Privacy Policy

Information you provide directly:

• Name, email address, and password when you sign up
• Business name, permit class, state, address, and bio if you create a seller account
• Phone number if you opt into SMS notifications (buyers or sellers)
• Payment and payout information (collected and stored by Stripe, not Koti)
• Product photos, descriptions, and reviews you post
• Messages you send through the support chat or to other users
• Food category interests you set on your account for new-seller alerts

Information we collect automatically:

• Device and browser information, IP address, and general location
• Pages you visit, actions you take, and referral sources (how you found Koti)
• Cookies and similar technologies (see Section 7)
• Crash logs and diagnostic information (so we can fix bugs)

Information we collect from the Koti mobile app (with your permission):

• Camera and photo library access — only when you choose to upload a product photo or shop cover image. We never access your photos in the background.
• Push notification tokens— issued by Apple Push Notification Service or Google's equivalent so we can send you order updates and seller alerts. You can disable push at any time in your device settings.
• Approximate location — used to show you nearby sellers. We do not collect precise GPS coordinates and you can decline this permission without losing access to the rest of the app.
• Device identifiers — used by our crash-reporting tool to deduplicate repeat crashes from the same device. Not shared with advertisers.

We use your information to:

• Create and manage your account
• Process orders and payouts
• Send order confirmations, drop alerts, and onboarding messages
• Match buyers with new sellers in their food interest categories
• Verify seller permits and maintain platform safety
• Respond to support requests
• Improve the Platform and develop new features
• Prevent fraud, abuse, and violations of our Terms of Service
• Comply with legal obligations (tax reporting, subpoenas, etc.)

We use trusted third parties to help run Koti. These providers access only the data necessary to perform their services and are contractually bound to protect it:

• Supabase — database hosting and authentication
• Stripe — payment processing and seller payouts via Stripe Connect. Stripe processes payment card data under its own privacy policy at stripe.com/privacy.
• Apple — Sign in with Apple authentication and Apple Push Notification Service for iOS notifications
• Google — Sign in with Google authentication
• Twilio — SMS notifications for drop alerts, subscriber broadcasts, and support
• Resend — transactional and marketing emails
• Shippo — shipping label generation and carrier rate lookups for seller orders that ship
• Anthropic (Claude) — powers the Koti support agent and onboarding concierge
• Meta (Instagram) — optional seller feed integration, only if a seller connects their account
• PostHog — product analytics so we can understand how the Platform is used and improve it. We do not use this data for advertising.
• Sentry — crash and error reporting so we can fix bugs. Crash reports may include device identifiers and non-personal diagnostic data.
• Expo — over-the-air updates and push notification dispatch for the mobile app
• Vercel — hosting and infrastructure

We share your information only in these cases:

• Between buyers and sellers. When you place an order, the seller sees your name and the delivery or pickup info you provide (so they can fulfill the order).
• With service providers listed in Section 3.
• For legal compliance, when required by law, court order, or to respond to valid legal requests.
• In a business transfer, if Koti is acquired or merges with another company, your data may be transferred.

We do not sell your personal information to advertisers or data brokers.

Koti uses Claude (by Anthropic) to power our support chat and onboarding concierge. When you interact with these features, your messages are sent to Anthropic for processing. Anthropic does not use your data to train its models under our API agreement. Support escalations may be saved in our database for human follow-up.

AI-generated content (product descriptions, onboarding emails) uses your seller profile data as context but is reviewable before sending.

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate information in your account
• Delete your account and associated data
• Opt out of marketing emails (each message has an unsubscribe link)
• Opt out of SMS notifications (reply STOP to any Koti text message)
• Disable push notifications at any time in your device settings
• Export your data in a portable format (email us to request)

How to delete your account: In the Koti mobile app, open the Profile tab and tap Delete account at the bottom of the screen. On the web, sign in at kotimade.com and visit Account → Delete Account. Any in-flight orders are automatically refunded and your Stripe Connect account (if you had one) is detached at the same time. Deletion takes effect within 30 days, after which we remove your personal information except where retention is required by law (typically transaction records for tax and fraud prevention, up to 7 years).

Residents of California, Colorado, Virginia, Connecticut, and other states with privacy laws have additional rights under those laws, including the right to know what data we collect and the right to non-discrimination for exercising your privacy rights.

Koti uses cookies and similar technologies for essential functions (keeping you logged in, remembering your cart) and to understand how the Platform is used. We do not use third-party advertising trackers. You can control cookies through your browser settings, though some features may not work without them.

We also use a referral cookie to track which seller's direct link brought you to Koti, so that seller receives 0% commission on their order (instead of the standard 8%).

We keep your personal data as long as your account is active and as needed to provide services. If you delete your account, we remove your personal information within 30 days, except where we are required to retain it for legal, tax, or fraud prevention purposes (typically up to 7 years for transaction records).

We use industry-standard security measures including encryption in transit (HTTPS), encrypted database storage, row-level security, and access controls. No system is 100% secure, but we take reasonable steps to protect your data. If a breach occurs that affects your personal information, we will notify you as required by law.

Koti is not intended for users under 18 to create accounts. For Family Operation (Junior Maker) accounts, the parent or legal guardian holds the account and is responsible for managing any data associated with their child's participation. We do not knowingly collect personal information directly from children under 13. If you believe we have collected such information, please contact us to delete it.

Koti operates in the United States and stores data on US-based servers. If you access Koti from outside the US, your data will be transferred to and processed in the US. Cottage food laws are state-level regulations in the US, and Koti currently only supports sellers operating under US state cottage food laws.

We may update this Privacy Policy from time to time. Material changes will be communicated by email or prominent notice on the Platform. Your continued use of Koti after changes take effect constitutes acceptance of the updated policy.

Questions about your privacy? Want to exercise your rights? Email privacy@kotimade.com or visit our support page.