Legal · Privacy Policy

Privacy Policy

Effective: April 26, 2026 · Last updated: April 26, 2026

This Privacy Policy describes how Fonles (“Fonles”, “we”, “us”, “our”) collects, uses, shares, and protects personal information in connection with the Kirigomobile application (the “App”) and the website at kirigo.fonles.com (together, the “Service”). It also explains your choices and rights regarding your information. This Policy is incorporated into our Terms of Service.

Plain-language summary. When you use Kirigo we collect a limited profile (e.g., a first name and date of birth you provide), the audio-video recording you create when you make a wish, a transcript generated from that recording, basic device and usage information, and analytics events. We use this to run and improve the Service. We do not sell your personal information. You can request deletion at any time by emailing info@fonlescompany.com.

1. Who we are & scope

The data controller for personal information collected through the Service is Fonles. You can reach us at info@fonlescompany.com.

This Policy applies to personal information we process about you when you install, open, or use the App; visit kirigo.fonles.com or any subdomain; or otherwise interact with us. It does not apply to third-party services that may be linked from the Service; their processing is governed by their own privacy policies.

2. Information we collect

2.1 Information you provide

Profile information.A given name (or chosen alias) and date of birth that you enter during the “saju” onboarding so the Service can personalize the experience. You can use a pseudonym; we do not verify identity.
Wish content.The audio-video recording you make when you tap “Make a wish”, including any speech and ambient audio captured by the microphone and any imagery captured by the camera during the recording window.
Transcripts. A text transcript generated from your recording, in the language detected by the on-device or cloud speech-to-text engine of your operating system.
Communications. Information you send when you email us (subject, body, attachments, contact information).
Marketing preferences. Whether you have opted in to receive promotional communications.

2.2 Information collected automatically

Device & install identifiers. An anonymous install identifier generated by the App, an authentication user ID issued by our backend, your device model, operating system and version, App version, language preference, and approximate time-zone.
Approximate location. The country and language inferred from your device locale and from the public IP address used by your device to connect to our backend. We do not collect precise (GPS) location.
Push notification token. If you enable push notifications, a token issued by Apple Push Notification service or Firebase Cloud Messaging.
Usage & events. Analytics events that describe your interaction with the Service, such as app_open, saju_completed, wish_committed, share-link interactions, screen transitions, and timestamps. Each event may include a small JSON payload (e.g., transcript length, whether a video was attached, referral identifier).
Diagnostics. Crash reports and error logs (stack traces, app state at the time of the error, device characteristics).
Referral data. When you open the App from a shared link (e.g., https://kirigo.fonles.com/?ref=abcd1234), the referral identifier and the channel through which the link was opened.
Web logs. Standard web-server logs for the website (IP address, user-agent string, referring URL, requested URL, response code, timestamp).

2.3 Permissions we request

The App requests the following device permissions when needed. Granting them is voluntary; if you decline, the related feature may be unavailable.

Camera & microphone. Required to record the audio-video wish.
Speech recognition.Required to generate the wish transcript on your device or via the operating system’s speech engine.
Notifications. Required to deliver notifications described in Section 18.

2.4 Information we do NOT collect

Government-issued identifiers.
Payment-card numbers (handled by Apple or Google).
Precise GPS location.
Contacts, calendar, photo library, health data, or biometrics (unless you explicitly choose to attach such content, which the Service does not currently offer).

3. Sources of information

We obtain information directly from you (when you provide it), automatically (when you use the Service), and from third parties (such as Apple or Google when you install the App or make an in-app purchase, and from Supabase when you authenticate).

4. How we use information

We use personal information to:

provide, operate, and maintain the Service;
create and authenticate your anonymous account, and link your sessions to your wishes and events;
generate, display, and store the fictional response to your wish, including timers and notifications that form part of the Kirigo narrative;
transcribe and, where you enable it, translate or process your wish content for the experience and for product analytics;
measure usage and engagement, debug, prevent fraud and abuse, and improve the Service, including the quality of speech recognition and the narrative;
personalize the experience based on your locale, device, and referral context;
communicate with you about service changes, security incidents, and (where you have opted in) marketing;
comply with legal obligations, enforce our Terms, and defend legal claims;
produce aggregated, de-identified statistics (e.g., the global wish counter shown in the App) and anonymous research; and
train and evaluate machine-learning models that are part of the Service, using only data we are permitted to use for that purpose (see Section 20).

5. Legal bases (EEA / UK / Switzerland)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information on the following legal bases under the GDPR / UK GDPR:

Performance of a contract (Art. 6(1)(b)) — to create and operate your account, deliver the wish experience, and provide support.
Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse, perform analytics, develop product improvements, and conduct internal research. We balance these interests against your rights and freedoms; you may object as described in Section 12.
Consent (Art. 6(1)(a)) — for camera, microphone, push notifications, optional marketing, and other features that require it. You can withdraw consent at any time without affecting prior processing.
Legal obligation (Art. 6(1)(c)) — to comply with laws and respond to lawful requests.

