data deleted after the indicated retention periods (90-365 days)
🔒 Protected API Key: The OpenAI API key is never exposed in the client, it is stored as a secret in the Cloudflare relay

9. Device Identifiers and Android Permissions

9.1 Device Identifiers Used

kAIboard uses the following identifiers to generate the anonymous device ID:

Identifier	Type	Purpose	Persistence
Android ID	Settings.Secure.ANDROID_ID	Generate unique and stable device ID	Persists across app reinstallations (same signing key). Changes after a device factory reset.
Install Referrer ID	Google Play Install Referrer API	Fallback if Android ID unavailable	Persists across reinstalls (if installed from Play Store)
Local UUID	java.util.UUID	Final fallback (sideload only)	Does NOT persist (lost on uninstall)

⚠️ FACTORY RESET: After a device factory reset, the anonymous identifier (Install ID) is regenerated. The active subscription is automatically restored by Google Play on the first app launch. Local data (preferences, contact languages, learned words) are lost and not recoverable, unless a backup was made before the reset.

⚠️ PRIVACY NOTE: The Android ID is a unique device identifier. kAIboard uses it ONLY to generate the anonymized pseudonymous ID (format: "android_[hash]"). The raw Android ID is NEVER sent to our servers or third parties.

9.2 App Permissions

Permission	Purpose	Mandatory
Contacts	Assign language to each contact for automatic keyboard switching	❌ No (optional)
Accessibility	Detect active chat app to automatically change language	❌ No (optional)
Notifications	Quick replies from lockscreen with correct language	❌ No (optional)
Microphone	Voice dictation (recording only when you press microphone button)	❌ No (optional)
Internet	Real-time translation and cloud backup	✅ Yes (for translation features)

⚠️ SECURITY NOTE: Android's security warning for keyboards is standard for all third-party keyboards, it does not mean kAIboard reads or saves your messages. You can verify the source code or contact us for more information.

10. Crash Reports (Optional)

kAIboard can send anonymous crash reports to Firebase Crashlytics ONLY if you explicitly enable the option.

What Crash Reports Include:

✅ Stack trace (error path in code)
✅ App version and operating system
✅ Device model
✅ Runtime information (memory, CPU)

What They DO NOT Include:

❌ Typed text
❌ Chat content
❌ Contact names
❌ Messages

Legal basis: Explicit consent (Art. 6.1.a GDPR)

How to disable: Settings → Crash reports (optional) → Disable. Disabling stops future sending and deletes reports not yet sent on the device. Reports already sent to Firebase remain on the backend and cannot be deleted from the phone.

11. Minors

kAIboard is not intended for children under 13 years of age. We do not knowingly collect data from minors. If you are a parent and discover that your child has provided data, contact us to delete it.

12. Changes to Privacy Policy

We may update this Privacy Policy periodically. We will notify you of any substantial changes through:

📧 Email (if provided)
📱 In-app notification
🌍 Updated date at the top of this document

Continued use of the app after changes constitutes acceptance of the new Privacy Policy.

13. Legal Basis for Processing

Processing of your data is based on:

Art. 6.1.b GDPR - Contract performance: Subscription management, multi-device synchronization, shared token counter, purchase history, translation
Art. 6.1.a GDPR - Consent: Crash reports (optional)
Art. 6.1.f GDPR - Legitimate interest:
- Purchase security
- Protection of billing system from abuse
- Administrative activity logs (audit trail)

📋 LEGITIMATE INTEREST ASSESSMENT (Art. 6.1.f GDPR):

Administrative activity logs are necessary for:

✅ Dispute management within 60 days (Google Play requirement)
✅ Technical support and troubleshooting
✅ Fraud prevention in the billing system

Impact on user rights is minimized because:

✅ Users can delete the logs via "Delete cloud data"
✅ The system uses only pseudonymized data (no direct personal data)
✅ The logic is transparent and documented in this Privacy Policy
✅ Retention limited to 90 days with automatic deletion