Koabit
Privacy Policy
Last updated: March 26, 2026
1. Introduction
Welcome to Koabit.
We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you about how we process your personal data when you use our application and will inform you of your data protection rights.
Koabit is developed and operated by Corentin Quichaud, sole proprietor (entrepreneur individuel), registered under SIRET 890 455 389 00027, located at 10 rue Comtesse-de-Ségur, 29200 Brest, France.
This policy covers the Koabit mobile application as well as the koabit.app website. No tracking cookies are used on the website.
2. Information We Collect
When you use our application, we collect certain information about you, including:
- Mandatory account data:
  - Your email address and the username you choose.
  - A unique user identifier (UID) automatically generated to securely identify you within our system.
  - If you sign in with an email address and password, your password is managed and protected by our authentication provider (Firebase Auth). We never have access to your password in plain text, and it is stored securely according to the strictest standards.
- Optional profile data: You may choose to provide your date of birth and gender. This information is used solely for statistical purposes within your household.
- Authentication data: If you choose to sign in via Google or Apple, we receive the information you agreed to share through these services.
- Usage data: We collect information about how you interact with our application, including the features you use and the time spent on the application.
- Device data: We collect information about the device you use, such as the model, operating system, and unique device identifier.
- Notification data: If you agree to receive push notifications, we collect a unique token generated by your device to enable sending notifications via Firebase Cloud Messaging (FCM).
- External calendar data: If you connect an external calendar (Google Calendar, Microsoft Outlook), we access your calendar list and events in read-only mode. OAuth authentication tokens are stored securely on our servers to maintain synchronization. You can revoke this access at any time from the application.
- Device calendar data: If you grant calendar access permissions on your device, we can read your local events and write Koabit events to your local calendars for synchronization.
- Calendar files (ICS): If you import an ICS file, its content is transmitted to our servers for processing and integration into your household calendar.
- Calendar feed (URL): If you enable the calendar feed, a unique URL is generated to allow subscription from third-party calendar applications. This URL is accessible without authentication and contains your household events.
- Receipt images: If you use the receipt scanning feature, images taken with your camera or selected from your gallery are transmitted to our servers for automatic information extraction (products, prices) via artificial intelligence processing. Images are not retained after processing.
Personal data may be freely provided by the User, or, in the case of usage data, collected automatically. Unless stated otherwise, all data requested by Koabit is mandatory. Where Koabit specifies that certain data is not mandatory, Users are free not to provide it.
3. How We Use Your Information
We use your information solely within the Koabit application to:
- Allow you to create and manage your account
- Provide, maintain and improve our application
- Send you important notifications about the application
- Analyze application usage to improve user experience
- Detect and prevent fraudulent activities or technical issues
- Synchronize and display your connected external calendars
- Process receipt images to facilitate expense tracking
- Convert amounts in different currencies
- Automatically suggest categories for your items
We do not sell your personal data to third parties and do not use it for commercial purposes external to the application.
4. Firebase Services
Our application uses several Firebase services provided by Google LLC for its operation:
Firebase Authentication
We use Firebase Authentication to enable sign-in via Google, Apple, or email and password. This service processes your credentials to authenticate you with our application.
Firestore
We use Firestore as a database to store your user data, including your username and information related to your use of the application.
Firebase Cloud Functions
We use Firebase Cloud Functions to execute certain server-side operations necessary for the application to function.
Firebase Analytics
We use Firebase Analytics to collect pseudonymized data about application usage, which helps us understand how users interact with the application and improve it.
Firebase Crashlytics
We use Firebase Crashlytics to collect information about application crashes, which helps us identify and resolve technical issues.
Firebase Cloud Messaging (FCM)
We use FCM to send push notifications to your device, informing you of important updates or events in the application.
Google LLC acts as a data processor within the meaning of Article 28 of the GDPR. A Data Processing Agreement (DPA) is in place with Google.
For more information about how Google processes your personal data, please see Google's privacy policy.
5. Third-Party Services and Integrations
In addition to Firebase services, our application may connect to the following third-party services, at your initiative:
Google Calendar API (Google LLC)
If you connect your Google Calendar account, we use the Google Calendar API to access your calendars and events in read-only mode. Authentication is done via OAuth 2.0. Access and refresh tokens are stored securely on our servers to maintain synchronization. You can revoke this access at any time from the application or from your Google account security settings.
Microsoft Graph API (Microsoft Corporation)
If you connect your Outlook account, we use the Microsoft Graph API to access your calendars and events in read-only mode. Authentication is done via OAuth 2.0 with PKCE. Access and refresh tokens are stored securely on our servers. You can revoke this access at any time from the application or from your Microsoft account settings.
Exchange rates (exchangerate.host)
We use exchange rate data from the exchangerate.host service for currency conversion in the budget module. No personal data is transmitted to this service; only exchange rate data is retrieved.
OpenAI (OpenAI, L.L.C.)
Certain features use the OpenAI API via our Cloud Functions: receipt scanning (extracting products and prices from images) and automatic category suggestions for your items (item names are transmitted). Data is transmitted to OpenAI servers solely to provide the requested result and is not retained by Koabit after processing. OpenAI acts as a data processor (Data Processing Addendum in place) and does not reuse your data to train its models. OpenAI may temporarily retain data (up to 30 days) for abuse monitoring purposes. For more information, see OpenAI's privacy policy.
For more information, please see Google's privacy policy, Microsoft's privacy statement and OpenAI's privacy policy.
6. Lawful Bases for Processing
In accordance with the General Data Protection Regulation (GDPR), each processing of personal data is based on a specific lawful basis:
- Account management and data storage (Firebase Authentication, Firestore): Performance of a contract (Art. 6(1)(b) GDPR): processing is necessary for the performance of the service you requested.
- Analytics and statistics (Firebase Analytics): Legitimate interest (Art. 6(1)(f) GDPR): we have a legitimate interest in understanding how our application is used in order to improve it. You can opt out via your device settings.
- Crash reporting (Firebase Crashlytics): Legitimate interest (Art. 6(1)(f) GDPR): we have a legitimate interest in ensuring the stability and reliability of our application.
- Push notifications (Firebase Cloud Messaging): Consent (Art. 6(1)(a) GDPR): you can withdraw your consent at any time via your device settings.
- External calendars (Google Calendar, Microsoft Outlook): Consent (Art. 6(1)(a) GDPR): you explicitly initiate the connection and can revoke it at any time from the application.
- Device calendar: Consent (Art. 6(1)(a) GDPR): you explicitly grant calendar access permissions on your device and can revoke them via your device settings.
- Receipt scanning and AI processing (OpenAI): Consent (Art. 6(1)(a) GDPR): you explicitly initiate each scan or categorization. Data is transmitted to OpenAI for processing and is not retained by Koabit afterwards.
- Currency conversion: this feature does not involve any personal data (only public exchange rates are retrieved server-side). No GDPR lawful basis is required.
Koabit does not carry out any automated decision-making or profiling within the meaning of Article 22 of the GDPR.
7. Data Storage and Security
Your data is stored on Firebase's secure servers, which comply with the strictest security standards. We implement appropriate security measures to protect your personal data against unauthorized access, modification, disclosure or destruction.
OAuth tokens for connected calendars are stored in encrypted form on our servers and are used solely to maintain synchronization. They are deleted when you disconnect a calendar or delete your account.
Your data is retained for the entire duration of your account usage. If you delete your account, your personal data will be deleted within 30 days. Backup data is purged within 180 days. Anonymized analytics data may be retained for statistical purposes.
8. Your Rights
As a user of our application, you have the following rights regarding your personal data:
- Right of access: You have the right to request a copy of the information we hold about you.
- Right to rectification: You can correct inaccurate data we hold about you.
- Right to erasure: You can delete your account directly from the application.
- Right to restriction of processing: You can ask us to restrict the processing of your personal data.
- Right to data portability: You can ask us to transfer your data to another organization.
- Right to object: You can object to the processing of your personal data.
To exercise any of these rights, please contact us at: [email protected].
Where processing is based on your consent, you may withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
You also have the right to lodge a complaint with the French data protection authority (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, www.cnil.fr.
9. Platform Services and Hosting
These services host and run the key components of Koabit, enabling it to be provided from a unified platform.
Google Play Store (Google Ireland Limited)
Koabit is distributed on Google Play Store. Google collects usage and diagnostic data and shares aggregated information with the Owner. Users can manage analytics settings via this page.
Personal data processed: Usage data.
Apple App Store (Apple Inc.)
Koabit is distributed on the Apple App Store. Apple collects basic analytics and provides reporting features. Users can manage analytics settings via this page.
Personal data processed: Usage data.
10. Other Information About Personal Data Processing
Push notifications
Koabit may send push notifications to the User. Users can opt out of receiving push notifications by checking their device settings. Disabling push notifications may negatively affect the use of Koabit.
11. Children's Privacy
Our application is not intended for children under 15 years of age. We do not knowingly collect personal data from children under 15. If we discover that a child under 15 has provided us with personal data, we will delete it as soon as possible. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].
12. Information for California Residents
If you reside in California, you have additional rights under the CCPA/CPRA. We do not sell or share your personal data as defined by the CCPA. You have the right to know what data is collected, the right to deletion, and the right to non-discrimination.
13. International Data Transfers
Your data may be transferred to the United States where Firebase (Google LLC), OpenAI (OpenAI, L.L.C.) and Microsoft Corporation host their services. These transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission and by certification under the EU-US Data Privacy Framework. You can obtain a copy of the safeguards by contacting [email protected].
14. Changes to the Privacy Policy
We may update our privacy policy from time to time. We will notify you of any changes by posting the new privacy policy on this page.
We encourage you to review this privacy policy regularly.
15. Contact Us
If you have any questions about this privacy policy or wish to exercise your data protection rights, please contact us at:
Email: [email protected]