KurdPad Privacy Policy
Effective: 2026-05-22 · Contact: contact@kurdai.org
KurdPad is a Kurdish keyboard for Android (Sorani Arabic, Sorani Latin, Kurmancî, English) with optional cloud voice typing, operated by Kurd AI. This page summarises what we collect, why, where it goes, and your rights over it.
What we don't collect
- Your keystrokes or typed text — what you type never leaves your device.
- Analytics, advertising IDs, or third-party trackers.
- Contacts, photos, location, or files outside the keyboard's own working storage.
- Device identifiers (IMEI, MAC address, Android ID).
What we collect (and only this)
- Voice audio — only while you hold the microphone button. Sent over HTTPS to our speech server, transcribed, and discarded. Not stored.
- Email address — only if you choose to sign in. Used solely to send your magic-link sign-in.
- Anonymous user ID — auto-generated on first launch; used to track your daily voice quota.
- Daily voice transcription count — for quota enforcement. Anonymous and signed-in tiers have different daily limits; current values are shown in the app.
Where data goes
| Service | Purpose |
|---|
| Supabase | Authentication and per-user daily quota database. |
| RunPod | GPU server that runs the speech model. Audio held in RAM only, not persisted. |
| Cloudflare | Encrypted edge network in front of the speech server. |
| Google Play | Distribution and (optionally) device-integrity verification. |
If your data crosses the EEA / UK boundary, we rely on Standard Contractual Clauses provided by these processors.
How long we keep it
- Voice audio — not retained; discarded after transcription.
- Email + user ID — until you ask us to delete it.
- Daily quota counter — resets daily.
- Microphone permission flag — stays on your device only.
Your rights (GDPR / UK GDPR)
You can ask us to access, correct, delete, restrict, port, or object to processing of your data. Email contact@kurdai.org — we reply within 30 days. You can also lodge a complaint with your national data-protection authority.
Security
- TLS 1.2+ for all network traffic (cleartext blocked at the OS level).
- AES-256-GCM encryption at rest for your authentication token, via Android's hardware-backed Keystore.
- ES256 (elliptic-curve) signatures for authentication tokens.
- Excluded from Google's cloud backup and device-transfer features.
Children
KurdPad is not directed at children under 13 (or under 16 where local law applies).
Changes to this policy
We may update this policy. The "Effective" date above reflects the latest revision; material changes will be announced in the app or by email.