Kommon is a small app for people who live in the same building. We try to collect as little as possible to make that work, and to be straightforward about the rest.
What we collect
- Account info. Your name, email, building, and unit when you sign up. Your password is stored hashed; we never see it.
- What you post. Listings (e.g. "drill to lend", "Catan night Saturday"), messages, and replies. These are visible to other verified residents of your building.
- Device & usage basics. App version, OS, crash reports, and rough usage events (e.g. "opened listings tab"). We use these to fix bugs and figure out what to build next.
- Website attribution. If you scan a QR poster with a ?src= tag (e.g. ?src=lobby), we record that label, your user-agent, and a timestamp so we know which posters work. No IP, no name, no cookie.
What we don't collect
- Precise location. The app does not track where you are.
- Your contacts, photos, or other apps' data.
- Advertising IDs. We don't run ads.
How we use it
- To run the app — show you your building's listings and posts.
- To verify that you live in the building you signed up for.
- To send you transactional notifications (a reply to your post, a request on your listing). You can turn these off.
- To debug crashes and improve the product.
Who else sees it
Other verified residents of your building see the things you choose to post in the building hub or list for lending. That's the whole point.
Beyond that, your data is shared only with:
- Infrastructure providers we use to actually run the service (hosting, database, email delivery, crash reporting, push notifications). They process data on our behalf, not for their own purposes.
- Authorities, if we receive a valid legal request. We'll push back on overbroad requests where we can.
We don't sell your data. We don't share it with advertisers.
How long we keep it
- Account data: as long as your account exists.
- Posts and listings: until you delete them, or until you delete your account.
- Crash reports and usage events: 90 days.
- QR scan attribution: 12 months.
When you delete your account, we delete your profile and posts within 30 days, except where we're legally required to keep something (e.g. payment records, if/when payments exist).
Your rights
Wherever you live, you can ask us to:
- See what we have about you.
- Correct anything that's wrong.
- Delete your account and associated data.
- Export your data in a portable format.
Email hello@kenkolabs.io and we'll respond within 30 days.
If you're in Quebec, you have these rights under Law 25. If you're in the EU/UK, you have them under GDPR. If we ever can't fulfill a request, we'll tell you why and how to appeal.
Kids
Kommon is for adults (18+). We don't knowingly collect data from children. If you think we have, email hello@kenkolabs.io and we'll delete it.
Security
Data is encrypted in transit (HTTPS) and at rest. We use industry-standard authentication. No system is perfectly secure, but we'll tell you promptly if something happens to your data.
Changes
If we change this policy in a meaningful way, we'll notify you in the app before the change takes effect. The "last updated" date at the top always reflects the current version.
Contact
Questions (including privacy): hello@kenkolabs.io