Skip to main content

Privacy Policy

Last updated: April 9, 2026

1. Overview

Kiroku (“we”, “us”, or “the Service”) is a visual weekly planner. We are committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights.

2. Data Storage — Local First

Your planner data is stored entirely in your browser. All tasks, notes, settings, templates, and workspace data are saved in your browser's IndexedDB storage on your device. No planner data is sent to our servers unless you explicitly enable Cloud Sync.

  • Tasks, day notes, task types, and settings are stored locally in IndexedDB
  • Data remains on your device and is not accessible to us
  • Clearing your browser data will delete your planner data — we recommend using the Export feature for backups
  • No analytics, tracking scripts, or third-party trackers are used in the application

3. Account Data

If you create an account, we store the minimum information required for authentication:

  • Email address — used for sign-in and account recovery
  • Name — optional, displayed in the app
  • Password hash — securely hashed with bcrypt; we never store plaintext passwords
  • OAuth tokens — if you sign in with Google or Apple, we store the access and refresh tokens required to maintain your session and access authorized services (e.g., Google Calendar)

Account data is stored in a PostgreSQL database hosted on Vercel (Neon). It is not shared with third parties and is used solely for authentication and authorized integrations.

4. Cloud Sync (Optional)

Cloud Sync is opt-in. When enabled, your planner data is compressed, encrypted in transit (HTTPS), and stored on our server so you can access it across devices. You can disable sync at any time in Settings, and your data remains in your browser.

  • Sync data is stored as a compressed blob associated with your user ID
  • Only you can access your sync data — it requires authentication
  • You can delete your sync data by using the “Clear All Tasks” feature or deleting your account

5. Google API Services — Limited Use Disclosure

Kiroku's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What we access

If you sign in with Google and enable the Google Calendar integration, we request read-only access to your Google Calendar (calendar.readonly scope). This allows us to display your calendar events on the Kiroku grid.

How we use Google data

  • Calendar events are fetched from Google's servers and displayed in the Kiroku interface
  • Calendar data is not stored on our servers — it is fetched in real-time and cached only in your browser session
  • Calendar data is not shared with any third parties
  • Calendar data is not used for advertising, analytics, or any purpose other than displaying it to you
  • We do not modify, delete, or write to your Google Calendar — access is strictly read-only

Token storage

Google OAuth access tokens and refresh tokens are stored securely in our database solely for the purpose of authenticating API requests on your behalf. Tokens are refreshed automatically when they expire and are deleted when you delete your account.

Revoking access

You can revoke Kiroku's access to your Google data at any time by:

  • Disabling the Google Calendar integration in Settings → Integrations
  • Removing Kiroku from your Google Account permissions
  • Deleting your Kiroku account

6. Cookies

We use a single session cookie (next-auth.session-token) for authentication. We do not use tracking cookies, advertising cookies, or third-party cookies.

7. Data Retention and Deletion

  • Local browser data is retained until you clear it or uninstall the app
  • Account data is retained as long as your account exists
  • You can delete your account and all associated data at any time from the Account panel
  • Sync data is deleted when you delete your account

8. Security

  • All data in transit is encrypted via HTTPS/TLS
  • Passwords are hashed with bcrypt (12 rounds)
  • Rate limiting protects against brute-force attacks
  • OAuth tokens are stored server-side and never exposed to the client
  • Content Security Policy and other HTTP security headers are enforced

9. Children's Privacy

Kiroku is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us.

10. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated “Last updated” date. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

If you have questions about this privacy policy or your data, please open an issue at github.com/johnhowelljr/kiroku.