Privacy Policy

Last updated: 25. Mai 2026

At Koordi, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our scheduling and poll service.

1. Data Controller

The data controller responsible for processing your personal data in connection with Koordi is Comova Solutions GmbH, Dorfstrasse 29a, 4303 Kaiseraugst, Switzerland (UID: CHE-461.458.577). For privacy inquiries, please contact us at:

privacy@koordi.ch

2. Data We Collect

We collect the following categories of personal data:

Account Information

Email address, name, and profile picture (provided via Clerk authentication)

Poll Data

Poll titles, descriptions, date options, and your voting choices

Contacts

Names and email addresses of contacts you add to Koordi

Calendar Connections

Calendar access tokens for Google and Microsoft calendars (tokens only, we do not store your calendar events)

Subscription Information

Stripe customer ID and payment status (payment details are handled directly by Stripe)

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Consent: When you create an account and agree to our Terms of Service
  • Contract Performance: To provide you with our scheduling and poll services
  • Legitimate Interest: To improve our services and ensure security

4. Purpose of Processing

We use your data for the following purposes:

  • Providing our scheduling and poll service
  • User authentication and account management
  • Sending poll invitations and notifications (with your consent)
  • Processing subscription payments via Stripe
  • Improving our service based on anonymized usage patterns
  • Complying with legal obligations

5. Third-Party Processors

We work with the following trusted service providers:

ServicePurposeLocationDPA
ClerkAuthentication servicesUSAStandard Contractual Clauses in place
SupabaseDatabase hostingEU (Frankfurt)GDPR-compliant, data stays in EU
StripePayment processingUSA/EUStandard Contractual Clauses in place
VercelApplication hostingGlobal CDNGDPR-compliant
Plausible AnalyticsPrivacy-first analyticsEUNo personal data collected, no consent required

6. Google User Data and Limited Use

When you connect your Google account (Google Calendar or Google Contacts) to Koordi, we receive specific data from Google's APIs. This section explains what we receive, with whom we share it, and how the use of this data is restricted.

Data we receive from Google APIs

  • Google Calendar events (title, time, location, attendees) — used to detect scheduling conflicts and identify free time slots.
  • Google Contacts (name, email, phone number) — used to invite participants to your polls.

With whom we share, transfer, or disclose Google user data

We share Google user data only with our infrastructure sub-processors, strictly to provide the user-facing features described above:

  • Supabase (database hosting, EU/Frankfurt) — stores Google Calendar events and Google Contacts data encrypted at rest under a GDPR-compliant Data Processing Agreement.
  • Vercel (application hosting, global CDN) — processes Google user data only in transit during API requests; no Google user data is persisted on Vercel infrastructure.

We do NOT share, transfer, or disclose Google user data to any other third party. In particular, Google user data is never shared with advertisers, analytics providers, data brokers, or any party outside the two sub-processors listed above.

Limited Use compliance

Koordi's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide the user-facing features described above (calendar conflict detection and contact import for poll invitations).
  • We do NOT use Google user data to develop, improve, or train generalized AI or machine learning models.
  • We do NOT use Google user data for advertising purposes.
  • We do NOT sell Google user data.
  • No humans read Google user data, except: (a) with the user's explicit consent, (b) for security investigations (e.g. abuse, fraud, or violations of our Terms of Service), (c) to comply with applicable law, or (d) for aggregated and anonymized operational/debugging purposes.

Revoking access and deletion of Google user data

You can revoke Koordi's access to your Google account at any time. In Koordi: go to Profile → Settings → Calendar / Contacts and click the Disconnect button. Directly with Google: visit https://myaccount.google.com/permissions and remove Koordi from the list of connected apps. After disconnection (by either method), all Google Calendar events and Google Contacts data cached in our database are deleted within 24 hours.

7. International Data Transfers

Your data is primarily stored in the EU (Supabase, Frankfurt). When data is transferred to the USA (Clerk authentication), appropriate safeguards are in place through Standard Contractual Clauses (SCCs) as approved by the European Commission.

8. Data Retention

We retain your data according to these principles:

  • Active Accounts: Data is retained as long as your account is active
  • Deleted Accounts: All data is permanently deleted immediately upon account deletion
  • Inactive Accounts: Accounts inactive for more than 24 months may be flagged for review. You will receive a notification before any deletion

9. Your Rights

Under GDPR and Swiss nDSG, you have the following rights:

Right to Access

Export all your data from your Profile settings

Right to Rectification

Update your profile information at any time

Right to Erasure

Delete your account and all associated data from Profile settings

Right to Data Portability

Download your data in machine-readable JSON format

Right to Withdraw Consent

Unsubscribe from notifications or delete your account

Right to Lodge a Complaint

Contact the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local EU Data Protection Authority

10. Cookies and Tracking

Koordi uses only essential functional cookies for authentication and session management. We do not use advertising or tracking cookies. For statistical analysis we use Plausible Analytics (hosted in the EU/Germany) — cookieless, GDPR-compliant, and storing no personal data or IP addresses.

11. Data Security

We implement appropriate technical and organizational measures:

  • All data is encrypted in transit (HTTPS) and at rest
  • Row-Level Security (RLS) ensures users can only access their own data
  • Secure authentication via Clerk with optional two-factor authentication
  • Limited staff access to production data
  • Regular encrypted backups

12. Children's Privacy

Koordi is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

14. Contact Us

For any questions about this Privacy Policy or our data practices, please contact us:

Email: privacy@koordi.app

Back to Home
Privacy Policy | Koordi | Koordi