Privacy policy
Who we are
Koru is a personal CRM mobile app built and operated by an independent developer ("we", "us", "our"). The app and the small managed AI gateway behind it run from servers located in the EU. Reach us at bug@enot.dev for any privacy question.
What this policy covers
This policy explains what data Koru collects, what we do with it, and what we don't. It applies to the Android app and the optional managed AI gateway at api.koru.chronocatlabs.com.
What we collect
Account data (server-side)
When you create a Koru account to use AI features, we store on our server:
- Your email address — used as your sign-in identifier and as the only way for us to contact you.
- A bcrypt hash of your password — never the plaintext password. We can't see your password.
- Per-user AI usage counters (one number per calendar month) and per-request metadata — the AI task type ("brief", "draft", etc.), the model used, response time, success/failure flag. This is what lets us enforce free-tier quotas, surface bugs, and measure cost.
We do not log AI prompt content, AI responses, IP addresses, device identifiers, geolocation, or anything you didn't explicitly send.
App data (local only — never uploaded)
Koru is offline-first. Your contacts, interactions, reminders, family information, notes, photos, and groups live in a SQLite database on your phone. We never upload, sync, or read this data unless you explicitly trigger an AI feature (see below).
How AI features handle your data
When you tap an AI feature (Brief, Draft, Summary, Enrich, OCR, Reminders), the app builds a request containing only the context relevant to that one action — for example, a contact's name, your notes, and recent interactions for a Brief. That request goes through Koru's managed gateway to a third-party AI model provider (currently OpenRouter, which routes to Anthropic, OpenAI, Google, or Perplexity depending on the configured chain).
- The data is transmitted only at the moment you tap the feature.
- Neither Koru's gateway nor the upstream AI providers store the prompt content or the response after the request completes.
- Per OpenRouter's terms, your data is not used to train AI models.
- We log only the metadata described above, never your prompt.
Third parties
| Service | Purpose | Their privacy policy |
|---|---|---|
| OpenRouter | AI model gateway | openrouter.ai/privacy |
| Hosting VPS provider | Server infrastructure (EU) | standard provider policy |
We do not use Google Analytics, Firebase, advertising SDKs, fingerprinting, crash reporting, or any other third-party tracking.
Android permissions Koru asks for
| Permission | Why | Optional? |
|---|---|---|
| Internet | Auth + AI gateway | Required for AI features |
| Read contacts | Phone-book import | Optional, prompted, can revoke |
| Read call log | Auto-log calls as interactions | Optional, prompted |
| Camera | Business-card scan | Optional, prompted |
| Notifications | Reminder alerts, pre-meeting briefs | Optional, prompted |
We don't store the data we read from these permissions on our servers — it's processed locally and saved to your phone's database (or, in the case of business-card OCR, sent through the AI gateway with the same handling as above).
Security
- All client-server traffic is HTTPS only (TLS 1.2+).
- Passwords are bcrypted at standard cost.
- Sessions use signed JWT tokens (24-hour expiry).
- The server runs in a Docker container with the database isolated to a private network.
Your rights
- Export your data: Settings → Export. Your local data is exported as CSV, JSON, or vCard, ready to take with you.
- Delete your account: Email bug@enot.dev from the address tied to your account. We will remove your server-side data (account row, plan, usage logs) within 30 days. The local database on your phone stays under your control — uninstall the app to delete it from the device.
- Object to processing: You can use Koru's local CRM features without ever creating an account. AI features will be unavailable in that case, but everything else works.
Children
Koru is not directed at children under 13. We do not knowingly collect data from anyone under 13.
Changes to this policy
We will post material changes here and may notify you in-app. Continued use of the app after a change means you accept the updated terms.