Privacy Policy

Last updated: March 26, 2026

1. Introduction

Oda Tecnologia Ltda ("we", "us", or "our") operates kinoki ("the Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Service.

We are committed to protecting your privacy and handling your data transparently. This policy is designed to comply with applicable data protection laws, including the Brazilian General Data Protection Law (LGPD), the European General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

2. Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Username
  • Password (stored securely using cryptographic hashing)
  • Display name (optional)
  • Bio (optional)
  • Profile photo (optional)

If you sign in using Google, we receive your name and email address from Google. We do not receive or store your Google password.

Content You Create

When you use the Service, you may create:

  • Tree records (names, species, acquisition dates, descriptions)
  • Care logs (pruning, repotting, wiring, and other activities with notes and images)
  • Reminders for upcoming care
  • Tags for organizing your collection
  • Photos of your trees

Usage Information

We collect limited usage data to improve the Service, including page views and feature interactions. This data is collected via PostHog, hosted in the European Union. We do not use automatic data collection (autocapture). Only explicitly defined events are tracked.

Technical Information

Our infrastructure automatically collects:

  • IP address
  • Browser type and version
  • Operating system
  • Request timestamps

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and secure your account
  • Display your content on your public profile (according to your plan and privacy settings)
  • Sync your data across your devices
  • Send you account-related emails (verification, magic links, security alerts)
  • Analyze usage patterns to improve the Service (in aggregate, anonymized form)
  • Enforce our Terms of Service and respond to reports
  • Comply with legal obligations

We do not sell your personal information to third parties. We do not use your data for advertising.

4. Legal Basis for Processing

Under the LGPD and GDPR, we process your personal data based on the following legal grounds:

  • Contract execution: Processing necessary to provide the Service you signed up for, including account management, content storage, and data synchronization.
  • Legitimate interest: Analytics to improve the Service, security measures, and fraud prevention.
  • Consent: Optional analytics cookies. You can withdraw consent at any time.
  • Legal obligation: Compliance with applicable laws and regulations.

5. How We Share Your Information

We share your information with third-party service providers who help us operate the Service:

  • Cloudflare (hosting, database, image storage): All service data is processed on Cloudflare's infrastructure.
  • PostHog (analytics and feature flags): Usage events and device information. Data is hosted in the European Union.
  • Resend (email delivery): Your email address and email content for verification and magic link emails.
  • Google (authentication): Your email and name, only if you choose to sign in with Google.
  • Paddle (payment processing): Your email and payment information, only if you subscribe to a paid plan.

These providers process data on our behalf and are contractually required to protect your information. We may also share your information if required by law, to protect our rights, or to prevent fraud or security threats.

Public Content

Content on your public profile (trees, care logs, username, display name, avatar, bio) is visible to anyone who visits your profile page. On the free plan, all trees are public. With a paid plan, you can set individual trees as private.

6. Cookies and Tracking Technologies

We use the following cookies:

  • Session cookie (essential): Maintains your login session. This cookie is necessary for the Service to function and does not require consent.
  • Analytics cookies (optional): PostHog uses cookies to understand usage patterns and improve the Service. These cookies are processed in the EU.

We do not use advertising cookies or third-party tracking pixels.

7. Data Storage and Security

Your data is stored on Cloudflare's infrastructure, including account data and content in Cloudflare D1 (database) and images in Cloudflare R2 (object storage).

We implement appropriate technical and organizational measures to protect your data, including:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • Hashed passwords (never stored in plain text)
  • Access controls and authentication for all data access

While we take reasonable steps to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Data Retention

We retain your data for as long as your account is active. You can delete your account at any time from the Account tab in Settings, or by visiting our account deletion page at /account-deletion. Deletion is immediate and permanent. All your personal data and content will be removed from our systems. Backup copies may take up to 30 days to be fully purged.

We may retain certain anonymized or aggregated data that cannot be used to identify you for analytical purposes.

Account Deletion

You can delete your account at any time from the Account tab in Settings, or by visiting our account deletion page if you no longer have access to your account.

When you delete your account, the following data is permanently removed: all trees and their details, care logs and journal entries, reminders, photos and images, your profile and account information.

If you have an active paid subscription, it will be automatically canceled upon account deletion. Paddle, our payment processor, may retain payment records independently as the Merchant of Record, in accordance with their own data retention policies.

9. Your Rights

All Users

Regardless of your location, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and associated data (available in Settings or via the account deletion page)
  • Export your data (available in the Account tab in Settings)

LGPD (Brazil)

If you are in Brazil, you also have the right to:

  • Confirmation of the existence of data processing
  • Information about public and private entities with whom your data is shared
  • Revocation of consent
  • Opposition to processing based on legitimate interest
  • Data portability
  • Filing a complaint with the ANPD (Autoridade Nacional de Proteção de Dados)

GDPR (European Economic Area)

If you are in the EEA, you also have the right to:

  • Restriction of processing
  • Data portability
  • Object to processing based on legitimate interest
  • Withdraw consent at any time
  • Lodge a complaint with your local supervisory authority

CCPA (California)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and share
  • Request deletion of your personal information
  • Non-discrimination for exercising your privacy rights

To exercise any of these rights, please contact us at the email address below.

10. Children's Privacy

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has created an account, we will take steps to delete the account and associated data.

11. International Data Transfers

Your data may be processed in countries other than your own, as our infrastructure providers operate globally. When data is transferred internationally, it is protected by appropriate safeguards including standard contractual clauses and the service providers' data protection commitments.

Analytics data is processed by PostHog in the European Union.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the Service or by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Data Protection Officer

In compliance with the LGPD, our Data Protection Officer (Encarregado) can be contacted at:

Oda Tecnologia Ltda
Email: victor@odatec.dev

For any privacy-related questions, concerns, or requests, please reach out to us at the email above.

See also our Terms of Service.