Privacy Policy
Effective Date: April 8, 2026
1. Introduction and Scope
Korrelated, LLC ("Korrelated," "we," "us," or "our") is a California limited liability company and the developer of Kanvio. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Kanvio mobile application ("Kanvio" or the "App") and the kanv.io website (the "Website"), collectively referred to as the "Service."
By using the Service, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account and Authentication Data
When you create an account, we collect:
- Authentication credentials through Sign in with Apple or Sign in with Google via Firebase Authentication
- Provider identifiers (opaque identifiers assigned by Apple or Google — not your Apple ID or Google account credentials)
- Email address (as provided by your authentication provider)
- Date of birth (used solely for age verification; see Section 7)
2.2 Profile Data
- Display name (your chosen username)
- Avatar image (up to 512x512 pixels)
- Optional social media links (Instagram, TikTok, X/Twitter, YouTube, personal website)
For users aged 13–17, social media links are hidden from public view by default.
2.3 Location Data
Kanvio is a location-based augmented reality platform. Location data is central to how the Service works:
- Precise GPS coordinates (latitude and longitude) are collected when you use the map view or AR camera. Location is collected only while the App is in the foreground and actively in use — we do not collect location data in the background
- Content location: When you place digital art ("graffiti") in the world, the GPS coordinates of that content are stored and visible to other users. This is core to Kanvio's functionality
- Your real-time location is never shared with other users. Only the locations of content you create are visible
- Privacy Zones: You can define circular protected areas (100m–2,000m radius) where your content is hidden from all users except your trusted friends
- Location precision: coordinates are stored to 6 decimal places (~0.1 meter) for AR anchoring accuracy, and rounded to 4 decimal places (~11 meters) for display purposes
Location permission is requested through the standard iOS system prompt. You can revoke location access at any time in your device's Settings.
2.4 User-Created Content
- Drawings and artwork (PNG format, up to 2 MB)
- Imported and edited photos
- Scene preview images (JPEG format)
- Text descriptions (up to 280 characters)
- Content category assignments (Tag, Art, Life, Humor, Love, Voice, Tribute)
- AR Cloud Anchor identifiers (for persistent AR positioning; these have a 365-day time-to-live set by Google)
2.5 Interaction and Activity Data
- Likes on content
- Comments (up to 500 characters, which may include @mentions of other users)
- Content reports you submit
- View events and timestamps
- Share events, including which platform you share to (e.g., Instagram, Messages). When you share content externally, a preview page is generated containing the creator's display name, description, and a preview image — this metadata may be cached or indexed by the receiving platform
- Dwell time (how long you view a piece of content)
- In-app activity notifications (e.g., comments on your content, @mentions, likes, challenge reminders). Activity data is auto-deleted after 30 days
2.6 Challenge Data
- Challenges you create (title, description, theme image, date range, optional location)
- Challenge participation and submissions
- Leaderboard data (entry counts and likes received)
2.7 Social and Safety Data
- Trusted friends list (one-directional friend relationships you create)
- Block and restrict actions you take against other users
- Privacy Zone definitions (zone name, center coordinates, and radius — visible only to you)
- Parent-child account links and parental control settings (if a parent or guardian links to your account)
- Account recovery requests (if you use the trusted friend verification process to recover your account, a temporary recovery request is stored linking your account to the verifying trusted friend. These requests expire automatically)
2.8 Device and Technical Data
- Device model and iOS version
- Aggregated engagement statistics
2.9 Waitlist Data (Website)
If you sign up for the waitlist on kanv.io, we collect your email address.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Kanvio service, including AR content creation, discovery, and social features
- Authenticate your identity and manage your account
- Verify your age and apply appropriate safety restrictions
- Display your content to other users at the locations where you place it
- Personalize your content feed (see Section 10)
- Moderate content for safety and policy compliance (see Section 8)
- Respond to reports and enforce our Community Guidelines and Terms of Service
- Analyze usage patterns to improve the Service
- Send service-related communications
- Comply with legal obligations
4. How We Share Your Information
Publicly Visible Data
The following information is visible to other Kanvio users by design:
- Your display name and avatar
- Content you place (drawings, photos, descriptions) and its location
- Your likes and comments
- Your challenge participation and leaderboard standings
- Your profile statistics (pieces created, likes received, likes given)
Content placed within a Privacy Zone is visible only to you and your trusted friends.
Third-Party Service Providers
We share data with the following third-party service providers, solely to operate the Service. Because this policy covers both the kanv.io website and the Kanvio app, we have grouped providers by where they apply:
App (Kanvio iOS Application)
- Google Cloud Platform (GCP): The Kanvio app backend is hosted entirely on GCP. All user data described in Section 2 (account, profile, content, interactions, challenges, and social data) is stored and processed on GCP infrastructure. Specific GCP services that process your data in notable ways include:
  - Firebase Authentication: Processes authentication tokens and provider identifiers for sign-in
  - Cloud Vision API: Images you upload are scanned for automated content safety (see Section 8)
  - Cloud Natural Language API: Text content you submit is scanned for toxicity (see Section 8)
  - ARCore Cloud Anchors: AR positioning data (Cloud Anchor identifiers and spatial mapping data) is sent to enable persistent AR content placement. Raw camera frames are not transmitted
Certain Apple frameworks used by the App (ARKit, Vision, PencilKit, MapKit, Core Image) process data locally on your device. These frameworks do not transmit your data to Apple or to third parties for Kanvio's purposes.
Website (kanv.io)
- Amazon Web Services (AWS): The kanv.io website is hosted via Amazon S3 and CloudFront. AWS may collect server logs including IP addresses and access timestamps. AWS's privacy policy is available at aws.amazon.com/privacy.
- Formspree: Processes waitlist email submissions on the kanv.io website. Formspree's privacy policy is available at formspree.io/legal/privacy-policy.
Other Disclosures
- Legal Requirements: When required by law, regulation, subpoena, court order, or other legal process
- Safety: When we believe disclosure is necessary to protect our rights, your safety, or the safety of others
- Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case you will be notified of any change in ownership
What We Do Not Do
- We do not sell your personal information
- We do not share your personal information for cross-context behavioral advertising
- We do not track you across other apps or websites. App Tracking Transparency (ATT) is not required because Kanvio does not engage in cross-app tracking
5. Location Data — Special Disclosures
Because Kanvio collects precise location data, we want to be especially transparent about how this data is handled:
- Location is collected only in the foreground while you are actively using the map or AR features. Kanvio does not use background location services
- Location permission is requested through the standard iOS system prompt. You can change or revoke this permission at any time in iOS Settings
- The location where you place content is stored and visible to other users — this is the core functionality of Kanvio
- Your real-time position is never exposed to other users
- Privacy Zones allow you to define protected areas where your content is hidden from everyone except your trusted friends
- For users aged 13–17, location sharing defaults to OFF and may be further restricted by parental controls
- Precise location data (geolocation) is classified as "sensitive personal information" under the CPRA. We use it solely to provide the core AR functionality of the Service, not for profiling or advertising
6. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data (provider IDs, email, DOB flag) | Until account deletion |
| Profile data (display name, avatar) | Until account deletion |
| Content (graffiti, drawings, photos) | Until you delete the content or your account |
| AR Cloud Anchor IDs | Until content deletion (365-day max TTL per Google) |
| Device model / OS version | 90 days |
| Activity data (views, interactions, notifications) | Auto-deleted after 30 days |
| Offline drafts (on-device only) | Auto-purged after 7 days |
| Trusted friends, blocks, restricts | Until you remove them or delete your account |
| Privacy Zone definitions | Until you remove them or delete your account |
| Parent-child links and parental controls | Until either account is deleted or the link is removed |
| Engagement analytics | Retained in aggregated/anonymized form for service improvement |
Account Deletion: When you delete your account, all associated data is cascade-deleted within 48 hours. This includes your profile, all content, comments, likes, challenge data, and Cloud Anchor identifiers. Some anonymized, aggregated analytics (e.g., total view counts) may persist, but no personally identifiable data is retained.
7. Children's Privacy and Parental Controls
Children Under 13
Kanvio does not permit account creation by children under the age of 13, in compliance with the Children's Online Privacy Protection Act (COPPA). Age verification is performed at signup via date of birth. Users determined to be under 13 are blocked from creating an account, and this restriction is backed by secure on-device storage to prevent re-attempts on the same device.
We do not knowingly collect personal information from children under 13. If we become aware that such data was collected, it will be deleted promptly.
Minors (Ages 13–17)
Users between 13 and 17 are flagged as minors and receive automatic safety restrictions, including:
- Screen time limits (60-minute daily session limit with cooldown)
- Content sensitivity filter enabled by default (sensitive content hidden)
- Location sharing defaults to OFF
- Content creation rate limits
- Social media links hidden from public profile
- @mention filtering (only trusted friends can mention)
Parental Controls
Parents and guardians can link to their child's account and configure additional restrictions, including:
- Custom screen time limits and curfew hours
- Feed and content sensitivity settings
- Trusted-friends-only mode (limits feed and map to friends' content)
- Friend request and challenge participation approval
- Remote account lock (pause the child's account entirely)
- Weekly activity digests showing aggregated statistics only — parents cannot read the child's actual comments, messages, or content
To exercise parental rights regarding your child's data (access, correction, or deletion), please contact us at privacy@kanv.io with the subject line "Parental Rights Request."
8. Content Moderation and AI Processing
To maintain a safe environment, Kanvio uses automated content moderation:
- Image Scanning: All images uploaded to Kanvio (graffiti, challenge theme images, avatars) are automatically scanned via Google Cloud Platform (Cloud Vision SafeSearch) for inappropriate content including nudity, violence, and other unsafe material. This scanning occurs asynchronously after upload
- Text Scanning: Text content is scanned via Google Cloud Platform (Cloud Natural Language) for toxicity before it is posted. This includes: display names, graffiti descriptions, challenge titles and descriptions, comments, and social media link usernames. Content exceeding toxicity thresholds is rejected with an explanation
- Sensitivity Tiers: Content is assigned a sensitivity level: safe (shown to everyone), sensitive (hidden from minors), or blocked (held for manual review, visible only to creator)
- Community Reporting: Users can report content. Content receiving 3 or more reports from unique users is automatically hidden pending review
- Enforcement: Violations are addressed through an enforcement ladder: warning, 7-day ban, suspension, and permanent ban
No human review of content occurs unless triggered by user reports or automated safety flags.
