Privacy Policy

Informative translation. In case of conflict, the Brazilian Portuguese version shall prevail.

Document language

Privacy Policy — koda

Last updated: April 9, 2026 Version: 1.0

This English version is an informative translation. The authoritative version of this Policy is the Brazilian Portuguese version available at /privacy. In case of conflict between the versions, the Brazilian Portuguese version shall prevail.

1. Introduction

Koda Tech Solutions LTDA ("koda", "we", "our") respects the privacy of its Users and is committed to protecting personal data. This Privacy Policy describes how we collect, use, store, share and protect your personal data when you use our platform.

This Policy has been drafted in compliance with:

Brazilian General Personal Data Protection Law (LGPD) — Law 13.709/2018 (Brazil);
General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679;
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) — Cal. Civ. Code §§ 1798.100–1798.199;
Brazilian Marco Civil da Internet — Law 12.965/2014 (Brazil);
Other applicable data protection legislation, including specific rules on biometric data.

This Policy is an integral part of the Terms of Service and both documents must be read together.

2. Data Controller

2.1. Controller Identification

KODA TECH SOLUTIONS LTDA CNPJ (Brazilian Corporate Taxpayer ID): 66.082.842/0001-48 Rua Agapito Veloso, 79 — Estreito, Florianópolis/SC — ZIP 88054-050 — Brazil Website: https://usekoda.app

2.2. Data Protection Officer (DPO)

For questions related to the processing of your personal data, exercise of rights or privacy complaints:

DPO email (dedicated channel): dpo@usekoda.app
Postal mail: to the attention of the Data Protection Officer, at the address above.

For general questions not related to privacy, the channel is support@usekoda.app.

2.3. EU Representative

As of this version, Koda Tech Solutions LTDA does not have an active offering directed at the European market, nor does it process a volume of EU data subjects' data sufficient to trigger the mandatory nature of Art. 27 of the GDPR. Should an active offering to the EU be initiated, a representative will be appointed and indicated in this Section with a minimum advance notice of 30 days.

Users residing in the EU or the European Economic Area who wish to exercise GDPR rights should contact us directly by email at dpo@usekoda.app, indicating their jurisdiction in the email subject.

3. Data We Collect

This section describes, with technical precision, all the data that koda collects from the User — both data provided directly and data automatically derived from use of the application.

3.1. Data Provided Directly by the User

Category	Data	Purpose	Legal Basis (LGPD)
Mandatory registration	Name and email address	Account creation and management, authentication and transactional communications	Art. 7, V — performance of contract
Optional profile	Phone number (with country code), country of residence, photography genres served (e.g., wedding, portrait, landscape)	Experience personalization, specialized support and aggregated product research	Art. 7, I — consent (optional provision)
Avatar	Optional profile image (up to 2 MB)	Interface personalization	Art. 7, I — consent
Preferences	Interface language, preferred GPU device, default profile, culling settings, mask settings, workflow type (Lightroom or folder)	Service personalization	Art. 7, V — performance of contract
Onboarding progress	Records of completion of initial tutorial steps (boolean per step)	Contextual guidance within the application	Art. 7, V — performance of contract
Referral code	Tolt affiliate code captured from the signup URL, when present	Commission attribution to the referral program	Art. 7, I — consent + Art. 7, V — performance of contract
Terms acceptance	Date and time of acceptance of the Terms of Service and this Policy	Evidence of manifestation of will	Art. 7, V — performance of contract
Payment	Stripe customer reference (`stripe_customer_id`) and subscription identifier (`subscription_id`). We never store card numbers, CVV, cardholder name or billing address — these data remain exclusively at Stripe	Payment processing	Art. 7, V — performance of contract
Support	Messages and screenshots voluntarily sent to our support	User assistance	Art. 7, V — performance of contract

3.2. Data Derived from User Content

These data are extracted locally on the User's device from their Lightroom catalogs and photographs. The vast majority never leaves the device, except in the specific cases indicated below.

3.2.1. Data extracted locally (never leaves the device)

Category	Technical description	Purpose
Editing parameters	Up to 129 numeric photographic adjustment values (exposure, contrast, clarity, HSL, color temperature, sharpening, curves, etc.) extracted from the `.lrcat` catalog	Training the individual AI Model and local inference
Tonal curve	40 interpolated numeric luminosity curve values	Same
Technical EXIF metadata	Camera model, lens model, ISO, shutter speed, aperture, focal length, orientation	Temporal grouping, session regime detection, grouping
Quality metrics	Sharpness (Laplacian variance), exposure, composition, facial presence/quality — all numeric values	Intelligent selection (culling)
Perceptual hash (pHash)	64-bit hash per image, for duplicate detection	Grouping of similar images

