PRIVACY POLICY

This Privacy Policy explains how Machine Concord Ltd (“we,” “us,” “our”) processes information in connection with the Service.

This Privacy Policy is intended to be read together with the Terms of Service. Where the processing of personal data is concerned, this Privacy Policy describes our practices and the choices available to you.

1. Summary

• We design the Service to operate without collecting real-world identity details such as your real name, home address, phone number, or government ID.
• We process certain information that may be considered personal data (for example, device/network identifiers and the content of your interactions), in order to operate and secure the Service.
• We do not sell personal data.
• We do not transfer personal data to third parties for their own use.
• We may use your interactions with the Service to train, fine-tune, evaluate, and improve our models and systems, as described below.

2. Information we collect

2.1 Information you provide

• Interaction content: text, audio, video, images, prompts, and other content you submit through the Service, and any outputs returned to you.
• Support communications: if you contact us, we will receive the information you choose to provide (which may include an email address and message contents).

2.2 Information collected automatically when you use the Service

• Account/session identifiers: internal account ID (if any), session IDs, authentication tokens, and similar identifiers needed to provide the Service.
• Device and app information: device type/model, operating system, app version, language settings, time zone, and similar technical metadata.
• Network information: IP address and request metadata (such as timestamps and endpoints requested), and related security/rate-limiting logs.
• Diagnostics and performance: crash reports, error logs, and performance metrics needed to maintain reliability and investigate issues.

2.3 Cookies and Local Device Storage

We use cookies and similar technologies (such as local storage, SDK storage, and device identifiers) to operate and secure the Service. These technologies may be stored on your browser or device and accessed by the Service. They may be used to:

• keep you signed in and maintain your session;
• remember preferences and settings;
• enable core functionality and feature delivery;
• prevent fraud and abuse, enforce rate limits, and protect the integrity of the Service;
• measure reliability and performance (for example, to diagnose crashes and errors); and
• support subscription status and entitlement checks.

You can usually control cookies through your browser settings and can delete cookies and local storage at any time. If you disable or delete cookies or local storage, parts of the Service may not function properly.

2.4 Payments

Purchases and subscriptions may be processed by third-party platforms (such as app stores or payment processors) under their own terms and privacy policies. Those platforms may collect personal data such as payment instrument details and billing information directly from you as independent controllers.

We do not receive or store your payment instrument details (such as full card number) from those platforms. We may receive limited information necessary to provide the Service, such as:

• purchase/receipt identifiers or tokens,
• subscription status and renewal information,
• timestamps, and
• product identifiers (SKUs).

We use this information only to provide entitlements, prevent fraud, handle chargebacks, and maintain accounting records.

2.5 Advertising

Where advertising is employed, ads may be delivered by an advertising provider. We do not provide advertisers with personal data from the Service (including your interaction content, account information, or identifiers we create). Like any service accessed over the internet, the advertising provider may receive limited technical information as part of delivering content to your device (for example, IP address and user agent), which it processes under its own privacy policy. For premium accounts where no advertising is shown, no personal data is provided to advertisers.

3. Information we do not aim to collect

We do not require you to provide, and we do not intentionally collect:

• your real name,
• your home address,
• your phone number,
• government ID images,
• personally identifying biometric data, or
• contacts/address book information.

If you include personal information during interactions with the Service (such as in conversation with an AI), that content may be processed as part of your interactions.

If required by a third party payment processor, we may collect some of the above information as they require us to, strictly in relation to that payment method. In this case we aim to collect as little information as possible, and to use it only in relation to the payment method in question.

In some jurisdictions the local government (directly or as a condition of distribution by an app store locally) may require us to collect additional personal information in order to verify an account. In these cases we will also attempt to collect the minimum of information and to associate it strictly with the account verification requirement being imposed on us, and will not use it for other purposes.

4. How we use information

We process information to:

1. Provide and operate the Service (authentication, routing, feature delivery, entitlements).
2. Maintain safety and security (abuse detection, rate limiting, preventing unauthorized access, enforcing Terms, investigating incidents).
3. Maintain and improve reliability (debugging, crash diagnosis, performance monitoring).
4. Develop and improve the Service and AI models, including training and evaluation.
5. Communicate with you (support responses, operational notices).
6. Comply with legal obligations and respond to lawful requests.

5. Training and improvement using interactions

We may use your interactions with the Service (including User Content you submit through the Service and related metadata) to train, fine-tune, evaluate, and improve our models, safety systems, and Service features.

This may include:

• creating and using datasets derived from interactions,
• testing and evaluating outputs for quality, safety, and performance, and
• developing new features and systems.

We may apply technical and organisational measures intended to reduce risk (for example, access controls, minimisation, and separation of environments), but you should assume that interaction content may be used broadly for model and Service improvement, subject to applicable law.

We may process non-identifying signals derived from User Content (such as inferred mood, tone, or expression) to enhance interactions. We do not use these signals to uniquely identify you.

If you do not want your interaction content processed for these purposes, do not use the Service.

6. Sharing and disclosure

6.1 No transfers to third parties for their own use

We do not sell personal data and we do not transfer personal data to third parties for advertising, profiling, data brokerage, or other third-party commercial purposes.

6.2 Legal compulsion and protection

We may disclose information if we reasonably believe disclosure is required to comply with law, regulation, legal process, or a lawful request by public authorities, or to protect our rights, users, or the public (for example, to investigate abuse or security incidents).

6.3 Payments

Payment platforms (such as app stores and payment processors) may process information independently of us. We do not control how those platforms process personal data.

7. Data retention

We retain information for as long as reasonably necessary to:

• provide the Service,
• maintain security and prevent abuse,
• comply with legal obligations, and
• resolve disputes and enforce our agreements.

Retention periods may vary depending on the category of data and the purpose for which it is processed. We may retain certain security logs and accounting records for longer periods where required or advisable for compliance and security.

8. Your choices and rights

Depending on your jurisdiction, you may have rights to:

• request access to personal data we process about you,
• request deletion or correction,
• object to or restrict certain processing, and
• request information about our processing.

Because accounts may be pseudonymous, we may need you to verify control of your account/session in order to process a request. You can make requests by contacting us. We may refuse requests where permitted by law (for example, where fulfilling a request would undermine security or infringe others’ rights).

9. Security

We use reasonable technical and organisational measures designed to protect information against unauthorised access, loss, misuse, alteration, or destruction. No system is perfectly secure, and we cannot guarantee absolute security.

10. Age verification

The Service is not intended for users below the minimum age required by law where they live. If we learn that we have processed personal data from a minor in a way that requires action under applicable law, we may delete that data and restrict or terminate access.

With any age verification measures, our approach is to minimise data provision and retention by performing automated verification entirely on-device and generating a one-way cryptographic hash derived from an identification number (or similar value) associated with an ID, along with a one-time on-device liveness check, without storing the original identifying number.

In exceptional cases age or identity may need to be verified manually by support staff; in these cases we aim to retain such documents for as short a time as possible (i.e. for the duration of processing a support request).

11. International data processing

We operate from Bulgaria. Depending on how you access the Service, information may be processed in Bulgaria or other locations necessary to operate the Service, subject to this Privacy Policy and applicable law.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new “Last updated” date. If changes are material, we may provide additional notice through the Service.

13. Who is responsible for processing

Machine Concord Ltd
65 Shipchenski prohod Str - #218, Sofia, 1574, Republic of Bulgaria

14. Contact

If you have questions or requests regarding this Privacy Policy, please email support@koitomo.com.