LEGAL DOCUMENT

Privacy Policy

Last updated: March 5, 2026

1. Introduction

KotKit (“we”, “our”, the “Platform”) respects your privacy and is committed to protecting personal data. This Policy describes how we collect, use, store and protect information when you use our Android app, the kotkit.pro website and related services.

Personal data operator: Дородников Павел Сергеевич (самозанятый, плательщик НПД), ИНН 643908169753. Contact for personal data matters: founder@kotkit.pro. The operator’s details are on the Requisites.

This Policy has been developed in accordance with Federal Law No. 152-FZ of 27.07.2006 “On Personal Data” and Regulation (EU) 2016/679 (GDPR). The full text of the consent to the processing of personal data is on the Personal Data Processing Consent.

2. What data we collect

2.1. Data of all Users

  • Account: name, email (via Google OAuth) or Telegram ID (via Telegram OAuth)
  • Technical information: app version, Android version, device model
  • Analytics: anonymized usage data (Yandex Metrika, Google Analytics)
  • Referral code: when registering via a referral link

2.2. Additional data of Creators

  • TikTok: username, number of followers
  • Device: device identifier (device fingerprint — an anonymous hash)
  • Network: IP address and subnet (/24) — for anti-fraud protection
  • Work data: task history, completion statuses, ratings, strikes
  • Financial data: history of earnings, payouts, referral commissions
  • KOTS points: current loyalty-points balance and the history of accruals across campaigns
  • Push notifications: FCM token (Firebase Cloud Messaging)
  • Application logs: technical information about task execution

2.3. Additional data of Advertisers

  • Campaigns: campaign parameters, content categories, budgets
  • Content: uploaded video files, captions, hashtags
  • Payments: history of balance top-ups and campaign expenses

Data we do NOT collect

  • Passwords for TikTok or other social networks
  • Data from other apps on your device
  • Geolocation, contacts, SMS or call history
  • Bank card details (processed by YooKassa)

3. How we use data

  • Providing and improving the Platform’s services
  • Distributing marketplace tasks and calculating Creators’ rewards
  • Processing payments and withdrawals
  • Accruing KOTS loyalty points for completed tasks
  • Anti-fraud protection: preventing fraudulent registrations, detecting duplicate devices and suspicious patterns (legal basis: legitimate interest, art. 6 cl. 7 of 152-FZ)
  • Moderation of campaign content
  • Technical support and service notifications
  • Aggregated analytics to improve the product

4. Data storage and protection

Security measures:

  • SSL/TLS encryption of all connections + SSL certificate pinning in the app
  • Encryption of sensitive data at rest (AES-256-GCM)
  • JWT authorization with a limited token lifetime

Storage locations:

  • Fly.io — primary database (SQLite)
  • Cloudflare R2 — campaign video files and application logs

Retention periods:

  • Account data: for the lifetime of the account + 3 years after deletion
  • Financial data: 5 years (tax law requirements)
  • Application logs: 90 days

5. Disclosure of data to third parties

We do not sell personal data. We disclose data only to the following categories of recipients:

  • YooKassa — processing payments in rubles (cards, SBP, e-wallets)
  • Cloudflare — CDN, DDoS protection, file storage (R2)
  • Google — OAuth authorization, Firebase (push notifications)
  • Telegram — OAuth authorization
  • Yandex Metrika / Google Analytics — anonymized site analytics
  • VK Реклама (Top.Mail.Ru / myTarget) — measuring advertising effectiveness and remarketing
  • As required by law — where this is provided for by the legislation of the Russian Federation

6. Cross-border transfer and data localization

Where data is processed

Primary processing and storage of data take place on cloud infrastructure located outside the Russian Federation: Fly.io (primary database) and Cloudflare R2 (files and logs). Transfer of data outside the Russian Federation is carried out in accordance with the requirements of art. 12 of Federal Law No. 152-FZ, applying the protection measures described in section 4: encryption of transmission channels and encryption at rest.

Before transferring data to a foreign recipient, we take reasonable measures to verify that the recipient ensures the protection of personal data and uses it only for the agreed purposes. Up-to-date information about the location of the databases is available on request at privacy@kotkit.pro.

Liability for violations (420-FZ of 30.11.2024)

As of 30.05.2025, turnover-based fines for personal data leaks have been introduced:

  • Leak of 1,000 — 10,000 records: fine up to RUB 5 million
  • Leak of 100,000+ records: fine up to RUB 15 million
  • Repeated violations: 1-3% of annual revenue

We apply technical and organizational measures to prevent data leaks, described in section 4.

7. Your rights

In accordance with 152-FZ and the GDPR, you have the right to:

Right of access

Request information about your personal data

Right to rectification

Correct inaccurate or incomplete data

Right to erasure

Request deletion of data (except for data required by law)

Right to withdraw consent

Withdraw consent to processing at any time

To exercise your rights, send a request to privacy@kotkit.pro. We will respond within 30 calendar days.

Limitations: financial data is stored for 5 years in accordance with the requirements of the tax legislation of the Russian Federation.

8. Changes to the Policy

We may update this Policy. We will notify you of material changes by email or via the app. By continuing to use the Platform after changes, you accept the updated Policy.

9. Contacts

For privacy and personal data matters:

Related documents: