KOKI'O is launching soon! Follow us on Twitter for release updates.

KOKI'O

Privacy Policy

Last Updated: 15th July 2026 · Effective: 15th July 2026

1.Introduction

This Privacy Policy explains how KOKIO SG PTE. LTD. (UEN 202523545K) ("Koki'o", "we", "us", or "our") handles information in connection with the Koki'o mobile application and related services (the "Service"). We are committed to data minimisation: the Service is designed so that we collect and hold as little information about you as possible.

We operate from Singapore and process and store data in Singapore. We comply with the Singapore Personal Data Protection Act 2012 ("PDPA") and, where applicable to users in the European Economic Area ("EEA") and United Kingdom, the EU/UK General Data Protection Regulation ("GDPR").

2.Our Privacy-First Design

Koki'o is built to let you purchase eSIMs without providing personally identifiable information. We do not ask for your name, email address, phone number, physical address, or government identifiers to create or use an account.

Authentication uses a device-bound passkey (WebAuthn/FIDO2) stored by your device's operating system or password manager. Your account is identified solely by a device wallet address — a blockchain address derived deterministically from your passkey's public-key coordinates and a server-generated value. This identifier is pseudonymous: on its own, and without a live authentication from your device, it cannot be linked to you as an individual, including by us.

We do not integrate advertising networks, analytics SDKs, or tracking technologies that profile you.

3.Data Controller

For the purposes of the GDPR and PDPA, the data controller responsible for the limited personal data processed through the Service is:

  • KOKIO SG PTE. LTD.
  • 165B Telok Ayer Street, Singapore - 068617
  • Data Protection Officer: Arpit Kumar, legal-office@kokio.app
  • General contact: contact@kokio.app

4.Information We Process

4.1Account and Credential Data

When you register, we store a small record associated with your device wallet address, consisting of: the device wallet address, a device unique identifier, the public-key coordinates derived from your passkey, and a server-generated salt used in address derivation. We never receive or store your passkey's private key — it never leaves your device.

4.2Transaction and eSIM Data

When you purchase or top up an eSIM, we process order records, eSIM provisioning details, and payment status. These records are linked to your device wallet address, not to your identity.

4.3Payment Data

We do not collect or store your card numbers, bank details, or crypto funding details. Payments are handled by third-party payment providers (see Section 6). For card payments, a customer reference is created with our payment processor; that reference is created without your name, email, or address.

4.4On-Chain Data

Certain actions (wallet creation, purchases) are recorded on a public blockchain (Base). Blockchain records are public, permanent, and immutable. They contain a wallet address and transaction data, and cannot be altered or deleted by us or by anyone.

4.5Technical Data

To operate and secure the Service we process limited technical data such as network requests, error and security logs, and a per-request correlation identifier. These are used for service operation, security, and fraud prevention, and are configured to avoid containing personal identifiers.

Where the GDPR applies, we rely on the following legal bases:

  • Performance of a contract: to create your account, process purchases, and provision eSIMs.
  • Legitimate interests: to secure the Service, prevent fraud and abuse, and maintain records; balanced against your rights.
  • Legal obligation: to retain transaction records for financial, accounting, tax, and audit purposes.

Under the PDPA, we process data with your consent (deemed or express) and as permitted by the Act's legitimate-interests and business-purpose exceptions.

6.Third Parties and Sharing

We do not sell your data. We share limited data only as needed to run the Service:

  • Payment providers — Stripe (FIAT payments) and MoonPay (Crypto purchases) process your payment independently as their own data controllers under their own privacy policies. MoonPay may perform its own identity verification (KYC) on you; that process and any data you provide to MoonPay are governed by MoonPay's policies, not ours.
  • eSIM service providers / aggregators — provision eSIM profiles under their telecom licences and partner networks. We share only the technical details necessary to fulfil and manage your eSIM.
  • Infrastructure providers — blockchain RPC and cloud infrastructure used to operate the Service, acting as our processors under appropriate agreements.
  • Authorities — where required by law, valid legal process, or to protect rights and safety.

7.International Transfers

We store data in Singapore. Some third-party providers (Section 6) may process data outside Singapore or the EEA. Where we transfer personal data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or transfers to jurisdictions recognised as providing adequate protection, in accordance with the PDPA's Transfer Limitation Obligation and Chapter V of the GDPR.

8.Data Retention

We keep data only as long as necessary. Account and credential data are retained while your account exists. Order, eSIM, and payment records are retained for the period required to meet financial, accounting, tax, and audit obligations, even after account deletion, in pseudonymised form that contains no personal identifier and cannot be linked back to you.

9.Account Deletion

You can delete your account at any time.

9.1How to delete your account

Open the Koki'o app, go to Settings, and select "Delete Account". You will be asked to confirm with your passkey. Deletion is immediate and irreversible.

9.2What is deleted

Your account record and the credential material derived from your passkey (public-key coordinates, salt, and device identifier), and your payment-processor customer reference, are permanently removed from our systems.

9.3What is retained, and why

Order and transaction records are retained in pseudonymised form for the period required by financial and audit obligations. These records contain no name, email, address, or other personal identifier and cannot be linked back to you once your account is deleted.

9.4What cannot be deleted

Transactions published to the public blockchain are permanent and cannot be removed by anyone, including us. They contain a wallet address and no personal information. Any eSIM you have already paid for continues to work on your device until its plan expires; deleting your account does not cancel or refund an active plan.

9.5Why there is no email or web-form deletion request

Koki'o accounts hold no personal data and are secured solely by a device-bound passkey. We therefore have no way to verify, out of band, that a person contacting us is the account holder — an email-based deletion path would be a security risk. Deletion is performed in the app, authenticated by your passkey, which is the only proof of account ownership that exists.

9.6If you have lost your passkey

If your passkey is lost or deleted, the account becomes permanently unreachable. No party, including Koki'o, can access, restore, delete on request, or act on it. Account recovery is not supported by design.

10.Your Rights

Subject to applicable law and the limits imposed by our privacy-first design, you may have rights to access, correct, delete, restrict, or object to the processing of your personal data, to data portability, and to withdraw consent. Because we hold no data that identifies you, and cannot re-identify you from a wallet address without a live authentication from your device, our practical ability to action some requests is limited to what you can perform in-app via your passkey.

To exercise any right, contact us at contact@kokio.app. Where the GDPR applies, we will respond within one month. Where the PDPA applies, we will respond as required by the Act.

11.Data Security

We implement technical and organisational measures appropriate to the risk, including encryption of sensitive values, access controls, secure credential storage on your device, and security logging. No system is perfectly secure, and you are responsible for safeguarding the device and passkey that control your account.

12.Data Breach Notification

If a personal data breach is likely to result in significant harm or risk to your rights, we will notify the relevant supervisory authority and affected users within the timeframes required by applicable law (including within 72 hours under the GDPR and as required under the PDPA).

13.Children

The Service is intended for adults and is not directed to, or intended for use by, anyone under 18. We do not knowingly collect data from minors. If you believe a minor has used the Service, contact us.

14.Changes to this Policy

We may update this Policy from time to time. We will post the updated version and revise the "Last Updated" date, and provide additional notice for material changes where required by law.

15.Contact and Complaints

Questions or concerns: contact@kokio.app.

If you are in the EEA/UK, you may lodge a complaint with your local data protection authority. If you are in Singapore, you may contact the Personal Data Protection Commission (PDPC). We ask that you contact us first so we can try to resolve the matter.