Privacy Policy

What Koher collects, why, and what it does not do with it.

Last updated: 30 April 2026

Who runs Koher

Koher is a practice run by Prayas Abhinav, an individual based in Ahmedabad, India. There is no legal entity behind Koher — no company, no trust, no NGO. Under the Digital Personal Data Protection Act, 2023, Prayas is the Data Fiduciary for personal data processed through Koher; you are the Data Principal.

Contact: hello@koher.app for general questions, prayas@koher.app for direct correspondence. For grievances, see the Grievance Officer section below.

Purpose limitation and lawful basis

Personal data collected through Koher is used only for the purposes described in this policy. It is not repurposed for advertising, profiling, or sold to third parties.

The lawful basis for processing is your consent (given when you submit content to a hosted tool, write to Koher, or donate), supplemented by the "legitimate uses" recognised under the DPDP Act for safeguarding the security and integrity of services. You may withdraw consent at any time — see Your rights and How to withdraw consent below.

What is collected, and why

Submissions to hosted tools

When you use a hosted demo at *-demo.koher.app — Coherence Diagnostic, Play Shape Diagnostic, Fragment Mapper, and others — your submission (text, selections, fragments) is processed to produce the tool's response and logged.

Submissions are logged for one purpose: to improve the accuracy of Koher's underlying classification models. They are never sold, shared with third parties for marketing, or used commercially. No human reads your submission as a routine matter; logs are reviewed in aggregate during model retraining.

If you do not want your submission logged, run the open-source version yourself. The codebase is at github.com/koherarchitecture. Self-hosted tools log nothing by default.

Anonymous session identifiers

Some tools (currently Play Shape Diagnostic, with others migrating) set an anonymous user_id cookie. This identifier links a sequence of actions within one session — for example, the steps of a diagnostic — but does not connect to any name, email, or external identity. The cookie is first-party and not shared.

Bot protection

Hosted tools use Cloudflare Turnstile to distinguish humans from automated traffic. Turnstile may receive technical signals from your browser (IP address, user agent, headers). Turnstile is privacy-respecting by design and does not track users across sites. See Cloudflare's privacy policy for details.

Pageview analytics

Pageviews on koher.app are counted by a self-hosted analytics service at analytics.koher.app. Stored fields: page path, referrer, anonymised IP, user agent, timestamp. There is no cross-site tracking, no advertising integration, and no profile is constructed. Data is held on Koher's own infrastructure.

Donations

If you support Koher through the Support page, payment is processed by Razorpay. Razorpay receives your name, email, and payment details; Koher receives a payment ID and amount. Razorpay is responsible for the security of payment data under its privacy policy.

Email

If you write to Koher, your email address and the contents of your message are stored in standard email systems (Google Workspace) for as long as needed to respond and maintain a record of the correspondence. Mailing lists are opt-in only.

Server logs

Standard web server logs (IP address, request path, status code, user agent, timestamp) are kept for security and operational purposes for up to 30 days, then rotated.

Third parties

Service	What is shared	Why
Anthropic (Claude API)	Tool inputs that need language narration	Generating the language layer of tool responses
Cloudflare	DNS, CDN, Turnstile signals	DNS resolution, denial-of-service protection, bot mitigation
Razorpay	Name, email, payment details (only if donating)	Payment processing
Google Workspace	Emails sent to or from Koher addresses	Email delivery and storage
Hosting provider (CapRover on VPS)	Server logs, application data	Running the tools and the website
Meta (Facebook, Instagram)	Posts published by Koher to its own Page and Instagram Business account	Reaching readers on those platforms

Anthropic's commercial terms specify that Claude API inputs and outputs are not used to train models and are retained only as needed for safety. See Anthropic's commercial terms.

Social media accounts

Koher publishes to its own Facebook Page and Instagram Business account through Meta's Graph API. This activity is one-way: Koher posts content. Visiting Koher's social profiles is governed by Meta's privacy policy, not Koher's. No user data from Koher tools is shared with Meta.

