Legal

Privacy Policy

Effective date: January 1, 2026 · Last updated: January 1, 2026

Koibolo (“we,” “our,” or “us”) is committed to protecting your personal information. This Privacy Policy explains what data we collect when you use our language-learning platform at koibolo.com, how we use it, and the choices you have.

Short version: We collect your email address and learning activity to run the service. We send only transactional emails (account verification and password resets). We do not sell your data. You can delete your account at any time.

1. Information We Collect

Information you provide directly

Email address — required to create an account.
Password — stored as a salted cryptographic hash; we never store or transmit your plaintext password.
Language preferences — the language(s) you are learning and your native language.
Lesson input — text you type or speak during lessons and review sessions. This input is processed by AI to generate personalized feedback.
Uploaded images — if you use the ad-hoc image lesson feature (paid tier), images you upload for OCR processing.

Information collected automatically

Usage data — pages visited, lesson completion events, session duration, and feature interactions.
Device and browser information — browser type, operating system, screen size, and approximate time zone, used to optimize the user experience.
IP address — collected for security and fraud prevention; not linked to your learning profile for analytics.
Log data — server logs including request timestamps, HTTP status codes, and error traces. Logs are retained for up to 90 days.

Information we do not collect

We do not collect your real name, phone number, or physical address.
We do not collect payment information directly — payments are processed by our third-party payment provider.
We do not use third-party advertising trackers or sell your data to advertisers.

2. How We Use Your Information

To operate the service — authenticate your account, personalize lessons, track vocabulary progress, and run the spaced-repetition review system.
To send transactional emails — account verification emails when you register, and password-reset emails when you request them. We do not send marketing or promotional emails.
To improve the platform — anonymized, aggregated usage patterns (e.g., which lesson types have the highest completion rates) help us improve Koibolo for everyone. Raw lesson text is never included in aggregate analytics without explicit consent.
For safety and security — detecting abuse, fraud, and violations of our Terms of Use.
To comply with law — when required by applicable law, regulation, or valid legal process.

3. Email Communications

Koibolo uses AWS Simple Email Service (Amazon SES) exclusively to deliver the following transactional messages:

Email address verification when you create an account.
Password-reset links when you request them via the “Forgot password” flow.

We do not send newsletters, promotional offers, or any unsolicited commercial email. Because all email from Koibolo is strictly transactional and requires your explicit action to trigger, there is no general marketing unsubscribe. If you no longer wish to receive any email from Koibolo, you may delete your account (see Section 7).

We maintain bounce and complaint rates below the thresholds set by AWS SES and actively monitor delivery health. Invalid or undeliverable email addresses are suppressed automatically.

4. Third-Party Services

We share data with the following processors only to the extent necessary to operate Koibolo:

Anthropic — AI language models that power lesson generation and feedback. Lesson prompts submitted to Anthropic are processed per Anthropic’s Privacy Policy. We scrub personally identifiable information from prompts before transmission.
Google (Gemini) — Optical Character Recognition (OCR) for the image-upload lesson feature (paid tier). Processed per Google’s Privacy Policy.
Amazon Web Services (AWS) — Email delivery via SES; audio asset storage via S3 + CloudFront. Processed per AWS’s Privacy Policy.
Neon (PostgreSQL) — Database hosting. Your account data and learning progress are stored in a Neon-managed PostgreSQL database.
Redis (Upstash or equivalent) — In-memory caching to speed up vocabulary lookups and session state. Data in Redis mirrors the database and is not stored permanently.
Render — Application hosting for our backend API and servers.

We do not sell, rent, or share your personal data with any third party for their own marketing purposes.

5. Cookies and Local Storage

Koibolo uses cookies and browser storage for authentication and session management:

Session cookie (httpOnly) — a secure, httpOnly cookie used to maintain your login session via our refresh-token mechanism. This cookie is essential for the service and cannot be opted out of while logged in.
Theme preference — stored in your browser’s localStorage to remember your light/dark mode choice.

We do not use advertising cookies or third-party analytics cookies (e.g., Google Analytics).

6. Data Retention

Account data (email, hashed password, preferences) is retained as long as your account is active.
Learning progress and vocabulary data are retained as long as your account is active, so your progress is never lost.
Server logs are retained for up to 90 days, then automatically deleted.
Telemetry events (anonymized usage stats) are retained for up to 12 months.
Upon account deletion, your personal data is deleted within 30 days, except where retention is required by law.

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you.
Correction — request correction of inaccurate data.
Deletion — delete your account and all associated personal data via your Profile page or by emailing us.
Portability — request your data in a machine-readable format.
Objection / Restriction — object to or restrict certain processing activities.

Residents of California (CCPA) and the European Economic Area / UK (GDPR) may exercise these rights by contacting us at the address in Section 10. We will respond within 30 days.

8. Children’s Privacy

Koibolo is not directed at children under 13 years of age (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

9. Security

We implement industry-standard security measures including TLS encryption in transit, bcrypt password hashing, httpOnly/Secure cookies, rate limiting, and regular security reviews. No method of transmission or storage is 100% secure; we encourage you to use a strong, unique password and to report any suspected security issues to us immediately.

10. Contact Us

For privacy-related questions, data requests, or to report a concern, please contact us at:

Koibolo
Email: privacy@koibolo.com
Mailing address: [Koibolo LLC, Address, City, State, ZIP, USA]

We will update this address once our registered business address is finalized.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where required by law, notify you by email. Your continued use of Koibolo after any change constitutes acceptance of the revised policy.