3.2.2. Data that may leave the device during cloud training

When the User opts for cloud training (available in all plans subject to the monthly quota), koda locally extracts and sends the following data to temporary servers:

Category	Technical description	Notice
224×224 JPEG thumbnail	Low-resolution image, approximately 224 pixels on the longest dimension, JPEG quality 85, approximate size of 50 KB per photograph	⚠️ Constitutes a visually recognizable representation of the scene — may contain people, objects and locations identifiable by visual inspection. The User declares to have authorization from depicted individuals when required by applicable law
Training CSV	285-column file per row: 129 parameters + 40 tonal curve values + 29 local mask parameters + 120 derived numeric features + basic metadata + file name	Contains only numbers and file names; does not contain pixels
DINOv2 vector	768-dimensional numeric vector (DINOv2-B/14 extractor embedding) per photograph	Abstract mathematical representation; does not allow visual reconstruction of the original photograph

These data are compressed into a ZIP file (typically 20 to 60 MB) and sent over encrypted HTTPS (TLS 1.3) to Supabase Storage (temporary storage) and then to the GPU processing service at RunPod, Inc. Upon completion of training, all temporary data is deleted from the servers.

3.2.3. Data that may leave the device during cloud inference (Pro and Studio plans)

When the User uses editing processing on remote GPU servers (feature available only in Pro and Studio plans), koda sends the following data per photo batch:

Category	Technical description
Preprocessed Image Tensor	224×224 pixel numeric tensor in float16 (approximately 150 KB per photograph), representing the photograph preprocessed and normalized by the DINOv2 extractor. It is not a standard visual image, but contains enough information to approximate the scene if reconverted
Condition Vector (120-dim)	Color histogram + technical EXIF metadata + semantic features derived locally, concatenated into a 120-dimensional float32 vector
Regime Embedding (32-dim)	32-dimensional float32 vector that characterizes the general style of the photographic session
Signed Model URL	Temporary link for the inference server to download the User's encrypted AI Model
224×224 JPEG thumbnail (only when cloud masks are active)	Low-resolution image, same format as item 3.2.2, transmitted exclusively when the User activates the cloud masks feature

None of this data is persisted by the inference server after the response is returned to the koda client. The inference servers operate in "serverless" mode and scale to zero when not in use.

3.2.4. Data that NEVER leaves the device

koda never transmits to any server:

Original RAW files (.cr2, .arw, .nef, .dng, etc.);
JPEG, HEIC, TIFF or other files in original resolution;
Lightroom catalog files (.lrcat, .lrdata);
Complete XMP sidecar files;
Biometric vectors (ArcFace, facial landmarks) — except the exception in Section 3.3;
GPS coordinates or other geolocation metadata present in EXIF.

3.3. Biometric Data

Category	Technical data	Purpose	Legal Basis
Face detection	Bounding boxes and 5 landmarks per face	Culling, face masks, composition	LGPD Art. 11, I — specific consent / GDPR Art. 9(2)(a) — explicit consent
ArcFace embeddings	512-dimensional numeric vectors per face	Grouping of recurring faces (VIP Faces)	Same
Expression classification (HSEmotion)	Continuous happiness score (0-1) and expression class	Intelligent selection (culling)	Same

General rule: all biometric processing described above occurs exclusively on the User's local device, in volatile memory, without disk persistence and without transmission to servers.

Exception — Cloud Masks (Pro and Studio): when the User, by explicit choice, activates the cloud masks feature, 224×224 JPEG thumbnails of the photographs are transmitted to the GPU processing server for segmentation. These thumbnails may contain recognizable faces. The other biometric vectors (ArcFace, landmarks, expression) continue to be processed only locally even when cloud masks is active.

IMPORTANT:

We do not perform individual identification — biometric processing is used for technical photographic editing and selection purposes;
We do not maintain a database of faces, identities or faces;
The biometric vectors generated are discarded at the end of each processing session;
The User is responsible for obtaining consent from depicted individuals when required by applicable law. See Section 14 for details.

The User may, at any time, disable in the application Settings the features that use biometric processing (VIP Faces, Face Skin, expression classification, facial composition), without losing access to the other features of the contracted plan.

3.4. Data Collected Automatically

Category	Data	Purpose	Legal Basis
Device identifier	SHA-256 hash (irreversible) derived from hardware identifiers, device name reported by the operating system (e.g., "MacBook Pro"), platform (macOS or Windows), application version, last access	Per-plan authorized device limit, compatibility, diagnostics	Art. 7, V — performance of contract
Device hardware	Number of CPU cores, available RAM, GPU model and memory	Automatic performance optimization — used only locally, never transmitted to our servers	Art. 7, IX — legitimate interest
Access logs	IP address, date and time of access, authentication type (email/password or OAuth)	Security and compliance with Marco Civil da Internet Art. 15	Art. 7, II — legal obligation
Service usage	Actions performed (editing, culling, training), number of photographs processed, operation duration, billing period	Quota control, billing, service improvement	Art. 7, V — performance of contract and Art. 7, IX — legitimate interest
Audit logs (`audit_log`)	Key account events: login, signup, culling/editing completion, plan changes, deletion requests. Each record contains the user identifier (UUID), action type, event metadata (JSONB) and timestamp	Security, fraud prevention, handling of data subject requests	Art. 7, IX — legitimate interest and Art. 7, II — legal obligation
Product analytics (PostHog)	Usage events (e.g., `login_completed`, `project_created`, `culling_completed`, `editing_completed`), pseudonymous identifier (UUID)	Product improvement — only after explicit consent (opt-in)	Art. 7, I — consent
Crash reports (Sentry)	Stack traces, application version, operating system, generic hardware — with `sendDefaultPii: false`: no personal information (email, name, IP) is sent	Bug fixing and product stability	Art. 7, IX — legitimate interest

Note on analytics: Event tracking via PostHog is disabled by default. The User may explicitly enable it during onboarding or in Settings → Privacy, and may disable it at any time through the same path. No events are sent to PostHog before explicit consent.

3.5. Data We Do NOT Collect

For full transparency, koda does NOT collect:

Original photographs in full resolution;
Geographic location or GPS coordinates — even when present in the EXIF metadata of the original file, koda does not extract, transmit or store this information. GPS remains exclusively in the original file on the User's device;
Contacts, calendars, browsing history or data from other applications;
Cross-site tracking cookies (koda is a desktop application — see Section 12);
User's social network data;
Content of the User's personal communications;
Biometric information persisted in a database.

4. How We Use Your Data

4.1. Specific Purposes

Purpose	Data Used	Legal Basis (LGPD)	Legal Basis (GDPR)
Service provision (editing, culling, masks, auto-straighten)	Extracted parameters, thumbnails, metrics, features	Art. 7, V — performance of contract	Art. 6(1)(b)
Training of individual AI Model	Parameters, thumbnails, training CSV	Art. 7, V — performance of contract	Art. 6(1)(b)
Biometric processing	Landmarks, ArcFace embeddings, expression classification	Art. 11, I — specific consent	Art. 9(2)(a) — explicit consent
Access control and licensing	Device identifier, plan, usage history	Art. 7, V — performance of contract	Art. 6(1)(b)
Payment processing	Stripe references, plan, period	Art. 7, V — performance of contract	Art. 6(1)(b)
Quota control and billing	Usage statistics (actions, photos processed)	Art. 7, V — performance of contract	Art. 6(1)(b)
Performance optimization	Hardware data (only locally)	Art. 7, IX — legitimate interest	Art. 6(1)(f)
Security and fraud prevention	IP, access logs, device fingerprint, audit log	Art. 7, IX — legitimate interest	Art. 6(1)(f)
Legal compliance	Access logs, tax data	Art. 7, II — legal obligation	Art. 6(1)(c)
Product improvement	Usage analytics (opt-in), crash reports	Art. 7, I — consent (analytics) and Art. 7, IX — legitimate interest (crashes)	Art. 6(1)(a) and Art. 6(1)(f)
Transactional communications	Registered email	Art. 7, V — performance of contract	Art. 6(1)(b)
Marketing communications	Registered email	Art. 7, I — consent	Art. 6(1)(a)
Commission attribution in the referral program	Tolt code, Stripe reference	Art. 7, I — consent + Art. 7, V — performance of contract	Art. 6(1)(b)

4.2. What We Do NOT Do with Your Data

koda categorically states that:

We do NOT train general AI models with User data. Each Model is individual, exclusive and isolated — User A's model is never fed with User B's data;
We do NOT sell, rent or commercialize personal data;
We do NOT perform profiling for advertising purposes or any purpose external to koda's own service;
We do NOT use exclusively automated decisions that produce legal effects — the User always has final control over edits and selections;
We do NOT transfer original photographs to any external server — only the technical representations described in Sections 3.2.2 and 3.2.3, and only when the User opts for cloud processing.

5. Automated Decisions

5.1. koda uses artificial intelligence to:

(a) Predict photographic editing parameters (up to 129 values per image);
(b) Classify photographs by technical and aesthetic quality (culling);
(c) Group photographs by visual and facial similarity (VIP Faces).

5.2. These decisions are suggestions to the User. The User retains full control to accept, modify or reject any result produced by the artificial intelligence. No automated decision by koda produces legal effects on the User or on third parties.

5.3. Under Art. 20 of the LGPD and Art. 22 of the GDPR, the User has the right to:

(a) Request clear information about the logic used in automated processes and the relevant criteria;
(b) Request human review of automated decisions affecting their interests;
(c) Contest results deemed inappropriate.

5.4. To exercise these rights, the User may contact us by email at dpo@usekoda.app, with identification of the project and the photographs involved. koda will respond within 15 days (LGPD) or 30 days (GDPR), extendable by 60 days in complex cases.

6. Data Sharing

6.1. Service Providers (Processors)

koda shares personal data with the service providers listed below, exclusively for service provision and within the technical limits necessary. All listed providers have been selected considering contractual commitments for security and privacy compatible with the LGPD and GDPR.

#	Provider	Purpose	Data shared	Location
1	Supabase, Inc.	Database, authentication, file storage, Edge Functions	Email, name, phone, country, genres, avatar, plan, device identifier, profiles, AI Models, temporary training data, projects, culling decisions, settings, usage statistics, audit log	USA — AWS, us-west-2 region (Oregon)
2	Stripe, Inc.	Payment processing (Checkout, Customer Portal, Webhooks)	Email, plan, subscription identifiers, card and billing data (remain exclusively at Stripe)	USA (global data)
3	RunPod, Inc.	Cloud GPU processing (training and inference)	For training: 285-column CSV + 224×224 JPEG thumbnails. For inference: 224×224 float16 tensors + condition vectors + regime vectors + (optional) JPEG thumbnails for masks. Nothing persists on the server after operation completion.	USA — multiple regions (SJC and others)
4	PostHog, Inc.	Product usage analytics (only after explicit consent)	Usage events, pseudonymous identifier (user UUID), timestamps	USA (`us.i.posthog.com`)
5	Functional Software, Inc. (Sentry)	Error and crash monitoring	Stack traces, application version, operating system, generic hardware — without PII (`sendDefaultPii: false`)	USA
6	Resend, Inc.	Transactional emails (signup, password reset, magic link, email change)	Name, email address, content of the transactional email	USA
7	Cloudflare, Inc.	CDN, DNS, anti-bot layer and Workers for the institutional website `usekoda.app`	IP address, HTTP headers, DNS queries, essential cache cookies	USA + global network
8	Tolt, Inc.	Referral (affiliate) program with two-way Stripe synchronization	Stripe customer identifier, subscription identifier, plan, amount, currency, affiliate code — does not receive the User's email directly	USA
9	Apple Inc.	Notarization of macOS builds (mandatory distribution layer)	Binary hashes, Apple Developer account metadata — does not receive end user data	USA
10	GitHub, Inc. (Microsoft)	Repository, continuous integration, automatic application update endpoint	Build artifacts, CI logs, release metadata. End users only interact with the automatic update endpoint (periodic check for new version availability)	USA
11	BetterStack	Public status page at `status.usekoda.app`	Only health checks of koda services — does not receive user data	USA

6.2. Contractual Guarantees

All the service providers listed above are contracted subject to:

Data Processing Agreements (DPAs) or equivalent terms containing standard contractual clauses;
Obligations of confidentiality and adequate security;
Limitation of data use exclusively to the contracted purpose;
Obligation to delete or return data upon contract termination.

Copies of the DPAs and SCCs (Standard Contractual Clauses) applicable to each provider may be obtained by request to the DPO at dpo@usekoda.app.

6.3. Other Sharing

We may share personal data in specific and limited situations:

(a) To comply with legal, regulatory or judicial obligations issued by competent authority;
(b) To protect rights, property or safety of koda, its Users or third parties, in case of serious and imminent risk;
(c) In the context of a merger, acquisition, corporate reorganization or sale of assets, subject to prior notice to the User with a minimum of 30 days' advance notice;
(d) With explicit and specific consent from the User for purposes not covered by this Policy.

6.4. We Never Share

koda NEVER shares:

Original photographs of the User, because we do not possess them;
Individual AI Models with other Users or third parties;
Biometric vectors;
Personal data with advertisers or for behavioral advertising purposes.

7. International Data Transfers

7.1. Users' personal data may be transferred and processed on servers located outside Brazil, predominantly in the United States, via the service providers listed in Section 6.

7.2. For Users in Brazil, international transfer is carried out on the basis of Art. 33, II and VIII of the LGPD, through:

Standard contractual clauses compliant with CD/ANPD Resolution No. 19/2024;
Contractual commitments to equivalent protection by the providers;
Informed consent of the User through this Policy.

7.3. For Users in the EU/EEA, transfer is carried out on the basis of Art. 46 of the GDPR, through:

Standard Contractual Clauses (SCCs) approved by the European Commission;
Transfer Impact Assessment documented for each provider;
Supplementary security measures, such as encryption in transit (TLS 1.3) and encryption at rest, where applicable.

7.4. For Users in California, service providers are contracted as "Service Providers" under the CCPA/CPRA.

7.5. The User may obtain a copy of the applicable standard contractual clauses by contacting us at dpo@usekoda.app.

8. Data Security

8.1. Technical Measures

Encryption in transit: TLS 1.3 on all communications between the application and koda's infrastructure and that of its service providers;
Encryption at rest of AI Models: AES-256 algorithm with HKDF-SHA256 key derivation from the User's and device's identifiers. Proprietary .koda format. As a consequence of this architecture, neither koda nor any of its service providers can read the User's AI Model without the key derived from the User and their device;
Credential storage on the client: the User's session tokens (JWT) are stored in the secure sandbox of the Tauri WebView, with a strict Content Security Policy (CSP) and without exposure to third parties;
Irreversible device identification: cryptographic SHA-256 hash instead of direct hardware identifiers;
Logical data isolation between Users: Row Level Security (RLS) enabled on all database tables — each User accesses only their own data;
Log sanitization: tokens, credentials and secrets are masked before any log entry;
Automatic deletion: cloud training data is deleted from intermediate servers after training completion.

8.2. Organizational Measures

Restricted access to data under the principle of least privilege;
Periodic review of access permissions;
Service providers contracted under DPAs and security obligations;
Source code maintained in a private repository with access control;
Cryptographic signing of the distributed application (code signing + notarization).

8.3. Security Incident Notification

No system is 100% secure. In case of a security incident that may entail relevant risk to personal data subjects, koda will:

Notify the Brazilian National Data Protection Authority (ANPD) within 3 (three) business days of becoming aware of the incident, pursuant to CD/ANPD Resolution No. 15/2024;
Notify the competent supervisory authority in the EU within 72 (seventy-two) hours, pursuant to Art. 33 of the GDPR, where applicable;
Notify the affected Users without undue delay, with a description of the incident, affected data, probable risks and mitigating measures adopted.

9. Data Retention

9.1. Retention Periods

Personal data is retained for the shortest period necessary to fulfill the purposes described in this Policy, subject to legal obligations:

Data Category	Retention Period	Justification
Active account data (email, name, phone, country, genres)	While the account is active or in the reactivation window	Performance of contract
Trained AI Model (Personalized Profile)	Active account + 12 months (paid plans) or 90 days (Trial) after cancellation	Possibility of reactivation
Temporary training data (CSV + thumbnails)	Automatically deleted after training completion	Intermediate processing data
Usage and billing data	Active account + 5 years after the last invoice	Tax and accounting obligations
Access logs (IP, date/time)	6 months	Art. 15 of the Brazilian Marco Civil da Internet
Payment references (Stripe)	According to Stripe's own policy	Payment processor obligation
Biometric data	Volatile memory only — discarded at the end of each processing session	No persistent storage
Hardware data (CPU, RAM, GPU)	Not stored on servers — local use only	Local processing
Audit log (account events)	Pseudonymous identifier retained for 6 months; details anonymized after account anonymization	Security and Marco Civil compliance
Support communications	2 years	Service quality

9.2. Voluntary Deletion (LGPD Art. 18, VI Right)

The User may request voluntary deletion of the account at any time, through the application Settings (Settings → Account → Delete Account) or by email at dpo@usekoda.app. Voluntary deletion triggers:

(a) Marking the account for deletion in the database;
(b) 30 (thirty) day grace period during which the User may cancel the request and fully recover the account;
(c) At the end of 30 days, irreversible anonymization of the account and deletion of AI Models, profiles, projects, culling decisions, settings, usage statistics and stored files.

9.3. Anonymization After Subscription Cancellation

When a User cancels the subscription (or when Stripe marks the subscription as definitively cancelled due to payment failure), the record is marked for anonymization with a 12-month retention window (accounting + reactivation possibility). After 12 months, an automated daily process anonymizes the account as described in item 9.2.

9.4. Mandatory Legal Retention

Even after voluntary deletion or anonymization, certain data may be retained for the time strictly necessary to comply with legal obligations:

Accounting and tax records — 5 years (Art. 37 of Law 9.532/1997 and Art. 195 of the Brazilian Tax Code);
Access logs — 6 months (Art. 15 of the Marco Civil);
Security incident documentation — for the period of the applicable legal obligation.

10. Data Subject Rights

10.1. Rights under LGPD (Users in Brazil)

Under Art. 18 of the LGPD, the User has the right to:

Confirmation of the existence of processing of personal data;
Access to personal data we hold;
Correction of incomplete, inaccurate or outdated data;
Anonymization, blocking or deletion of unnecessary, excessive or data processed in disagreement with the LGPD;
Portability of data to another service provider, in structured format (JSON or CSV);
Deletion of data processed on the basis of consent;
Information about public and private entities with whom koda shares your data;
Information about the possibility of not providing consent and the consequences of refusal;
Withdrawal of consent, at any time, free of charge and easily;
Objection to processing carried out in disagreement with the LGPD;
Review of automated decisions (Art. 20), including information on the criteria and procedures used.

