Search MLAs, places, posts

Ko · Legal & policy

Public record

Operational drafts written for launch. These describe how Ko works, what we collect, and how to file a complaint.

Privacy Policy

Last updated: 11 May 2026

This Privacy Policy describes how Ko (“we”, “us”) collects, uses, stores, and shares your personal data. We comply with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the IT Rules 2021, and the Digital Personal Data Protection Act, 2023 (“DPDP Act”) as it comes into force.

1. What we collect

From your account

  • Identity data passed by your sign-in provider (Google): name, email address, profile picture URL, and a stable provider user ID.
  • Your chosen display name, anonymous-mode flag, bio, and home constituency.
  • Account creation timestamp and last sign-in timestamp.

From your activity

  • Posts, comments, votes, reports, and resolution requests you create.
  • Photos you upload, stored on Amazon S3 in the ap-south-1 (Mumbai) region.
  • Server-side request logs (timestamp, IP, user-agent) for abuse prevention; retained 90 days.

What we do not collect

  • We do not collect Aadhaar, PAN, bank account details, or biometric identifiers.
  • We do not collect precise location (we may infer your home constituency only if you provide it).
  • We do not run third-party advertising trackers, behavioural tracking pixels, or fingerprinting scripts.

2. How we use it

  • To run the Platform — show your posts, count your votes, surface MLAs, communities, and leaderboards.
  • To moderate the Platform — investigate reports, prevent abuse, and respond to lawful requests.
  • To compute karma, streaks, and similar non-personal aggregates derived from your activity.
  • To send transactional emails (sign-in confirmations, account changes); we do not send marketing emails.

3. Lawful basis (DPDP Act)

We process your personal data on the basis of your consent (provided when you sign in), and for legitimate uses recognised under Section 7 of the DPDP Act including operating the Platform and responding to legal obligations.

4. Sharing

We do not sell your personal data. We share data only:

  • With service providers (Google for sign-in, Amazon Web Services for hosting and image storage) under contracts that limit further use.
  • With law-enforcement and regulatory authorities, on receipt of a valid order, request, or subpoena under Indian law.
  • In aggregate or anonymised form, for research, analytics, or to surface platform-wide statistics.

5. Cross-border transfers

Personal data is stored on servers in India (Amazon Web Services ap-south-1, Mumbai). Sign-in is brokered by Google, which may process the underlying authentication request internationally. By using Ko you consent to this cross-border processing as needed for authentication.

6. Retention

  • Account data is retained while your account is active.
  • When you delete your account, your User Content is anonymised and most personal fields are erased within 30 days, except for data we are legally required to retain (e.g. logs preserved under government directions). Comments and posts that have replies remain visible but the author is shown as “[deleted]”.
  • Server logs: 90 days, then deleted.
  • Backups: 35 days rolling.

7. Your rights

Under the DPDP Act and applicable rules, you may:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data (or correct it yourself in your profile).
  • Request erasure of your account, subject to retention obligations.
  • Withdraw consent (which terminates further processing for that purpose).
  • Nominate a person to exercise these rights on your behalf in case of incapacity or death.
  • File a grievance with our Grievance Officer; if unresolved, with the Data Protection Board of India.

To exercise any of these rights, contact the Grievance Officer (see page). We aim to respond within 7 working days; the IT Rules 2021 require acknowledgement within 24 hours and resolution within 15 days for ordinary grievances.

8. Security

We use industry-standard practices including TLS in transit, access-controlled databases, narrowly scoped IAM credentials, and the principle of least privilege for storage. No system is perfectly secure; we cannot guarantee that data will not be accessed by unauthorised parties, but we will notify the Data Protection Board and affected users in the event of a personal-data breach as required by the DPDP Act.

9. Children

Ko is not for users under 18. We do not knowingly collect data from users under 18. If we learn we have, we will delete the account.

10. Changes

We will update this Policy when our practices change. Material changes will be communicated at sign-in. Continued use after the update constitutes consent to the revised Policy.

11. Contact

Privacy questions or rights requests: see the Grievance Officer page.

Operational draft

Not a substitute for independent legal review. An Indian-licensed lawyer should review these before significant traffic or any commercial activity.