ReppoChat Privacy Policy

Last updated: June 18, 2026

Effective date: June 18, 2026

kukuDev ("Operator") values the privacy of users of the ReppoChat mobile application ("App" or "Service") and the privacy of their conversations. This Privacy Policy explains what information is stored on the user's device and what information may be transmitted or processed for service operation or by third-party service providers.

1. Core Principles

  1. The Operator does not transmit conversation text, prompts, AI responses, detailed persona settings, or memory slot contents to the Operator's servers or to external AI APIs.
  2. After the model file is downloaded, AI response generation and recognition of photos attached to chats are performed on the user's device.
  3. Conversation history, personas, relationship state, long-term memory, and search indexes are stored in an encrypted local database on the user's device.
  4. Information transmitted to servers is limited to metadata necessary for service operation, such as model downloads, ads, purchase verification, error analysis, report processing, security, and abuse prevention.
  5. The Service currently does not require a separate membership sign-up or login account. Platform features such as Google Play purchases, AdMob ads, and Firebase App Check may be connected to each provider's account and device systems.

2. Information Processed and Purposes

2.1 Information Stored Only on the Device

The following information is generally stored on the user's device and is not transmitted to the Operator's servers or to external AI APIs.

CategoryProcessed ItemsStorage LocationPurposeRetention
Policy consent informationAgreement to the Terms of Service, agreement to the Privacy Policy, confirmation that the user is 16 or older, accepted policy versionSharedPreferencesConfirm onboarding completion and determine whether re-consent is requiredUntil app data is deleted or policy re-consent is required
Persona informationName, age, gender, occupation, appearance, personality tags, MBTI axis values, speech style, likes, dislikes, background narrative, avatar image pathSQLCipher local DB and app-specific file areaCreate AI characters, assemble chat prompts, display the friends listUntil deleted by the user or app data is deleted
User relationship settingsUser gender, user age range, persona's role toward the user, user's role toward the persona, initial intimacySQLCipher local DBMaintain how the persona addresses and relates to the userUntil persona deletion, relationship reset, or app data deletion
Conversation informationUser messages, AI responses, message creation time, chat room, FTS search indexSQLCipher local DBDisplay conversations, assemble recent conversation context, enable local searchUntil message, chat room, persona, or app data deletion
Chat attachment imagesImage files created by re-encoding photos attached by the user as an original-aspect-ratio PNG (EXIF removed), and the image path associated with the messageApp-specific file area and SQLCipher local DBShow photos in chat and perform on-device vision recognitionUntil message, chat room, persona, or app data deletion
Memory informationLong-term memory slots, important facts, preferences, key events, promises, emotional state, pinned state, salience scoreSQLCipher local DBRelationship progression, long-term-memory-based responses, memory management screenUntil memory deletion, relationship reset, persona deletion, or app data deletion
App lock informationPIN hash, biometric authentication setting, PIN failure count, retry cooldown timeDevice secure storageApp lock, PIN verification, short retry delay after repeated failures (up to 30 seconds, not permanent lockout)Until the user removes the app lock setting or app data is deleted
Local ad-removal stateWhether ad removal is active, copy of purchase tokenDevice secure storageMaintain purchase state and hide ads on restartUntil purchase state or app data is deleted
Model files and runtime settingsModel file, model ID, SHA-256, file size verification marker, active model, per-model CPU/GPU settingsApp-specific file area and SharedPreferencesOffline AI inference, model integrity verification, local runtime setting persistenceUntil the user deletes model files or app data
Local report queueTarget message ID, target persona ID, report reason, status, report timeSQLCipher local DBOffline report queue, retry, report rate limitingUntil transmission completion, expiry processing, or app data deletion
Backup filesEncrypted .reppo files containing personas, relationship states, chat sessions, messages, memory slots, avatar images, and chat attachment image dataLocation selected by the user for sharing or storageData transfer, archiving, restorationUntil the user deletes the backup file

2.2 Information That May Be Transmitted to Servers or Third-Party Services

The following information may be transmitted to the Operator's server-side functions or third-party services to the extent necessary to operate the Service.

