Privacy Policy
-
Last updated: {new Date().toLocaleDateString()}
+
Last updated: June 1, 2026
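Review bot: The literal "June 1, 2026" in the new "Last updated" line has to be edited by hand in the same commit as every future change to the policy text, and nothing here ties the two together. Dropping the removed expression is right, since it stood for the current date on each render rather than the revision date. Consider one named constant kept next to the policy text, or a value derived from the file's last commit, so that section 11's promise to update the "Last updated" date cannot be missed.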
- 1. Information We Collect
+ 1. Introduction
- We collect information you provide directly, such as when you create an account, update your profile, or contact us.
+ Kordant ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains
+ how we collect, use, disclose, and safeguard your information when you use our mobile application
+ (Kordant for Android and iOS) and website (kordant.com), collectively referred to as the "Service."
+
+
+ Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use
+ of your information in accordance with this policy. If you do not agree with any part of this policy,
+ please do not use the Service.
+
+
+ This policy complies with the General Data Protection Regulation (GDPR),
+ California Consumer Privacy Act (CCPA), and Google Play's Data Safety requirements.
+
+
+
+
+ 2. Information We Collect
+
+ We collect information you provide directly, information automatically collected when you use the Service,
+ and information from third-party sources.
+
+
+ 2.1 Information You Provide Directly
+
+ - Account Information: Name, email address, password, and phone number when you create an account, update your profile, or sign in via Google.
+ - Payment Information: When you subscribe or make purchases, payment processing is handled securely by Stripe. We do not store credit card numbers on our servers.
+ - Profile Content: Avatar images, display name, and other profile customization data.
+ - Voice Recordings: Audio recordings you voluntarily capture for the VoicePrint feature, used to create a voice fingerprint for caller identification. Recordings are processed and stored securely.
+ - Watchlist Data: Personal information you choose to monitor for exposure (email addresses, phone numbers, or other identifiers).
+ - Property Information: Property addresses and related information you add for title monitoring and data broker removal services.
+ - Spam Reports: Phone numbers you report as spam or block for community protection.
+ - Communications: Information you provide when contacting support or communicating with us.
+
+
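Review bot: The Voice Recordings bullet in 2.1 says only "Recordings are processed and stored securely", while section 5 spells out protections for tokens, cached profiles and phone numbers but never mentions recordings or the derived voice fingerprint. A voice fingerprint used to identify a caller is biometric data, so state here whether the recording and the fingerprint stay on the device or go to the server, how each is encrypted, and that enrollment is consent-based (section 7 already treats disabling VoicePrint as withdrawing consent).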
+ 2.2 Information Collected Automatically
+
+ - Device Information: Device model, operating system version, app version, device locale/language, and unique device identifiers (FCM token for notifications).
+ - Usage Data: App interactions, feature usage, API requests, startup timing, and navigation patterns to improve our service.
+ - Call Data (Android only): Incoming phone numbers are checked against our spam database for call screening purposes. Phone numbers are hashed (SHA-256) before storage in the local database. Anonymized call screening logs are maintained for 7 days.
+ - Crash Data: Crash reports, ANR traces, and performance diagnostics collected via Firebase Crashlytics.
+ - Notification Preferences: Your opt-in/opt-out choices for different notification types (security alerts, marketing, system notifications).
+
+
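Review bot: In the Call Data bullet of 2.2, "hashed (SHA-256)" followed by "Anonymized call screening logs" overstates the protection: phone numbers come from a small, structured space, so a plain SHA-256 digest can be matched back to its number by hashing candidate numbers. Either describe the stored values as pseudonymized, or, if the app actually uses a keyed or salted construction (for example HMAC-SHA-256 with a key held in the Android Keystore), say so here and in 5.2, which repeats the SHA-256 claim.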
+ 2.3 Information from Third-Party Sources
+
+ - Google Sign-In: When you authenticate via Google, we receive your name, email address, and profile picture as authorized by your Google account.
+ - Data Brokers: We may collect publicly available information from data broker websites as part of our DarkWatch monitoring service, which is initiated by your search terms or watchlist items.
+
+
+
+
+ 3. How We Use Your Information
+ We use the collected information for the following purposes:
+
+ - Provide and Maintain the Service: To operate our platform, authenticate users, process requests, and deliver features like call screening, dark web monitoring, and exposure alerts.
+ - Personalization: To customize your experience, remember your preferences (theme, notification settings), and surface relevant alerts.
+ - Security and Fraud Prevention: To detect root access, tampering, and unauthorized access; to screen incoming calls for spam and scams; and to protect the integrity of our service.
+ - Communications: To send you security alerts, exposure warnings, scan results, account notifications, and (with your consent) marketing communications.
+ - Analytics and Improvements: To analyze usage patterns, diagnose crashes, measure performance, and improve the Service.
+ - Compliance: To comply with legal obligations, enforce our terms of service, and respond to lawful requests.
+
+
+
+
+ 4. Third-Party Services
+ We use the following third-party services that may process your data:
+
+
+
+
+ | Service |
+ Purpose |
+ Data Shared |
+
+
+
+
+ | Firebase Crashlytics |
+ Crash reporting and analytics |
+ Crash logs, device info, app version |
+
+
+ | Firebase Cloud Messaging |
+ Push notifications |
+ Device token, notification delivery data |
+
+
+ | Google Sign-In |
+ Authentication |
+ Name, email, profile picture |
+
+
+ | Stripe |
+ Payment processing |
+ Payment card data (processed by Stripe, not stored by us) |
+
+
+ | Clerk |
+ Web authentication |
+ Name, email, authentication data |
+
+
+ | Resend |
+ Email delivery |
+ Email address |
+
+
+ | Twilio |
+ SMS notifications |
+ Phone number |
+
+
+
+
+
+ Each third-party service has its own privacy policy governing the use of your data.
+ We do not sell your personal information to any third party.
+
+
+
+
+ 5. Data Storage and Security
+
+ 5.1 Encryption in Transit
+
+ All data transmitted between our mobile and web applications and our servers is encrypted using
+ TLS 1.2 or higher. Our Android app enforces certificate pinning for an additional
+ layer of security against man-in-the-middle attacks.
+
+
+ 5.2 Encryption at Rest
+
+ On Android, sensitive data including authentication tokens and cached user profiles are encrypted
+ using AES-256-GCM via Android's EncryptedSharedPreferences, with the master key
+ stored in the hardware-backed Android Keystore. Phone numbers in the local spam database are
+ SHA-256 hashed before storage.
+
+
+ 5.3 Server-Side Security
+
+ Data stored on our servers is encrypted at rest using industry-standard encryption.
+ We implement strict access controls, regular security audits, and follow security best practices
+ to protect your data.
+
+
+ 5.4 Security Features
+
+ - Root Detection: Our Android app detects compromised devices and restricts sensitive features.
+ - Certificate Pinning: The Android app validates server certificates against known pins to prevent MITM attacks.
+ - Secure Deletion: Sensitive data is overwritten before removal to prevent forensic recovery.
+ - Log Sanitization: Authentication tokens, passwords, phone numbers, and email addresses are redacted from all logs.
+
+
+
+
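Review bot: The Secure Deletion bullet in 5.4 promises that overwriting will "prevent forensic recovery", which is stronger than a file-level overwrite can guarantee on flash storage, where wear leveling may leave the old blocks in place. Since 5.2 already encrypts this data under a Keystore-held key, describe deletion in terms of destroying that key, or soften the wording to "reduce the risk of recovery". The same caution applies to "redacted from all logs" in 5.4 and "hardware-backed" in 5.2: both are absolute statements that hold only if every log path and every supported device meets them.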
+ 6. Data Retention
+ We retain your data for the following periods:
+
+ - Account data: Retained for as long as your account is active.
+ - Authentication tokens: Retained until logout or token expiration.
+ - Call screening logs (local): Anonymized logs retained for 7 days.
+ - Voice recordings: Retained until you delete your enrollment or account.
+ - Crash data: Retained per Firebase Crashlytics retention policy.
+ - Usage analytics: Retained in aggregated form for service improvement.
+ - Backup data: Retained for up to 90 days after account deletion for legal compliance.
+
+
+
+
+ 7. Your Rights and Choices
+ Depending on your jurisdiction, you have the following rights:
+
+ - Access: Request a copy of the personal data we hold about you.
+ - Rectification: Request correction of inaccurate or incomplete data.
+ - Deletion (Right to be Forgotten): Request deletion of your personal data. This can be done in-app via Settings → Delete Account, or by emailing privacy@kordant.com.
+ - Data Portability: Request your data in a machine-readable format.
+ - Opt-Out of Marketing: Unsubscribe from marketing communications at any time via notification settings or by replying "STOP" to SMS messages.
+ - Withdraw Consent: Withdraw consent for data processing at any time (e.g., disable VoicePrint, turn off call screening).
+ - Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
+
+
+ To exercise any of these rights, contact us at privacy@kordant.com.
+ We will respond within 30 days as required by applicable law.
+
+
+
+
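Review bot: The Deletion bullet in section 7 offers deletion of personal data with no qualification, but section 6 keeps "Backup data" for up to 90 days after account deletion. Add that limit to the Deletion bullet, and say whether voice recordings and watchlist items held in backups follow the same 90 days, so the right as described matches the retention schedule.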
+ 8. California Privacy Rights (CCPA)
+
+ Under the California Consumer Privacy Act (CCPA), California residents have additional rights:
- - Account information (name, email, password)
- - Payment information (processed securely via Stripe)
- - Usage data and analytics
- - Device and browser information
+ - Right to Know: Request disclosure of categories and specific pieces of personal information collected.
+ - Right to Delete: Request deletion of personal information collected.
+ - Right to Opt-Out: We do not sell personal information. If this changes, we will update this policy.
+ - Right to Non-Discrimination: We will not deny service or charge different rates for exercising CCPA rights.
-
-
-
- 2. How We Use Your Information
-
- - Provide and maintain our services
- - Process your transactions
- - Send you notifications and updates
- - Improve our products and services
- - Comply with legal obligations
-
-
-
-
- 3. Third-Party Services
- We use the following third-party services:
-
- - Clerk - Authentication and user management
- - Stripe - Payment processing
- - Resend - Email delivery
- - Twilio - SMS notifications
- - Firebase - Push notifications
-
-
-
-
- 4. Your Rights
- Under GDPR and CCPA, you have the right to:
-
- - Access your personal data
- - Rectify inaccurate data
- - Request deletion of your data
- - Export your data in a machine-readable format
- - Opt-out of marketing communications
-
-
-
-
+
+
+ 9. Children's Privacy
+
+ Our Service is not intended for children under the age of 13 (or 16 in the European Economic Area).
+ We do not knowingly collect personal information from children. If we learn that we have collected
+ personal information from a child without appropriate consent, we will delete that information promptly.
+ If you believe a child has provided us with personal data, please contact us.
+
+
+
+
+ 10. International Data Transfers
+
+ Your information may be transferred to and processed in countries other than your own.
+ We ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs)
+ and other GDPR-compliant transfer mechanisms when transferring data from the European
+ Economic Area (EEA) to countries outside the EEA.
+
+
+
+
+ 11. Changes to This Privacy Policy
+
+ We may update this Privacy Policy from time to time. We will notify you of material changes
+ by posting the new policy on this page and updating the "Last updated" date. For significant
+ changes, we may also provide in-app notification or email notice.
+
+
+ We encourage you to review this Privacy Policy periodically for any changes.
+ Your continued use of the Service after the posting of changes constitutes your acceptance
+ of such changes.
+
+
+
+
+ 12. Contact Us
+
+ If you have questions, concerns, or requests regarding this Privacy Policy or our data practices,
+ please contact us:
+
+
+
+ We will acknowledge receipt of your request within 5 business days and respond within 30 days.