PRIVACY POLICY

Last updated: April 30, 2026

This Privacy Policy describes how KoaList ("we," "us," or "our") collects, uses, and shares your personal information when you use our website and application (collectively, the "Services"). By using the Services, you agree to the collection and use of information in accordance with this policy. If you have any questions or concerns, please contact us at support@koalist.app.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?
2. HOW DO WE PROCESS YOUR INFORMATION?
3. WHAT LEGAL BASES DO WE RELY ON?
4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
6. HOW DO WE HANDLE SOCIAL LOGINS?
7. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?
8. HOW LONG DO WE KEEP YOUR INFORMATION?
9. HOW DO WE KEEP YOUR INFORMATION SAFE?
10. DO WE COLLECT INFORMATION FROM MINORS?
11. WHAT ARE YOUR PRIVACY RIGHTS?
12. CONTROLS FOR DO-NOT-TRACK FEATURES
13. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
14. DO WE MAKE UPDATES TO THIS NOTICE?
15. HOW CAN YOU CONTACT US?
16. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us. We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, or otherwise contact us. The personal information we collect may include the following: names, email addresses, usernames, and passwords. We do not process sensitive personal information.

Social media login data. We may provide you with the option to register with us using your existing Google account. If you choose to register in this way, we will collect certain profile information about you from the social media provider, as described in the section called "HOW DO WE HANDLE SOCIAL LOGINS?" below.

Information automatically collected. We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes. Like many businesses, we also collect information through cookies and similar technologies.

2. HOW DO WE PROCESS YOUR INFORMATION?

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

• To facilitate account creation and authentication. We may process your information so you can create and log in to your account, as well as keep your account in working order.
• To deliver and facilitate the delivery of services to the user. We may process your information to provide you with the requested service, including managing your lists, items, and community ratings.
• To respond to user inquiries and offer support. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
• To send administrative information to you. We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.
• To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
• To identify usage trends. We may process information about how you use our Services to better understand how they are being used so we can improve them.
• To save or protect an individual's vital interest. We may process your information when necessary to save or protect an individual's vital interest, such as to prevent harm.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

If you are located in the EU or UK, the General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. We may rely on the following legal bases to process your personal information:

• Consent. We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time by contacting us at support@koalist.app.
• Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
• Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information to analyze how our Services are used so we can improve them, to diagnose problems, and for marketing purposes.
• Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
• Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

If you are located in Canada, we may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in certain situations where your permission can be inferred (i.e., implied consent). In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including when collection is clearly in the interests of an individual and consent cannot be obtained in a timely way, or for investigations and fraud detection and prevention.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

We may need to share your personal information in the following situations:

• Google. We use Google as a social authentication provider. When you choose to sign in with Google, certain profile information is shared between Google and our Services to facilitate your login. Google's use of your information is governed by their own privacy policy.
• Cloudflare. We use Cloudflare for website hosting, content delivery (CDN), and security services. Cloudflare may process certain technical information such as your IP address and request metadata as part of delivering and protecting our Services.
• Supabase. We use Supabase as our database and authentication infrastructure provider. Your account information and application data are stored and processed through Supabase's services.

Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. In such an event, we will make reasonable efforts to notify you before your personal information is transferred and becomes subject to a different privacy policy.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

Yes. We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. We use cookies primarily for security purposes and to maintain your authenticated session when you log in to our Services. These cookies are essential to the operation of the Services and cannot be disabled without affecting functionality.

We do not use cookies for advertising or third-party tracking purposes. The specific types of cookies we use are session cookies for authentication and security tokens that expire when you close your browser or after a set period of inactivity.

6. HOW DO WE HANDLE SOCIAL LOGINS?

Our Services offer you the ability to register and log in using your Google account. When you choose to do this, we will receive certain profile information about you from Google. The profile information we receive may vary depending on your Google account settings, but will typically include your name, email address, and profile picture.

We will use the information we receive only for the purposes that are described in this Privacy Policy or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by Google. We recommend that you review their privacy policy to understand how they collect, use, and share your personal information, and how you can set your privacy preferences on their sites and apps.

7. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

Our servers are located in the United States. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed by us in the United States and by those third parties with whom we may share your personal information (see "WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?" above).

If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this Privacy Policy and applicable law. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to provide adequate safeguards for the transfer of personal data from the EEA to the United States.

8. HOW LONG DO WE KEEP YOUR INFORMATION?

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). When you maintain an active account with us, we will retain your information for as long as your account remains active.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If you request deletion of your account, we will process your request and delete your data within a reasonable timeframe.

9. HOW DO WE KEEP YOUR INFORMATION SAFE?

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. These measures include encryption of data in transit using TLS/SSL, row-level security policies in our database ensuring users can only access their own data, secure password hashing, and regular security reviews of our infrastructure.

However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

10. DO WE COLLECT INFORMATION FROM MINORS?

We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 years of age or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at support@koalist.app.

11. WHAT ARE YOUR PRIVACY RIGHTS?

In the European Economic Area (EEA), United Kingdom (UK), and Switzerland, you have certain rights under applicable data protection laws. These may include the right to: (i) request access to and obtain a copy of your personal information, (ii) request rectification or erasure, (iii) restrict the processing of your personal information, (iv) data portability, and (v) object to the processing of your personal information. In certain circumstances, you also have the right to lodge a complaint with your local data protection supervisory authority. You can find their contact details here: https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

If you are a resident in Canada, you have the right to access your personal information, request correction of inaccurate data, and in some cases, request deletion. You may also withdraw your consent to our processing of your personal information at any time. Please note that this will not affect the lawfulness of the processing before its withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Account Information. If you would at any time like to review or change the information in your account or terminate your account, you can log in to your account settings and update your user account, or contact us at support@koalist.app. Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms, and/or comply with applicable legal requirements.

Cookies and similar technologies. Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services.

12. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Policy.

13. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

If you are a resident of certain US states, including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia, you may have additional rights regarding your personal information under applicable state privacy laws, including the California Consumer Privacy Act (CCPA).

Categories of personal information we have collected. The following table identifies the categories of personal information we have collected in the past twelve months and whether we have disclosed that information for a business purpose or sold/shared it:

• A. Identifiers (e.g., name, email address, account name) — Collected: YES
• B. California Customer Records categories (e.g., name, contact information) — Collected: YES
• C. Protected classification characteristics (e.g., age, race, gender) — Collected: NO
• D. Commercial information (e.g., transaction history, purchase records) — Collected: NO
• E. Biometric information (e.g., fingerprints, voiceprints) — Collected: NO
• F. Internet or other similar network activity (e.g., browsing history, search history) — Collected: NO
• G. Geolocation data (e.g., precise physical location) — Collected: NO
• H. Audio, electronic, visual, thermal, olfactory, or similar information — Collected: NO
• I. Professional or employment-related information — Collected: NO
• J. Education information — Collected: NO
• K. Inferences drawn from collected personal information — Collected: NO
• L. Sensitive personal information — Collected: NO

We do not sell or share personal information for cross-context behavioral advertising, and we have not done so in the preceding twelve months. We do not knowingly sell or share the personal information of consumers under 16 years of age.

Under applicable US state privacy laws, you may have the right to: (i) request to know what personal information we have collected about you, (ii) request deletion of your personal information, (iii) request correction of inaccurate personal information, and (iv) opt out of the sale or sharing of personal information, if applicable. To exercise any of these rights, please contact us at support@koalist.app. We will respond to your request within the timeframe required by applicable law.

14. DO WE MAKE UPDATES TO THIS NOTICE?

Yes, we will update this notice as necessary to stay compliant with relevant laws. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Policy. If we make material changes to this Privacy Policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Policy frequently to be informed of how we are protecting your information.

15. HOW CAN YOU CONTACT US?

If you have questions or comments about this notice, you may email us at support@koalist.app.

KoaList
United States

16. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. To request to review, update, or delete your personal information, please contact us at support@koalist.app.

This Privacy Policy was created using Termly's Privacy Policy Generator.