CategoryTransmitted ItemsRecipientPurposeRetention
Model download configurationApp version, Firebase Remote Config request information, model ID, model filename, model size, SHA-256, and other information needed to retrieve configuration valuesFirebase Remote ConfigCheck currently available models, check whether downloads are enabled, determine forced updatesAccording to Firebase settings and log policies
Model URL requestFirebase App Check token, app install hash, requested model ID, request IP, and other HTTP metadataCloudflare Worker, Firebase App CheckVerify genuine app requests, issue presigned URLs, prevent download abuse, rate limitFor the period necessary for abuse prevention and log retention
Model file downloadPresigned URL request, downloaded bytes, IP address, and other network metadataCloudflare R2Provide model filesAccording to Cloudflare log and security policies
Report informationTarget message ID, target persona ID, report reason, creation timeFirebase Cloud Functions, FirestoreReceive reports of inappropriate responses, improve safety policy, prevent abuseOperated under a policy of deletion after up to 90 days
Purchase verificationGoogle Play product ID, purchase token, order ID, purchase verification result, verification timeFirebase Cloud Functions, Google Play Developer API, FirestoreVerify ad-removal purchases, prevent duplicate token use, restore purchasesFor the period necessary to maintain and restore purchase rights and comply with legal retention obligations
Advertising informationAdvertising ID, device information, ad request, impression, click, and other ad interaction informationGoogle AdMobServe ads, prevent invalid traffic, measure ad performanceAccording to Google AdMob policies
Error and crash informationApp version, OS version, device state, stack trace, error type, model download failure type, device integrity stateFirebase CrashlyticsAnalyze errors, improve stability, understand abnormal device environmentsAccording to Firebase Crashlytics settings and retention policies
App integrity informationFirebase App Check token, Play Integrity related verification informationFirebase App CheckPrevent abnormal app or automated requests, protect Cloud Functions and Worker endpointsAccording to Firebase policies

The Operator does not intentionally collect conversation text, prompts, AI responses, detailed persona settings, or memory slot contents during report processing, error analysis, model download, or purchase verification. Photos attached to chats are stored and recognized only on the device and are not transmitted to the Operator's servers or to third parties through any path, including reports.

3. Information Not Collected

In the current structure of the Service, the Operator does not directly collect the following information.

  1. Email addresses, passwords, phone numbers, or addresses for membership sign-up
  2. Real-name verification information, resident registration numbers, passport numbers, or driver's license numbers
  3. Raw payment instrument information such as credit card numbers or bank account numbers
  4. Server-side copies of conversation text, prompts, AI responses, detailed persona settings, or memory slot contents
  5. Contacts, address books, SMS, or call records
  6. GPS-based precise location information
  7. Raw biometric authentication data
  8. Server-side collection of photos or images. Avatar images use images selected from the gallery, and chat attachment photos use images either selected from the gallery or captured with the system camera app; in all cases they are re-encoded into app-specific storage, and chat attachment photo recognition is performed only on the device and is not transmitted to servers.

Information processed by third-party services such as Google Play, Google AdMob, Firebase, and Cloudflare under their own policies is also subject to the policies of those providers.

4. Local Data Processing

  1. The App uses a local database named reppochat.db, and the database key is stored in device secure storage.
  2. Conversations, personas, relationship states, memory slots, report queues, and search indexes are stored in a SQLCipher-based encrypted DB.
  3. Persona avatar images are stored in the app-specific file area. The App re-encodes images as JPEG so that EXIF and similar metadata are not retained. Photos attached to chats are also re-encoded as an original-aspect-ratio PNG in the same privacy-preserving manner, EXIF and similar metadata are removed, and photo recognition is performed only on the device.
  4. When the user deletes a message, the message is deleted from the local DB and any photo file attached to that message is also deleted.
  5. When the user deletes a chat room, the relevant chat session, messages, and attached photo files are deleted, and the relationship state and memory slots for the relevant persona are reset.
  6. When the user deletes a persona, the persona, relationship state, chat sessions, messages, memory slots, avatar file, and chat attachment photo files are deleted together.
  7. When the user resets a relationship, the relationship state and memory slots are reset and existing messages are excluded from later AI context.
  8. If the App is deleted, app data is deleted, the device is reset, the device is lost, or the backup password is lost, the Operator cannot recover local data.

5. Backup File Processing

  1. The App provides export and import features for backup files with the .reppo extension.
  2. Backup files may include personas, relationship states, chat sessions, messages, memory slots, avatar images, and chat attachment image data.
  3. Report logs are not included in backup files.
  4. Backup files apply PBKDF2-HMAC-SHA256 key derivation and AES-256-GCM encryption based on the backup password entered by the user.
  5. The Operator does not store backup passwords and does not upload backup file contents to servers.
  6. If the user stores or transmits a backup file through an external app, cloud service, messenger, email, or file sharing feature, security and deletion at that location are the user's responsibility.

6. Report Processing

  1. Users may use the in-app report feature if they determine that an AI response is inappropriate.
  2. Information transmitted when reporting is limited to the target message ID, target persona ID, report reason, creation time, and platform information.
  3. The report feature does not transmit message text, prompts, raw AI responses, detailed persona settings, memory slots, or raw device identifiers.
  4. Report reasons are limited to selecting from categories defined in the App, such as inappropriate content, violence, sexual expression, self-harm, and other.
  5. If there is no network connection or server transmission fails, reports may be stored in a local queue and retried.
  6. To prevent report abuse, the App limits the number of reports per minute, hour, day, week, and month.

7. Purchase and Ad-Removal Processing

  1. The ad-removal product is provided through Google Play in-app billing.
  2. The Operator does not directly collect or store raw payment instrument information, card numbers, or bank account numbers. Google Play handles payment processing.
  3. To verify ad-removal purchases, the App transmits the product ID and Google Play purchase token to Firebase Cloud Functions.
  4. Cloud Functions verifies the validity of purchases through the Google Play Developer API and may record the purchase token, product ID, order ID, and verification time in Firestore to prevent duplicate token use.
  5. When purchase verification succeeds, the App may store the ad-removal state and a copy of the purchase token in device secure storage.
  6. Google Play purchase history and server verification information may be used to restore purchases on a new device or after reinstalling the App.
  7. Refunds, payment cancellations, payment failures, payment instrument errors, and receipt verification failures follow Google Play policies and applicable laws.

8. Advertising Processing

  1. Google AdMob ads may be displayed to free users.
  2. Google AdMob may process advertising ID, device information, IP address, app information, and ad interaction information to serve ads, prevent invalid traffic, control ad frequency, and measure ad performance.
  3. Users may manage ad personalization and advertising ID reset through device settings or Google ad settings.
  4. If the user purchases the ad-removal product, the App hides ad containers or stops ad requests.
  5. The App does not transmit conversation text, prompts, AI responses, detailed persona settings, or memory slot contents to the Operator's servers for ad targeting purposes.

9. Error Analysis and Security

  1. The App may use Firebase Crashlytics to improve stability.
  2. Crashlytics may record app version, OS version, device state, stack trace, error type, model download failure type, device integrity state, and similar information.
  3. The Operator designs the App so that Crashlytics does not record conversation text, prompts, AI responses, detailed persona settings, or memory slot contents.
  4. The App may detect abnormal device environments such as rooting or emulators. Under the current policy, detection results are used for stability and security analysis rather than blocking users.
  5. The App may use Firebase App Check and Cloudflare Worker rate limits to restrict abnormal apps, automated requests, and model download abuse.

10. Android Permissions

The App does not directly request sensitive runtime permissions such as contacts, microphone, precise location, or notifications for its core features. Avatar images are processed from files selected by the user through the gallery image selection feature (system photo picker), and chat attachment photos are processed from files the user selects through the system photo picker or captures through the system camera app. Camera capture is delegated to an external camera app, so the App does not declare the camera permission directly, and photo selection likewise does not require separate storage access permission.

Certain standard permissions for network communication, advertising, and biometric authentication may be declared by third-party SDKs (such as Firebase, Google AdMob, and biometric modules) to support model downloads, advertising, and app lock features. In such cases, they are subject to the third-party processing scope described in Article 11 of this Policy.

11. Third-Party Provision and Processing

The following third-party services are used in providing the Service.