We do not knowingly process special categories of data (Art. 9 GDPR). Wish recordings may incidentally contain such information if you choose to mention it; we ask you not to. If you do, you consent to processing for the limited purposes described here.

6. How we share information

We share personal information only as described below. We do not sell personal information for monetary consideration.

With service providers (processors). Third parties that process information on our behalf under written contracts, such as cloud hosting, database, storage, real-time, authentication, push-notification, analytics, crash-reporting, customer-support, and payments providers.
With Apple and Google. When you obtain the App or make an in-app purchase, your relationship with the relevant store is governed by its own privacy policy. We receive limited information from these stores, such as anonymized purchase or install events.
For legal reasons. When we believe disclosure is necessary to comply with applicable law, lawful request, court order, or governmental request, or to investigate and prevent fraud, security incidents, or violations of our Terms.
To protect rights and safety. When we believe disclosure is necessary to protect the rights, property, or safety of Fonles, our Users, or the public.
In a corporate transaction. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality obligations.
With your consent or at your direction. For example, when you choose to share a referral link.
Aggregated or de-identified information. We may share aggregated, de-identified, or anonymized data (e.g., the total number of wishes worldwide) with anyone for any purpose. We do not attempt to re-identify such data.

7. Subprocessors & service providers

The principal processors we currently rely on are listed below. We may add or change processors over time; the current list is available on request from info@fonlescompany.com.

Supabase Inc. — backend authentication, database, file storage (wish recordings), real-time messaging, analytics events. Hosted on AWS infrastructure.
Apple Inc. — App distribution, in-app purchases, push notifications (APNs), and on-device speech recognition.
Google LLC. — App distribution (Google Play), in-app purchases, push notifications (FCM), and on-device or cloud speech recognition (depending on Android configuration).
Vercel Inc. — hosting of the kirigo.fonles.com website.

Each processor is bound by a data-processing agreement that requires it to safeguard personal information and to process it only on our instructions and as permitted by law.

8. International transfers

We are a global service. Your personal information may be transferred to, stored in, and processed in countries other than your own, including the United States, where data-protection laws may differ from those in your country.

Where we transfer personal information from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (and the UK Addendum or the Swiss equivalent, as applicable), supplemented by additional technical and organizational measures where needed. You may request a copy of the relevant safeguards by emailing info@fonlescompany.com.

9. Data retention

We retain personal information only as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Specific retention periods include:

Profile data: for the life of your account, plus up to 90 days after deletion to allow recovery and to satisfy backup-rotation cycles.
Wish recordings & transcripts: by default, up to 24 months from creation, after which the recording is permanently deleted. You may request earlier deletion.
Analytics events: up to 36 months in identifiable form; we may retain aggregated, de-identified analytics for longer.
Diagnostics & logs: up to 12 months.
Communications with us: up to 36 months after the matter is resolved.
Tax, accounting, and legal records: for the period required by applicable law.

When personal information is no longer needed, we delete or de-identify it. De-identified data may be retained and used for analytics and product improvement.

10. Security

We implement administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, or destruction. These include encryption in transit (TLS), encryption at rest for stored content, access controls based on least privilege, network segmentation, server-side row-level authorization, audit logging, and routine security reviews of our processors. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

You are responsible for keeping your device, operating system, and App updated, and for using the lock-screen and biometric protections available on your device.

11. Your rights — global

Subject to applicable law, you may have the right to:

access the personal information we hold about you;
correct inaccurate or incomplete information;
delete personal information;
restrict or object to certain processing, including processing based on legitimate interests;
receive a copy of certain information in a portable format;
withdraw consent for processing based on consent;
opt out of marketing communications; and
lodge a complaint with a supervisory authority (see Section 24).

To exercise these rights, email info@fonlescompany.com. We may need to verify your request and may ask for information to confirm your identity. We will respond within the period required by applicable law (typically within 30 days). You may use an authorized agent to make a request on your behalf where permitted by law.

12. EEA, UK & Switzerland (GDPR)

In addition to the rights above, if you are in the EEA, UK, or Switzerland you have the right to lodge a complaint with your local data-protection supervisory authority. A list of EEA authorities is available at edpb.europa.eu. The UK supervisory authority is the Information Commissioner’s Office (ico.org.uk). The Swiss authority is the Federal Data Protection and Information Commissioner (edoeb.admin.ch).

We have not appointed an EU representative or UK representative under Articles 27 GDPR / UK GDPR because we believe we are not required to. If this changes, we will update this Policy. In the meantime, you may always contact us at info@fonlescompany.com.

