Privacy Policy

1. What We Collect

We collect the minimum information necessary to operate the Service:

Account Information

• Email address (required for authentication via OTP)
• Name, phone number, and other profile fields (optional, provided by you)
• Use case selection (Vehicle, Home/Office, Pet, Luggage, Others)
• Emergency contact email (optional, for vehicle use case)
• 4-digit PIN for emergency detail protection (optional)

Automatically Collected

• FCM device token — collected automatically on the Android app for push notification delivery; stored on our server and used solely to send you notifications when a visitor contacts you

Session Metadata

• Call logs (timestamp, duration, call type) — not call content
• Session timestamps (when a visitor scans a QR code)
• Device type and browser information (for compatibility)

2. What We Do NOT Collect

KnoQ is built on the principle of minimal data collection. We do not collect or store:

• Message content — all chat messages are end-to-end encrypted and unreadable by KnoQ
• File content — shared files are encrypted in transit and not stored on our servers
• Call audio or video content — calls are peer-to-peer via WebRTC
• Location data or GPS coordinates
• Contact lists or address books
• Browsing history outside of KnoQ
• Advertising identifiers or tracking pixels

3. End-to-End Encryption

Chat messages and file transfers are protected by end-to-end encryption using ECDH P-256 key exchange, HKDF-SHA256 key derivation, and AES-256-GCM authenticated encryption. This means:

• Encryption keys are generated on your device and never leave it
• KnoQ servers relay encrypted ciphertext — we cannot decrypt it
• Each session uses unique ephemeral keys that are discarded when the session ends
• Even if our servers were compromised, past messages remain unreadable

Video and audio calls use WebRTC with SRTP encryption, establishing direct peer-to-peer connections whenever possible.

4. How We Use Your Information

• To authenticate your identity and provide access to the Service
• To deliver push notifications for incoming calls and messages (via Firebase Cloud Messaging)
• To display your registration details on your dashboard
• To connect visitors with the correct QR code owner
• To facilitate emergency contact communication when configured
• To enforce rate limiting and prevent abuse

5. Data Storage and Security

Your account data is stored in Supabase (PostgreSQL) with Row Level Security (RLS) policies that ensure each user can only access their own data. Security measures include:

• Row Level Security on all database tables — ownership-scoped access
• HTTPS/TLS encryption for all data in transit
• Encrypted storage at rest
• OTP-based authentication (no passwords stored)
• Automatic session cleanup and data expiry

6. Visitor Data

Visitors are ephemeral. When a visitor scans a QR code, a temporary session is created. No visitor account is created, no personal information is collected from visitors, and session data is automatically cleaned up. Each new scan creates a fresh session — there is no visitor tracking across sessions.

7. Owner Contact Fallback

If a visitor attempts to call an owner multiple times and the calls are not answered, KnoQ may display the owner's phone number and address to the visitor as a last-resort fallback. This only occurs when:

• The visitor has made 5 or more unsuccessful call attempts within the same session
• The owner has explicitly opted in to contact fallback sharing during registration or from the app settings
• The owner has provided a phone number or address (both are optional)

Owners can enable or disable this fallback at any time from the KnoQ Android app. When disabled, no contact details are ever revealed to visitors regardless of the number of failed calls. This feature is designed for genuine situations where the owner is unreachable through KnoQ (e.g., phone dead, app force-stopped) and the visitor needs to reach them urgently.

8. Third-Party Services

KnoQ uses the following third-party services, each with limited scope:

• Firebase Cloud Messaging (FCM) — push notification delivery only; message content is not shared with Google
• Firebase Crashlytics — collects crash logs, stack traces, device model, and OS version to monitor app stability and fix issues; no personal data or message content is included in crash reports
• Supabase — database hosting and authentication infrastructure
• Vercel — web application hosting
• metered.ca — TURN relay servers for WebRTC connectivity (no content access)

We do not sell, trade, or share your personal information with advertisers or data brokers. We do not use analytics tracking or advertising SDKs.

9. Data Retention

• Account data is retained as long as your account is active
• Call and session metadata is retained for 90 days, then automatically purged
• Encrypted messages are stored only for session duration — not persisted after session ends
• Visitor session data is cleaned up automatically after session expiry

10. Your Rights

You have the right to:

• Access all personal data we hold about you
• Correct or update your information at any time from the app
• Delete your account and all associated data
• Export your data in a portable format
• Object to any data processing you believe is unnecessary

When you delete your account, your KnoQ Code is freed for reassignment and all personal data is permanently removed from our systems.

11. Children's Privacy

KnoQ is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date. We encourage you to review this page periodically.

13. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights: