Privacy Policy
Last Updated: May 2026
Our Privacy Commitment
KoKo is built with privacy first. We never store credit card numbers, bank account credentials, Social Security Numbers, or individual transaction data. We do not connect to your bank accounts or screen-scrape financial institutions.
1. Information We Collect
1.1 Account Information
When you sign in with Google OAuth or create an account, we receive and store:
- Name and email address — from your Google profile
- Profile picture URL — from your Google profile
- Account timestamps — when you created your account and last logged in
You may also use KoKo as a guest without creating an account. Guest sessions are identified by an anonymous session token. If you later sign in, your guest data is merged into your registered account.
1.2 Profile and Preferences
To provide personalized recommendations, you may optionally share:
- Monthly spending estimates — category-level amounts (e.g., "dining: $500/month"), not individual transactions
- Preferred bank or issuer
- State of residence (two-letter code only)
- Travel preferences — home airport, preferred airline, preferred hotel chain
- Loyalty memberships — program names (e.g., "Marriott Bonvoy"), not account numbers
- Alert preferences — whether you want reminders for fee renewals, expiring benefits, or new offers
1.3 Portfolio Data
If you use our portfolio tools (Card Studio, Portfolio Review, Renewal Check), we store:
- Credit card names — the product name (e.g., "Chase Sapphire Reserve"), not the card number
- Annual fee amounts
- Card acquisition dates and annual fee due dates
- Points and miles balances — aggregate balances per loyalty program, entered by you
- Benefit selections — which card benefits you use or skip
- Analysis results — portfolio health scores, net-value calculations, and optimization history
1.4 Conversation Data
When you use our AI-powered tools (Card Explorer, Which Card, Travel Planner, etc.), we store the conversation session including messages you send and the responses we generate. This allows us to provide context-aware follow-ups and lets you reference past conversations.
1.5 Developer and API Data
If you use the KoKo API as a developer:
- Organization name and subscription tier
- API keys — stored as hashed values; we cannot retrieve your raw key after creation
- API request logs — tool name, parameters, timestamps, and success/failure status for usage tracking and billing
- Stripe billing data — customer and subscription IDs managed by Stripe (we do not store payment card details)
1.6 Analytics and Usage Data
We collect privacy-friendly analytics to understand how KoKo is used:
- Google Analytics (GA4) — page views, session duration, and general traffic patterns. GA4 does not use third-party cookies and IP addresses are anonymized by default.
- Internal event analytics — card searches, comparisons, and calculator usage tied to an anonymized visitor hash (not your name or email). Authenticated users may be linked by user ID for personalization.
2. What We Never Collect
KoKo will never collect, store, or request:
- Credit card numbers, CVVs, or expiration dates
- Bank account numbers or routing numbers
- Login credentials or passwords for financial institutions
- Social Security Numbers or Tax IDs
- Individual transaction records or purchase history
3. How We Use Your Information
| Data | Purpose |
|---|---|
| Account info (name, email) | Authentication, session management, and account recovery |
| Spending estimates and preferences | Personalized card recommendations, portfolio optimization, and renewal analysis |
| Portfolio data | Card value calculations, benefit tracking, and comparison tools |
| Conversation history | Context-aware AI responses and allowing you to revisit past sessions |
| API usage logs | Usage metering, billing, rate limiting, and debugging |
| Analytics data | Improving the product, understanding usage patterns, and fixing bugs |
4. Third-Party Services
KoKo integrates with the following services to operate:
| Service | Purpose | Data Shared |
|---|---|---|
| Google OAuth | Authentication | Name, email, and profile picture (with your consent during sign-in) |
| Google Gemini AI | Card analysis and conversational AI | Card names, spending categories, and conversation messages (no personal financial account data) |
| Serper API | Real-time credit card information lookup | Search queries only (e.g., "Chase Sapphire Reserve annual fee") — no user data |
| Google Cloud Platform | Hosting, database, and infrastructure | All stored data resides on GCP (US region) |
| Google Analytics (GA4) | Aggregated usage analytics | Anonymized page views and session data |
| Stripe | Developer API billing | Email and subscription tier; Stripe handles all payment card processing |
We do not use advertising networks, social media tracking pixels, or data brokers.
5. MCP Server and AI Integrations
KoKo offers an MCP server that allows AI assistants (such as Claude) to access our credit card tools on your behalf. When you connect via MCP:
- Authentication uses OAuth 2.0 with Google as the identity provider — the same sign-in flow as our website
- We log tool calls (tool name, parameters, timestamps) for usage tracking
- Your conversation with the AI assistant is between you and that assistant — KoKo only sees the individual tool calls, not your full conversation
- Portfolio and session data created via MCP follow the same storage and privacy policies as data created on our website
6. Cookies and Local Storage
KoKo uses:
- JWT authentication tokens — stored in your browser's localStorage to keep you signed in
- Theme preference — stored in localStorage (light/dark mode)
- GA4 cookies — first-party analytics cookies set by Google Analytics; you can opt out via Google's opt-out browser add-on
We do not use third-party advertising cookies or cross-site tracking cookies.
7. Data Retention
- Account and profile data — retained as long as your account is active
- Conversation sessions — retained for your reference; you can request deletion
- API usage logs — retained for billing and debugging purposes
- Guest session data — retained until merged into a registered account or until periodic cleanup
- Analytics events — retained in aggregate; individual event records are purged periodically
8. Data Security
- All data is encrypted in transit (HTTPS/TLS)
- Database credentials and API keys are managed via Google Cloud Secret Manager
- API keys are stored as irreversible hashes — we cannot recover your raw key
- Infrastructure runs on Google Cloud Run with managed security patches
- We do not sell, rent, or share your information with advertisers or data brokers
9. Your Rights
You have the right to:
- Access — request a copy of the data we hold about you
- Correction — update or correct your profile information at any time through your account settings
- Deletion — request deletion of your account and all associated data
- Portability — request your data in a machine-readable format
- Opt-out of analytics — disable Google Analytics via the GA opt-out add-on
To exercise any of these rights, contact us at team@kokofinance.net.
10. Children's Privacy
KoKo is not intended for users under 18 years of age. We do not knowingly collect information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy as our product evolves. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify registered users by email.
12. Contact Us
If you have questions about this Privacy Policy or our data practices:
- Email: team@kokofinance.net
- Website: Contact Page
Last Updated: May 2026
This privacy policy is effective as of the date listed above and applies to all users of KoKo Credit Card Assistant, including the website, API, and MCP server.