ProviderServices UsedPurposeMain Processed Information
Google/FirebaseApp Check, Remote Config, Cloud Functions, Firestore, CrashlyticsApp integrity verification, model configuration, report receipt, purchase verification functions, error analysisApp Check tokens, report metadata, purchase tokens, error information
Google PlayIn-app billing, purchase restoration, purchase verification APIAd-removal payment processing and restorationPurchase tokens, product IDs, order information
Google AdMobMobile advertisingAd serving, invalid traffic prevention, ad performance measurementAdvertising ID, device and ad interaction information
CloudflareWorkers, R2Model file presigned URL issuance, model file download, rate limitingApp Check verification result, install hash, model ID, IP and other network metadata
Operating system and device manufacturersSecure storage, biometric authentication, local files, sharing featuresPIN storage, biometric authentication invocation, backup sharing, local file processingDevice-internal secure storage values, biometric authentication result, file paths

The Operator does not provide conversation text, prompts, AI responses, detailed persona settings, or memory slot contents to these third-party services.

12. International Transfers

Third-party services such as Firebase, Google Play, Google AdMob, and Cloudflare may process information on servers and infrastructure outside the Republic of Korea. Accordingly, model download metadata, report metadata, purchase verification information, advertising information, and error information may be processed on servers operated by Google or Cloudflare in other countries. Each provider's privacy policy and service terms apply to international transfers, security, and retention by that provider.

13. Retention and Deletion

  1. Local data is stored on the device until the user deletes it or deletes app data.
  2. Personas, messages, chat rooms, memory slots, and relationship states may be deleted or reset through in-app deletion or reset features.
  3. .reppo backup files remain at the location where the user saved them. Deleting data inside the App does not delete backup files located in external storage locations.
  4. Report metadata is operated under a policy of retention for up to 90 days for policy improvement and response, followed by deletion.
  5. Purchase verification information may be retained for the period necessary to maintain ad-removal rights, restore purchases, prevent duplicate token use, respond to payment disputes, and comply with legal obligations.
  6. Crashlytics error information, AdMob advertising information, Firebase App Check and Remote Config information, and Cloudflare logs are retained according to each third-party service's retention policies and the Operator's settings.
  7. Information that must be retained under applicable law is retained for the period required by that law and then deleted.

14. User Rights and How to Exercise Them

  1. Users can directly manage personas, messages, chat rooms, memory slots, model files, app lock settings, and backup files through in-app features.
  2. Users can delete local data by deleting the App or using the OS app data deletion feature.
  3. Users can manage advertising ID reset, ad personalization restrictions, notification permissions, and app permissions in device settings.
  4. Requests to access, correct, or delete report metadata, purchase verification information, or error information transmitted to servers may be submitted by email. The Operator will process requests after verifying identity and whether legal retention is required.
  5. Purchase entitlement confirmation or refunds are handled according to Google Play account and payment policies.
  6. If the user loses the backup password, the Operator cannot decrypt or recover the backup file.

15. Children's Personal Information

  1. The Service is not directed to children under the age of 16.
  2. Users under the age of 16 may not use the Service, and guardians should manage the device and app installation state so that children do not use the App.
  3. If the Operator confirms that server-transmitted metadata of a child under 16 has been processed, the Operator will take deletion measures within a reasonable scope, except where retention is required by law.

16. Guidance for Safe Use

  1. Setting an app PIN and device lock can reduce the risk of others viewing the App on the device.
  2. The .reppo backup password should be different from passwords used for other services and should be managed so it is not lost.
  3. If a backup file is shared through cloud services or messengers, the user should check the security settings of that service.
  4. Users should not enter another person's personal information, sensitive information, payment information, address, contact information, or account information in conversations.
  5. AI responses do not replace professional counseling or emergency support. For risks involving self-harm or suicide, violence, medical issues, legal issues, financial issues, or similar matters, users should seek help from appropriate authorities or qualified professionals.

17. Changes to This Privacy Policy

  1. The Operator may revise this Privacy Policy due to changes in applicable laws, service features, third-party SDKs, model download infrastructure, advertising, or payment methods.
  2. If there are material changes, the Operator will provide notice through in-app notices, webpages, update notes, or other reasonable methods.
  3. Users who do not agree to the changed policy may stop using the Service and delete the App and local data.

18. Contact and Privacy Officer

Questions about personal information processing, report data, purchase verification data, error data, or this Policy may be submitted to the following contact.

If reporting or counseling is needed regarding personal information infringement, the following organizations may be used.