13. California (CCPA / CPRA)

This Section provides additional disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, “CCPA”). It applies to personal information of California residents.

13.1 Categories of personal information

In the past 12 months we have collected:

Identifiers (e.g., anonymous user ID, install ID, IP address);
Customer records (e.g., first name, date of birth);
Internet/network activity (e.g., usage events, referral data, web logs);
Audio & visual information (the wish recording);
Inferences drawn from the foregoing for personalization and product improvement.

13.2 Sources, purposes, and disclosures

See Sections 3, 4, and 6 above. We disclose the categories above to our service providers for business purposes.

13.3 Sale or sharing of personal information

We do not “sell” personal information, and we do not “share” personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We do not knowingly sell or share the personal information of Users under 16.

13.4 Sensitive personal information

We do not use or disclose sensitive personal information for purposes other than those permitted under § 7027(m) of the CCPA regulations (i.e., providing the goods or services reasonably expected, performing required services, ensuring security, and quality control).

13.5 Your California rights

Right to know, access, and obtain a copy.
Right to delete.
Right to correct.
Right to opt out of sale or sharing (n/a — we do neither).
Right to limit the use of sensitive personal information (n/a — we do not use sensitive personal information beyond permitted purposes).
Right to non-discrimination for exercising your rights.

To exercise these rights, email info@fonlescompany.comwith the subject line “California Privacy Request”. You may designate an authorized agent in writing.

14. Other U.S. state rights

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and other U.S. states with comprehensive privacy laws may have additional or analogous rights, including the rights to access, correct, delete, port, opt out of targeted advertising, and appeal a denial of a request. To exercise these rights or appeal a decision, email info@fonlescompany.com.

15. Brazil (LGPD)

If you are in Brazil, you have the rights described in Article 18 of the LGPD, including confirmation, access, correction, anonymization, blocking, deletion, portability, information about third parties, and withdrawal of consent. Our processing is based on the legal hypotheses of execution of a contract, legitimate interest, consent, and compliance with legal obligations.

16. Children’s privacy

The Service is not directed to children under 13 (or under 16 where local law requires). We do not knowingly collect personal information from children below the applicable minimum age. If we learn that we have, we will delete it as soon as reasonably possible. Parents and guardians who believe a child has provided us with personal information may contact us at info@fonlescompany.com.

17. Cookies & similar technologies

The App does not use browser cookies. The website at kirigo.fonles.com uses only strictly necessary, first-party cookies and local storage required to operate the site (e.g., to remember your accepted cookie banner, where presented). We do not use third-party advertising cookies, cross-site trackers, or analytics cookies on the website unless we update this Policy and obtain any consent required by your local law.

18. Push notifications

If you grant permission, the App may send push notifications that form part of the Kirigo narrative (e.g., a notification informing you that “your wish has been granted”) and operational notifications (e.g., service updates). You can disable notifications at any time in your operating-system settings. Disabling notifications does not affect your ability to use the Service.

19. Marketing & communications

Where permitted by law, we may send you marketing communications about new features or releases. You can opt out at any time by following the unsubscribe link in any marketing email or by emailing info@fonlescompany.com. We will continue to send you transactional and operational communications (e.g., security alerts, changes to these policies).

20. Automated decision-making & AI

The Service uses automated processing, including machine-learning components, to (a) transcribe your wish in your detected language, (b) generate the in-experience narrative response, (c) personalize timing and copy, and (d) detect abuse. These automated processes do not produce legal or similarly significant effects on you under Article 22 GDPR.

We may use de-identified or aggregated content from the Service to evaluate, debug, and improve our models. Where we wish to use identifiable content for model training beyond the immediate delivery of the experience, we will obtain your consent or rely on another lawful basis required by your jurisdiction.

21. Do Not Track

We do not currently respond to browser “Do Not Track” signals because no consensus standard exists. We honor the Global Privacy Control (GPC) signal where required by applicable law as a request to opt out of sale or sharing of personal information.

22. Third-party links

The Service may contain links to third-party websites or services (including app-store pages and the websites of our processors). We are not responsible for the privacy practices of those third parties.

23. Changes to this Policy

We may update this Policy from time to time. The “Last updated” date at the top reflects the most recent revision. If we make material changes, we will provide additional notice (e.g., in-app notice or email, where appropriate). Your continued use of the Service after changes take effect constitutes acceptance of the revised Policy.

24. Contact & complaints

Fonles — Kirigo
Privacy: info@fonlescompany.com
DPO / Legal: info@fonlescompany.com
General: info@fonlescompany.com
Website: kirigo.fonles.com

If you are not satisfied with our response, you may also lodge a complaint with the data-protection authority of your country.