Privacy Policy
Effective date: June 2026 · Last updated: June 2026
Koala Statements ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and what rights you have.
1. Data we collect
Account data: When you create an account we collect your email address and, if you sign in with Google, your name and profile picture.
Financial model data: The numbers, assumptions, and structure of financial models you create and save in the app. This data belongs to you.
AI inputs: When you use the AI advisor, your prompts are sent to Google Gemini to generate a response. We do not store AI prompts independently beyond what is saved in your model.
Usage analytics: We use PostHog to collect aggregated, anonymized analytics (page views, feature usage). No financial values are collected by analytics.
Support communications: If you contact us by email, we retain that correspondence.
2. How we use your data
- To provide and improve the service
- To send transactional emails (welcome, account notices)
- To analyze aggregate usage patterns and improve the product
- To respond to support requests
We do not sell your data. We do not use your financial model content to train AI models.
3. Third-party services
- Supabase: authentication and database storage (servers in EU and US)
- Google Gemini API: AI advisor inference (inputs processed by Google)
- PostHog: product analytics (anonymized)
- Resend: transactional email delivery
- Vercel: application hosting and edge infrastructure
4. Data retention
Your account and model data is retained for as long as your account is active. If you delete your account, your data is removed from our systems within 30 days. Share links expire after 90 days by default.
5. Your rights
You have the right to access, correct, export, or delete your personal data at any time. To exercise these rights, reach us through the contact form on our website. We will respond within 30 days.
If you are in the EU, you may also lodge a complaint with your local data protection authority.
6. Cookies
We use functional cookies for authentication (Supabase session) and, if you consent, analytics cookies from PostHog. You can disable cookies in your browser settings; this may prevent you from signing in.
7. Security
Data is encrypted in transit (TLS) and at rest. Authentication is handled by Supabase, which is SOC 2 Type II certified. Row-level security policies ensure no user can read another user's data.
8. Changes to this policy
We may update this policy from time to time. We will notify you by email or in-app notice when material changes occur.
Questions? Reach us anytime through the contact form on our website.