10.2. Rights under GDPR (Users in the EU/EEA)

Under the GDPR, the User has the right to:

Access (Art. 15) — obtain a copy of the personal data and information about the processing;
Rectification (Art. 16) — correct inaccurate data;
Erasure (Art. 17) — request deletion of the data ("right to be forgotten");
Restriction (Art. 18) — limit processing in certain circumstances;
Portability (Art. 20) — receive data in structured and interoperable format;
Objection (Art. 21) — object to processing based on legitimate interest;
Not to be subject to automated decisions (Art. 22) — including profiling;
Withdrawal of consent (Art. 7(3)) — at any time, without affecting the lawfulness of prior processing;
Complaint to the supervisory authority of the country of residence.

10.3. Rights under CCPA/CPRA (California Residents)

Under the CCPA/CPRA, the User has the right to:

Know what personal data we collect, use and share;
Delete personal data we collect;
Opt-out of the sale of personal data — koda does not sell personal data;
Non-discrimination for exercising rights;
Correction of inaccurate personal data.

CCPA categories processed by koda: identifiers (email, name, UUID), commercial information (plan, payments), electronic information (IP, device), biometric data (processed locally — see Section 3.3) and inferences derived from processing (predicted editing parameters). We do not collect sensitive categories beyond those described.

10.4. How to Exercise Your Rights

The User may exercise any of the rights above through:

Email: dpo@usekoda.app (preferred channel)
In-app form: Settings → Privacy → My Data
JSON data export: Settings → Account → Export My Data (immediate download)
Postal mail: Rua Agapito Veloso, 79 — Estreito, Florianópolis/SC — ZIP 88054-050 — Brazil

Response deadlines:

LGPD: immediate confirmation in simplified format or complete statement within 15 days;
GDPR: 30 days, extendable by an additional 60 days in complex cases, with notice to the User;
CCPA: 45 days, extendable by an additional 45 days in complex cases.

Identity verification: for security, we will confirm the User's identity before processing requests involving access or deletion of data, and may request reasonable additional information for verification.

10.5. Right to Lodge a Complaint

If the User believes that the processing of their data violates applicable law, they may file a complaint with:

ANPD (Brazil): https://www.gov.br/anpd
Supervisory authority of the country of residence (EU/EEA)
Attorney General of the State of California (CCPA)

koda encourages the User to first contact the DPO for amicable resolution.

11. Cloud Processing — Details

This section presents, in a visual and technical manner, the data flow between the User's device and koda's and its providers' cloud infrastructure.

11.1. Cloud Training

User's device                              koda (Supabase + RunPod)
┌─────────────────────────┐                ┌──────────────────────┐
│ Lightroom catalog        │                │ Supabase Storage      │
│ (remains local)          │                │ (temporary            │
│                          │                │  storage)             │
│ Local extraction:        │   Upload       │                       │
│ • 224×224 JPG thumbnails │ ──────────►   │ training_data.zip     │
│   (~50 KB/image)         │   TLS 1.3      │ (~20-60 MB)           │
│ • 285-column CSV         │                │                       │
│ • DINOv2 vectors (768-d) │                └──────────┬────────────┘
│                          │                           │
│ Original RAW files:      │                           │ Download
│ NOT TRANSMITTED          │                           ▼
│                          │                ┌──────────────────────┐
│                          │                │ RunPod GPU            │
│                          │                │ (temporary            │
│                          │   Download     │  processing)          │
│ Trained .koda model      │ ◄───────────  │                       │
│ (~25 MB encrypted)       │   TLS 1.3      │ Trains model          │
│                          │                │ (~8-30 minutes)       │
└─────────────────────────┘                └──────────┬────────────┘
                                                       │
                                                       │ After completion:
                                                       │ • ZIP deleted
                                                       │ • GPU released
                                                       │ • Data in memory
                                                       │   discarded

Notice about the 224×224 thumbnails: they are visually recognizable low-resolution images. By opting for cloud training, the User declares to have the authorization of depicted individuals in the photographs, when required by applicable law.

