Privacy Policy
How Kodexi handles your data. Plain language, technical specifics where they matter.
Last updated: 16 May 2026 · Version 1.0 · Governed by Brazilian law (LGPD)
1. Who we are
Kodexi is operated by Vitor Ribeiro (sole proprietor, Brazil). Contact: support@kodexiai.com. This policy covers the Kodexi macOS and iOS apps and the Kodexi web presence at kodexiai.com.
2. What we collect — and where it lives
2.1 On your device only (never leaves unless you enable sync)
- OCR text captured from your reading apps (Kindle, Apple Books, etc.) and any text you import.
- Page images (screenshots taken during capture).
- Your AI chat conversations, flashcards, audio explanations, and notes.
- Vector embeddings of your captured text, computed on-device.
All of the above is encrypted at rest on your device using AES-256-GCM via Apple CryptoKit. The encryption key is generated on first launch and stored in the macOS or iOS Keychain.
2.2 Synced to our servers (only if you create an account)
If you sign in, the following is uploaded — already encrypted with your device key — to our backend (Supabase, hosted on AWS in us-west-2):
- Your account email and (if you use Sign in with Apple) the opaque Apple user identifier.
- Encrypted copies of your captures, chats, chapters, flashcards, audio explanations, and pinned passages.
- Encrypted page-image blobs in a private Supabase Storage bucket (path-randomised, server-side encrypted on top of your device encryption).
The server-stored payloads are opaque ciphertext to us. We cannot read your captures, your conversations, or your images. We can see only: row IDs, timestamps, sizes, and routing metadata.
2.3 Operational telemetry (non-content, allowlisted)
To know whether features are used, we log per-event rows containing only:
- Event name (e.g. feature_used:chat_send, paywall_viewed, capture_idle_10min).
- Your account user ID.
- Timestamp.
- Optional non-PII context: app version, OS version, count of detected bundles, and (for capture idle) the name of the currently-foregrounded application.
A database-level CHECK constraint enforces that no other context keys are ever accepted. The full allowlist is auditable in our migration 075_feature_events.sql.
2.4 Crash reports
If Kodexi crashes, a short diagnostic record (stack trace, OS version, app version — no content) is sent to our server so we can fix the bug. You can disable this in Settings.
2.5 Billing
If you subscribe via the iOS App Store, Apple processes your payment; Kodexi receives the App Store receipt only. If you subscribe via macOS (Stripe), Stripe processes your card and Kodexi receives the customer ID, subscription tier, and billing status — never the card number.
3. AI processing — what your text is shown to
OCR runs on-device using Apple Vision Framework whenever possible. When Vision returns low-confidence results, page text may be sent to Google Gemini as a fallback OCR provider. Chat, flashcards, audio explanations, and research queries route through our process-ai-job edge function to one or more third-party LLM providers (currently Google Gemini and OpenRouter). Audio explanations route through OpenAI for TTS.
These third parties see only the specific text needed for the requested operation. They do not see your encryption keys or your other captures. Kodexi has data-processing agreements requiring deletion after inference and prohibiting training-data use. The provider list is current as of this policy version; we will publish updates here when it changes.
4. Legal bases (LGPD Art. 7)
- Account, sync, and billing — performance of the contract you accept on signup (Art. 7, V).
- Telemetry, crash reports — legitimate interest in maintaining a working product (Art. 7, IX). You can opt out of crash reports in Settings.
- AI processing of your text — your consent at the time of feature use (Art. 7, I).
5. Retention
- Encrypted captures and chats: retained until you delete them, or until you delete your account.
- Telemetry rows: retained 24 months.
- Crash reports: retained 90 days.
- Stripe customer records: retained per Stripe's policies (tax/accounting obligations may require longer).
6. Your rights (LGPD Art. 18)
You can request access, correction, deletion, anonymisation, portability, or information on data sharing by emailing support@kodexiai.com. We respond within 15 days.
To delete your account immediately: Settings → Account → Delete Account. This wipes all encrypted server data, telemetry, crash reports, and billing records linked to your account. Your local device data is wiped on next launch.
7. International transfers
Our infrastructure provider (Supabase / AWS) is located in the United States (us-west-2). Stripe processes payments globally. Google and OpenAI process AI requests in the United States. We rely on the EU-US Data Privacy Framework adequacy decision and equivalent LGPD international-transfer mechanisms (Art. 33).
8. Security
End-to-end encryption (AES-256-GCM, CryptoKit) for all user content. Keys in device Keychain only. Sync key derivation via PBKDF2 from your account password (the password itself is never sent to us; Supabase Auth uses bcrypt server-side).
If we ever discover a breach affecting your data, we notify you and the ANPD within 72 hours.
9. Children
Kodexi is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe we have, email support@kodexiai.com.
10. Changes
We update this policy when our practices change. The version string at the top reflects the current version. Material changes will trigger a re-consent prompt in the app.
11. Contact / Data Protection Officer
Vitor Ribeiro — support@kodexiai.com.