Cookies

Koher uses the minimum cookies needed to operate:

• An anonymous user_id cookie on tools that need to link steps within one session.
• Cloudflare Turnstile cookies for bot protection.
• A first-party analytics cookie or local storage entry for unique-visitor counting on koher.app.

There are no advertising cookies, no remarketing, and no third-party tracking pixels.

How long data is kept

• Tool submissions: retained as part of the model improvement corpus. You can request deletion of a specific submission if you can identify it (see Your rights).
• Server logs: 30 days, then rotated.
• Pageview analytics: 12 months.
• Email correspondence: as long as needed for the conversation, then archived.
• Donation records: as long as required by Indian tax and accounting law.

Your rights

If you are in India, the European Economic Area, the United Kingdom, or another jurisdiction with data protection law, you have the right to:

• Ask what data Koher holds about you.
• Ask for it to be corrected or deleted.
• Ask for it to be exported.
• Object to processing or withdraw consent (where consent is the basis).
• Complain to your local data protection authority.

To exercise any of these, write to hello@koher.app. Koher will respond within 30 days. Because Koher does not require accounts, identifying your data may require additional information from you.

How to withdraw consent

You may withdraw consent at any time by writing to hello@koher.app. Withdrawal does not affect processing that has already taken place. Where Koher continues to process data on a non-consent basis (for example, as required by law or to maintain the integrity of services), this will be made clear in the response.

Where withdrawal of consent makes a service impossible to provide — for example, refusing all logging while still using a hosted demo — Koher will explain the consequence and point you to the self-hosted version that requires no consent.

Children

Under India's Digital Personal Data Protection Act, 2023, individuals under the age of 18 are treated as children. Koher does not knowingly collect personal data from a child without verifiable parental or lawful guardian consent.

Koher's hosted tools are designed for university students and working practitioners. They are not directed at children. If a school, institution, or guardian asks Koher to support a learner under 18, the consent of the parent or lawful guardian must be confirmed before the tool is used. Tracking, profiling, or targeted advertising directed at children is prohibited and is not done by Koher.

If you believe a child has submitted data to a Koher tool without appropriate consent, write to hello@koher.app and the data will be deleted.

International transfer

Koher operates from India. The third parties listed above (Anthropic, Cloudflare, Razorpay, Google, Meta) operate internationally. Data may be processed in the United States, the European Union, or other countries depending on these providers' infrastructure.

Under section 16 of the DPDP Act, the Central Government may notify countries to which personal data may not be transferred. Koher will comply with any such notification by changing service providers or restricting transfers as required.

Security

Koher uses HTTPS everywhere, keeps software up to date, restricts access credentials to the minimum needed, and stores secrets outside of source code. Despite this, no system is perfectly secure. If you discover a vulnerability, please write to hello@koher.app.

Personal data breach notification

If Koher becomes aware of a personal data breach affecting your personal data, Koher will notify the Data Protection Board of India and affected Data Principals as required under section 8(6) of the DPDP Act. Notification will describe the nature of the breach, the categories of data affected, the likely consequences, and the steps Koher is taking to address it. Koher aims to notify within 72 hours of becoming aware, where feasible.

Grievance Officer

In accordance with rule 3(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the grievance redressal requirements of the DPDP Act, the Grievance Officer for Koher is:

Prayas Abhinav
Grievance Officer, Koher
Ahmedabad, Gujarat, India
Email: hello@koher.app (subject line: "Grievance")

The Grievance Officer will:

• Acknowledge receipt of your complaint within 24 hours.
• Resolve the complaint within 15 days of receipt.
• For complaints relating to content takedown under rule 3(2)(b), act on a court order or government notification within 36 hours.

If you are not satisfied with the response, you may approach the Data Protection Board of India under the DPDP Act, or any other appropriate authority.

Changes to this policy

Material changes will be announced in the Koher changelog and on the website. The "Last updated" date at the top of this page reflects the most recent change.

For the companion document, see Terms of Service.