11.2. Cloud Inference (Pro and Studio)

User's device                              RunPod GPU
┌─────────────────────────┐                ┌──────────────────────┐
│                          │   Send         │                       │
│ 224×224 tensors (f16)    │ ──────────►   │ Loads User's Model    │
│ (~150 KB/image)          │   TLS 1.3      │ via signed URL        │
│                          │                │                       │
│ Condition vectors        │                │                       │
│ (120-d, ~0.5 KB)         │                │ GPU inference         │
│                          │                │ (~0.5 s/batch of 50)  │
│ Regime vector            │                │                       │
│ (32-d, ~0.1 KB)          │                │                       │
│                          │                │                       │
│ (Optional cloud masks)   │                │                       │
│ 224×224 JPEG thumbnails  │                │                       │
│                          │   Return       │                       │
│ Applies parameters       │ ◄───────────  │ 129 parameters +      │
│ locally to the catalog   │   TLS 1.3      │ mask decisions        │
│                          │                │                       │
│ Does NOT send original   │                │ Data in memory        │
│ files                    │                │ discarded after       │
│                          │                │ the response          │
└─────────────────────────┘                └──────────────────────┘

11.3. Cloud Masks (optional, Pro and Studio)

When the User activates the cloud masks feature:

224×224 JPEG thumbnails are transmitted together with the inference payload;
The thumbnails may contain recognizable faces;
Processing is ephemeral — the thumbnails are discarded after mask generation;
The User may disable the cloud masks feature at any time in the application Settings, returning to 100% local processing.

11.4. No Persistence

No data is persisted on processing servers (RunPod) after operation completion. Serverless workers operate in ephemeral mode — data in memory is discarded at the end of the job, and servers scale to zero when not in use. Temporary data deposited in Supabase Storage during training is automatically deleted upon completion.

12. Cookies and Tracking Technologies

12.1. koda is a desktop application and does not use cookies in the traditional sense (web browser cookies).

12.2. The application stores locally on the User's device:

Authentication session token: in the secure Tauri WebView sandbox, with strict CSP;
Thumbnail cache: in ~/.cache/koda/ (or equivalent on Windows), only for interface performance;
Application settings: language, GPU, default profile and layout preferences.

12.3. Institutional website usekoda.app:

We use only strictly necessary cookies for site functionality and checkout;
Analytical or marketing cookies, if used in the future, will be preceded by explicit consent from the visitor through a cookie banner in accordance with LGPD and GDPR guidelines;
The site is served by Cloudflare, Inc. infrastructure (listed as a sub-processor in Section 6), which may log IP address, HTTP headers and DNS queries for security and performance purposes.

13. Children and Minors

13.1. koda is not directed at minors under 18 years of age. We do not intentionally collect personal data of minors.

13.2. Should we become aware that personal data of minors has been inadvertently collected, we will proceed with immediate deletion.

13.3. If you are a parent or legal guardian and believe that a minor has provided personal data to koda, please contact us immediately at dpo@usekoda.app.

14. Third-Party Data in Photographs

14.1. Photographs processed by the User may contain images of third parties — models, clients, event guests, pedestrians in street photos, among others.

14.2. Roles of the parties:

The User is the controller of personal data of third parties contained in their photographs, including any derived biometric data;
Koda Tech Solutions LTDA acts as the processor of such data, exclusively within the technical limits of the service and under the User's instructions.

14.3. User responsibilities:

(a) Obtain the necessary consent from photographed individuals, when required by applicable law (including data protection laws, image rights laws and specific biometric laws such as BIPA, CUBI and others);
(b) Inform individuals about the use of automated editing and selection tools, where applicable;
(c) Respond to data subject rights requests (access, correction, deletion, objection) relating to those photographs;
(d) Ensure the appropriate legal basis for biometric processing of depicted individuals, in cases where face clustering, face masks or expression classification features are used.

14.4. koda's posture:

We do not identify individuals in the photographs — facial processing is technical (editing, selection, composition), not identification;
We do not maintain a face, identity or face database between sessions;
We do not share biometric data of third parties;
We do not perform cross-referencing with external sources of biometric data.

15. Changes to this Policy

15.1. This Policy may be updated periodically. Material changes will be communicated through:

(a) Email to the registered address, with a minimum of 30 (thirty) days advance notice before entry into force;
(b) Prominent notice in the application;
(c) Publication of the updated version at https://usekoda.app/privacy with a change history (Section 20 of this Policy).

15.2. Continued use of koda after the notification period constitutes tacit acceptance of the updated Policy. A User who disagrees with the changes may terminate the account through the application Settings before the new version enters into force.

