Privacy

Your data, our responsibility

This page explains how KOHSTO handles data collection, analytics, security, and monetization to remain transparent and respectful of your privacy. Last updated: 12 October 2025.

Minimal collection

KOHSTO defaults to a guest mode; optional accounts only add the data needed for multi-device synchronisation.

  • When you visit as a guest, we keep aggregated technical logs (timestamp, route, country, truncated user agent) for security and observability
  • A Supabase account stores your email, hashed password, locale, watchlists, preferences (genres/countries), search history, and configured alerts
  • Guest watchlists and caches (genres, viewed titles) stay in your browser via localStorage only if you accept the 'Preferences' category

Responsible analytics

We focus on aggregated indicators and limit trackers to explicitly consented needs.

  • Vercel Analytics and Speed Insights measure performance and errors without cookies, retaining aggregated data for 30 days
  • Google Tag Manager and Google Analytics 4 load only after 'Statistics' consent; GA4 anonymises IPs and avoids ad identifiers
  • PostHog is not active in production; no other profiling tool is deployed

Transparent monetisation

Revenue covers infrastructure costs without individual profiling.

  • Google AdSense triggers only after 'Marketing' consent; Google may set its own cookies based on your choices
  • Affiliate redirects (/redirect/[provider]) notify KOHSTO Cloud about the provider, platform, and optionally a device identifier supplied by your device
  • The Buy Me a Coffee button leads to Buy Me a Coffee Inc., which processes payment data directly

Hosting & security

We select compliant providers and apply proportionate security measures.

  • Web app, CDN, and error logs: Vercel Inc. (EU/US) with 30-day retention
  • Database, authentication, and transactional email: Supabase B.V. (EU)
  • Cache, rate limiting, and abuse counters: Upstash Inc. (serverless Redis, TTL up to 24 h)
  • Country resolution: ip-api.com (United States) receives your IP to return a country code; only the result is stored for 24 h in our cache

Your rights

Under GDPR and French data protection law you may exercise the following rights:

  • Access, rectify, export, or delete your Supabase account and associated watchlists
  • Request restriction or objection to processing based on legitimate interest (technical logs, rate limiting)
  • Withdraw cookie consent at any time via the Cookiebot icon or by clearing cookies
  • Contact the CNIL (www.cnil.fr) if KOHSTO’s answer does not satisfy you

Processors involved

We work with a limited set of processors, each applying appropriate security for its scope.

  • Supabase B.V. (EU) – authentication, database, and transactional email
  • Vercel Inc. (EU/US) – hosting, CDN, analytics, and speed insights
  • Upstash Inc. (EU/US) – Redis cache and abuse prevention
  • Cybot A/S (Denmark) – Cookiebot for consent management
  • Google LLC (USA) – Google Tag Manager, Google Analytics 4, and Google AdSense (subject to consent)
  • IP-API.com (USA) – IP geolocation service

Consent management

The Cookiebot banner lets you fine-tune which categories of trackers are enabled on KOHSTO.

  • Essential: Supabase cookies and session storage required for security and authentication
  • Preferences: enables local storage (guest watchlist, filters, language)
  • Statistics: loads Google Analytics 4 and sends page_view events
  • Marketing: activates Google AdSense and partner affiliate tags

Need clarification?

Email contact@kohsto.com; we respond within five business days. Include your account email to speed up the process.


Support this project

If you find this service useful and wish to help it grow, you can buy me a coffee! Every contribution helps maintain and improve the platform. ☕
