Privacy

    Privacy Policy
    
    Last updated: June 15, 2026
    
    Important notice
    
    This Privacy Policy describes how we handle personal data in connection with the Services. Use of the Services is also governed by our Terms of Service at https://khudio.com/terms.
    
    1. Overview
    
    This Privacy Policy explains how personal data may be processed when you visit https://khudio.com, create an account, use our applications, or interact with related services (collectively, the "Services"). The Services are operated by an individual ("we", "us", "Operator"), not by a registered company or other legal entity, unless we state otherwise in writing.
    
    We seek to process personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) where it applies. The categories of data and processing activities below are indicative and may change as the Services develop.
    
    This policy describes processing for which the Operator acts as data controller. It does not apply to third-party websites, applications, or services that we do not operate, even if linked from the Services or accessed through your account.
    
    This policy is intended to meet applicable transparency requirements. It does not expand our obligations beyond what applicable law and our Terms of Service require, except where we expressly commit to more in writing.
    
    2. Data controller
    
    The data controller for the processing described in this policy is Dmitrii Khudiakov, operating khudio in a personal capacity.
    
    Friedrich-Ebert-Straße 114
    34119 Kassel
    Germany
    Email: service@khudio.com
    
    Further operator details: https://khudio.com/legal-notice
    
    3. What data we may collect
    
    Depending on how you use the Services, we may process some or all of the following:
    
    - Account data — email address, password (stored in hashed form), account status, and verification state;
    - Profile and settings — preferences you choose in the app (for example, theme or security settings), where available;
    - Authentication and security data — session and token metadata, login events, IP address, browser user agent, and related records used to secure accounts (including multi-factor authentication and sign-in via Google, if you use these features);
    - Communications — messages you send us and transactional emails we send (for example, verification, password reset, or account deletion confirmation);
    - Technical data — server logs, device or browser information, referring URLs, and similar diagnostic data;
    - Cookie and consent data — your cookie preference (necessary only vs. accept all), where the cookie banner is shown; interface preference cookies (such as theme), where used as described in section 6.
    
    We do not intentionally collect special categories of personal data (such as health data) unless you voluntarily provide such information and we have a valid lawful basis to process it.
    
    You are responsible for ensuring that information you submit is accurate and that you have the right to provide it.
    
    4. Why we use your data
    
    We may process personal data for purposes such as:
    
    - creating, administering, and supporting user accounts;
    - providing, operating, securing, and maintaining the Services;
    - authenticating users and detecting, preventing, or investigating abuse, fraud, or security incidents;
    - sending service-related communications that are necessary for the Services or that you request;
    - complying with legal obligations and responding to lawful requests;
    - improving the Services, but only where permitted by law and proportionate in the circumstances.
    
    5. Legal bases (GDPR)
    
    Where GDPR applies, we rely on one or more of the following legal bases, depending on the context:
    
    - Contract — where processing is necessary to provide the Services you request;
    - Legitimate interests — for example, security, fraud prevention, service reliability, and proportionate improvement of the Services, where our interests are not overridden by your rights;
    - Consent — for optional cookies or other processing where consent is required;
    - Legal obligation — where we must retain, disclose, or otherwise process data under applicable law.
    
    6. Cookies and similar technologies
    
    We use cookies and similar technologies for:
    
    - Strictly necessary purposes — including authentication (HttpOnly session cookies), security, and (where shown) storing your cookie consent choice. These are required for signed-in use of the Services.
    - Interface preferences — such as theme or sidebar state. These remember choices you make in the app (for example light/dark mode) so the Services work as you expect. They are not used for advertising, analytics, or cross-site tracking. Where applicable law allows, we use them based on our legitimate interest in providing a usable service and/or because they are proportionate to delivering the Services you use.
    - Optional cookies — our cookie banner lets you choose "Accept all" or "Only necessary". At present this mainly records your preference for optional cookies we may introduce later (such as analytics). It does not block strictly necessary cookies or basic interface preferences described above.
    
    We do not currently use analytics, advertising, or similar tracking cookies. If we introduce optional analytics in the future, we will load them only after you give consent through our cookie banner (for example by choosing "Accept all") and will update this policy before or when we do so.
    
    You can change your cookie choice at any time using the cookie banner or cookie settings on this site, where available. You can also manage cookies through your browser settings. Disabling certain cookies may limit functionality.
    
    7. Third-party services and processors
    
    We may use service providers (processors) to help operate the Services, such as hosting, infrastructure, email delivery, and authentication providers (for example, Google OAuth).
    
    These providers process data on our instructions and under contractual or legal safeguards where required. We are not responsible for the privacy practices, availability, or security of third parties that we do not control.
    
    If you sign in with Google, Google processes data under its own terms and privacy policy. We receive only the information needed to authenticate your account (such as email address and a profile identifier).
    
    If you follow links to external projects or websites, their own privacy policies apply.
    
    8. Retention
    
    We retain personal data only for as long as we reasonably consider necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law.
    
    In particular:
    
    - Account data — while your account is active. If you confirm account deletion, we soft-delete your account: access ends immediately, the account is no longer available for normal use, and active sessions are revoked. The underlying record and related copies may remain in our production systems, backups, logs, or archives for some time before they are deleted, anonymized, or overwritten, including for legal compliance, dispute handling, abuse prevention, and disaster recovery. We do not commit to a fixed deletion schedule for residual copies.
    - Security and access logs — for as long as we reasonably need them for security, troubleshooting, or legal purposes.
    - Cookie consent records — as needed to demonstrate consent and apply your choices, subject to applicable law.
    
    After soft deletion, we do not use account data for ordinary service operations except where retention is required or permitted by law.
    
    9. Security
    
    We implement technical and organizational measures that we consider reasonable in the circumstances for an individually operated service, such as HTTPS, password hashing, HttpOnly authentication cookies, and access controls. However, no system is completely secure. We do not guarantee that unauthorized access, loss, alteration, or disclosure will never occur.
    
    You are responsible for keeping your credentials confidential and for the security of devices and networks you use to access the Services.
    
    10. International transfers
    
    Data may be processed in the European Economic Area (EEA) and, depending on our providers and your use of third-party sign-in, in other countries. Where required by applicable law, we use appropriate safeguards for transfers outside the EEA, such as Standard Contractual Clauses or equivalent mechanisms offered by our providers.
    
    11. Your rights
    
    Depending on your location and applicable law, you may have rights regarding your personal data, which may include the right to request access, rectification, erasure, restriction, objection, or portability, and to withdraw consent where processing is based on consent.
    
    These rights are not absolute. For example:
    
    - we may refuse requests that are manifestly unfounded, excessive, or repetitive;
    - we may need to verify your identity before responding;
    - erasure requests may be limited where we must retain data by law or where residual copies remain in backups or logs for a period of time after soft deletion;
    - we will respond within a reasonable period, as required by applicable law.
    
    You may also have the right to lodge a complaint with a supervisory authority in your country of residence. In Germany, information is available from the federal and state data protection authorities (https://www.bfdi.bund.de).
    
    To exercise your rights, contact service@khudio.com.
    
    12. Children
    
    The Services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact us at service@khudio.com and we will take appropriate steps in accordance with applicable law.
    
    13. Changes
    
    We may update this Privacy Policy from time to time. The current version is the one published on this page with the "Last updated" date shown above. Changes take effect when posted, unless otherwise stated. Where permitted by law, continued use of the Services after an update may constitute acceptance of the revised policy.
    
    14. Contact
    
    Privacy questions and data protection requests: service@khudio.com
    
    Operator: Dmitrii Khudiakov
    Friedrich-Ebert-Straße 114
    34119 Kassel
    Germany