9. AR Data and Camera Privacy
- Kanvio uses the device camera for augmented reality functionality via Apple ARKit
- Camera frames are processed entirely on your device and are never transmitted to Korrelated's servers or third parties
- No video is recorded from AR sessions
- Spatial mapping data used for AR anchoring is processed via Google ARCore Cloud Anchors — Cloud Anchor identifiers are transmitted, but raw camera frames are not
- Camera permission is requested through the standard iOS system prompt and can be revoked at any time
10. Algorithms and Personalization
Kanvio personalizes your content feed using the following factors:
- Quality: Content engagement metrics (likes, comments, dwell time)
- Freshness: Newer content is weighted more heavily, with an exponential decay function
- Proximity: Content closer to your current location is prioritized
- Category Affinity: Based on your viewing history over the past 30 days, content in categories you engage with more frequently may be prioritized
- Trusted Friend Boost: Content from your trusted friends receives a priority boost
- Diversity: Anti-flooding and anti-domination rules prevent any single category or creator from overwhelming your feed
Challenge recommendations use similar factors: freshness, urgency, popularity, and proximity.
All personalization is computed at the time of each request. No persistent user interest profile or model is built or stored. There is no cross-app profiling or behavioral advertising.
11. Your Privacy Rights
11.1 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected
- Right to Delete: Request deletion of your personal information (you can also delete your account directly in the App)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt Out: Opt out of the sale or sharing of personal information. We do not sell or share personal information
- Right to Limit Use of Sensitive Personal Information: Precise geolocation is classified as sensitive personal information under CPRA. We use it solely for the core AR functionality of the Service
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
Categories of Information Collected:
| Category | Examples | Business Purpose | Sold or Shared |
|---|---|---|---|
| Identifiers | Display name, email, provider IDs | Account management, authentication | No |
| Precise Geolocation | GPS coordinates for AR content placement | Core AR functionality | No |
| Internet or Network Activity | In-app browsing, view history, engagement metrics | Feed personalization, service improvement | No |
| Audio, Electronic, or Visual Information | Photos, artwork, avatar image | Content display, content moderation | No |
| Inferences | Category affinity scores from viewing history (not stored persistently) | Feed personalization | No |
| Sensitive Personal Information | Precise geolocation | Core AR functionality only | No |
How to Exercise Your Rights: Email privacy@kanv.io with your request. We will verify your identity using information associated with your account and respond within 45 days. You may also designate an authorized agent with written authorization.
11.2 European Economic Area and United Kingdom (GDPR)
If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation:
- The right to access, rectify, erase, restrict processing of, or port your personal data
- The right to object to processing based on legitimate interests
- The right to withdraw consent at any time
- The right to lodge a complaint with your local data protection supervisory authority
Lawful Bases for Processing:
- Consent: Location access, camera access
- Contract Performance: Account management, content storage and display, social features
- Legitimate Interest: Security, content moderation, analytics, service improvement
Automated content moderation (Section 8) does not produce decisions with legal effects. Users may appeal moderation decisions by contacting us.
12. Account Deletion
You can delete your account at any time through the App's settings. Upon deletion:
- All associated data is cascade-deleted within 48 hours, including your profile, all content, comments, likes, challenge data, and Cloud Anchor identifiers
- Some anonymized, aggregated analytics may persist (e.g., total view counts), but no personally identifiable data is retained
This account deletion mechanism satisfies Apple's App Store requirement for in-app account deletion.
13. Data Security
We implement reasonable security measures to protect your information, including:
- TLS/HTTPS encryption for all data in transit
- Row-level security (RLS) policies enforced at the database level
- Secure authentication via Firebase Authentication
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you and applicable authorities as required by law.
14. International Data Transfers
Your data is processed and stored in the United States via Google Cloud and AWS infrastructure. If you use the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States. Our service providers maintain appropriate safeguards for international data transfers, including standard contractual clauses where applicable.
15. Do Not Track
Kanvio does not track users across third-party apps or websites. The App does not use App Tracking Transparency (ATT) because no cross-app tracking occurs. The kanv.io website does not currently use tracking technologies and therefore does not respond to browser "Do Not Track" signals.
16. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing personal information.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be indicated by the "Effective Date" at the top of this page. For material changes, we will provide notice through the App (once launched). Your continued use of the Service after changes constitutes acceptance of the updated policy.
18. Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us at:
Korrelated, LLC
Email: privacy@kanv.io
Mailing Address: 2520 Venture Oaks Way, Suite 120, Sacramento, CA 95833
For parental rights requests, please email privacy@kanv.io with the subject line "Parental Rights Request."