who we are
kolorz is operated by krasava eood, a single-member limited liability company registered in bulgaria. for the purposes of the eu general data protection regulation (gdpr), krasava eood is the data controller for the personal data described in this policy.
our registered postal address is available on request — please email hello@kolorz.com.
what data we collect
we group what we collect into a few clear categories.
identifiers
- an anonymous device identifier assigned by kolorz the first time you open the app — this lets us store your auras without requiring a login.
- if you choose to sign in with apple or google, we receive your email address and display name from the provider. you can use kolorz fully without ever signing in.
your emotion content
- the text you type when capturing a feeling at a moment of the day.
- the resolved emotion matched from our card library, the moment it belongs to (morning / afternoon / evening / night), and the capture time.
this is the most personal data we hold. we treat it carefully — see section 4 ("ai processing of emotion text") for how it's processed.
subscription data
- your subscription state (free / pro, current period, renewal status) — managed via apple or google's billing systems and surfaced through revenuecat.
- we never see your payment card. apple and google handle that directly.
usage data (analytics)
- events about how you use the app: which screens you visit, which features you tap, how long flows take, whether you complete onboarding, etc.
- we use posthog (eu instance) for this. event data is linked to your anonymous device id, not to your name or email.
- ip addresses are anonymized at ingestion; we do not store your full ip with your events.
- posthog also captures session recordings — anonymous playback of in-app navigation — so we can spot ux issues and crashes. sensitive inputs (your emotion text fields) are masked by default. recordings are retained for 30 days and then automatically deleted.
diagnostic data
- error events and crash details from inside the app, so we can find and fix bugs.
device info
- operating system + version, device model, language, timezone.
push tokens
- only if you opt in to notifications — a token from apple (apns) or google (fcm) so we can send you moment-aligned reminders.
how we use your data
- operate the service. matching your emotion text to a card, building your color story, showing your readings.
- sync across devices. if you sign in, we keep your aura history available wherever you log in.
- send notifications you asked for. moment reminders, monthly story prompts.
- improve product quality. aggregated, anonymized usage patterns help us see what works and what doesn't.
- process pro ai insights. if you're a pro subscriber, we send curated content to openai to generate the path / spectrum / period reflection layers.
- handle subscriptions. verify your purchase, restore it across devices, manage renewals.
we do not use your data for advertising. we don't have an advertising business.
ai processing of emotion text
some of the deeper pro layers — the path, the spectrum, daily / weekly / monthly insights — are generated by a large language model from openai.
- only pro subscribers trigger ai processing. on the free tier, no emotion text leaves our infrastructure for ai purposes.
- we send curated context (your emotion match, related card data, recent history) — not your raw account identifiers.
- per openai's api data usage policy, content sent through the api is not used to train openai's models.
- we never use your emotion content for advertising, model training of our own, or any purpose beyond delivering the reading you asked for.
sub-processors
kolorz works with a small number of trusted services. each one only receives the data it needs to do its job.
- supabase — primary data storage and anonymous authentication. stores your auras, profile, and sync state.
- posthog (eu) — product analytics. usage events linked to anonymous ids; hosted on the eu instance for data residency.
- apple — app store distribution, sign in with apple (optional), apns push delivery.
- google — google play distribution, google sign-in (optional), fcm push delivery.
- revenuecat — subscription state and entitlement verification.
- openai (pro only, us-based) — generates the ai-written reading layers.
we do not allow these services to use your data for their own purposes.
data retention
- your aura history is kept for as long as your account exists. delete your account and it's removed.
- analytics events are retained for up to 12 months and may be aggregated/anonymized after that.
- subscription records are retained as required by tax and consumer-protection laws (typically 7 years in the eu).
- backups may persist for up to 30 days after deletion before being purged from supabase backups.
international transfers
your primary data is stored in the european union. some processing — specifically the openai-powered ai readings for pro subscribers — happens on us-based infrastructure. these transfers rely on the european commission's standard contractual clauses as the legal basis.
your rights
under gdpr (and equivalent rights in other jurisdictions), you can:
- access the personal data we hold about you
- correct inaccurate data
- delete your data (the "right to be forgotten")
- export your data in a portable format
- object to certain processing or withdraw consent at any time
- lodge a complaint with your local data protection authority
most of these are one tap inside the app. for anything else, email hello@kolorz.com and we'll respond within 30 days.
how to delete your data
- open kolorz → settings → delete account. this removes your auras, profile, and identifiers from our active systems immediately, and from backups within 30 days.
- prefer email? send a deletion request to hello@kolorz.com from the address linked to your account (or include enough information to identify the anonymous device).
- uninstalling the app does not automatically delete your synced data — use the in-app delete or email us.
children's privacy
kolorz is intended for users 16 and older. we do not knowingly collect personal data from anyone under 16. if you believe a minor has used the app, please contact us at hello@kolorz.com and we will delete the data.
security
data is encrypted in transit (tls) and at rest. anonymous authentication is the default — you don't have to share an email or password to use kolorz. we follow standard industry practices for access control and incident response. no system is perfectly secure, but we treat your emotion data with the care it deserves.
changes to this policy
we may update this policy as kolorz evolves. material changes will be surfaced inside the app before they take effect. the date at the top of this page always shows the most recent revision.
contact
for any privacy question, request, or concern, email hello@kolorz.com. our registered postal address is available on request.
krasava eood, registered in bulgaria.