15.3. Previous versions of this Policy will be kept accessible for consultation in a public archive.

16. Legal Bases — Summary by Jurisdiction

16.1. Brazil (LGPD — Art. 7)

Legal Basis	Application
Performance of contract (Art. 7, V)	Service provision, payment, account, support, cloud training and inference, profile synchronization
Consent (Art. 7, I)	Phone, country and photography genres (optional provision); marketing; product analytics; avatar
Specific consent (Art. 11, I)	Biometric processing — face detection, ArcFace, expression classification, facial segmentation
Legal obligation (Art. 7, II)	Access logs (Marco Civil), tax and accounting data
Legitimate interest (Art. 7, IX)	Security, fraud prevention, crash reporting, service improvement, audit log

16.2. European Union (GDPR — Art. 6 and Art. 9)

Legal Basis	Application
Performance of contract (Art. 6(1)(b))	Service provision, payment, account, cloud processing
Consent (Art. 6(1)(a))	Phone, country, optional genres; marketing; product analytics
Explicit consent (Art. 9(2)(a))	Biometric processing
Legal obligation (Art. 6(1)(c))	Tax records, cooperation with authorities
Legitimate interest (Art. 6(1)(f))	Security, fraud prevention, crash reporting, audit log

16.3. California (CCPA/CPRA)

koda operates as a "Business" under the CCPA/CPRA. koda does not sell personal data and does not share data for cross-context behavioral advertising.

17. Jurisdiction-Specific Information

17.1. Brazil

Competent authority: Brazilian National Data Protection Authority (ANPD) — https://www.gov.br/anpd
Main legislation: LGPD (Law 13.709/2018), Marco Civil (Law 12.965/2014), CDC (Law 8.078/1990), Civil Code (Law 10.406/2002)
Official language: Brazilian Portuguese
DPO: dpo@usekoda.app

17.2. European Union and European Economic Area

Competent authorities: national supervisory authorities of the User's country of residence
Main legislation: GDPR (Regulation (EU) 2016/679) and national implementing legislation
Representative (Art. 27 GDPR): not applicable at this time. See Section 2.3
Complaints: to the supervisory authority of the User's country of residence

17.3. United States — California

Main legislation: CCPA/CPRA (Cal. Civ. Code §§ 1798.100–1798.199)
"Do Not Sell or Share My Personal Information": koda does not sell or share personal data for cross-context behavioral advertising
Authorized Agent: the User may designate an authorized agent to exercise rights on their behalf, with a written power of attorney

17.4. United States — Illinois (BIPA) and Texas (CUBI)

koda processes biometric data as described in Section 3.3 — locally on the User's device by default, with the cloud masks exception described in the same item. Users residing in Illinois and Texas should additionally consider the written consent obligations regarding depicted third parties under the Illinois Biometric Information Privacy Act (BIPA) and the Texas Capture or Use of Biometric Identifier Act (CUBI), where applicable.

17.5. Other Jurisdictions

For Users in other jurisdictions, we will apply the higher level of protection between local legislation and the standards described in this Policy. If the User's country's legislation grants additional rights, these will be respected.

18. Contact

For any question related to this Privacy Policy or the processing of your personal data:

Data Protection Officer (DPO) — dedicated privacy channel: dpo@usekoda.app
General support (questions not related to privacy): support@usekoda.app
Postal mail: Rua Agapito Veloso, 79 — Estreito, Florianópolis/SC — ZIP 88054-050 — Brazil

We will respond to all requests within applicable legal deadlines.

19. Technical Glossary

To aid reading, the following are definitions of technical terms used in this Policy:

DINOv2: open-source pretrained neural network model developed by Meta AI, used by koda as a visual feature extractor for photographs.
DINOv2-B/14: specific DINOv2 architecture with 86 million parameters, used as the base for koda's personalized models.
ArcFace: neural network specialized in generating numeric vectors representative of human faces, used for grouping recurring individuals in photographs.
HSEmotion: facial expression classification neural network based on the EfficientNet architecture and ONNX format.
224×224 float16 tensor: numeric representation of a photograph preprocessed at 224 by 224 pixels resolution, encoded with 16 bits of precision per value. Approximate size of 150 KB per photograph.
224×224 JPEG thumbnail: low-resolution image extracted from the original file, with an approximate size of 50 KB in JPEG quality 85. Visually recognizable.
Condition Vector (120-d): 120-dimensional numeric vector containing color histogram, technical EXIF metadata and semantic features.
Regime Embedding (32-d): 32-dimensional numeric vector characterizing the general style of the photographic session.
LoRA (Low-Rank Adaptation): fine-tuning technique that adds few trained layers on top of a frozen base model.
Device Fingerprint: unique device identifier generated by irreversible SHA-256 cryptographic hash.
HKDF-SHA256: cryptographic key derivation function based on HMAC-SHA256.
AES-256: 256-bit symmetric encryption standard.
RLS (Row Level Security): access control at the row level of the database, ensuring that each User accesses only their own data.
JWT (JSON Web Token): cryptographically signed authentication token.
TLS 1.3: version 1.3 of the Transport Layer Security protocol, which encrypts communication between the application and servers.

20. Version History

Version	Date	Main changes
1.0	09/04/2026	Initial version.

This Privacy Policy is an integral part of the Terms of Service and both documents must be read together.

This English version is an informative translation. The authoritative version in case of conflict is the Brazilian Portuguese version available at /privacy.