Privacy Policy Koko


  1. Details of the Data Controller
  2. Information on Processed Data Types and Their Origin
    1. Types of data that we automatically collect
    2. Types of data you transmit to us
      1. User account / profile data:
      2. Optional profile details:
      3. Location data:
      4. Communication data: User
      5. Communication data: Customer service
      6. Notification of Device Access
      7. Social Sign-On:
  3. Processing Purposes & Legal Bases
  4. To Whom We Transmit Your Data
    1. To other users:
    2. To group companies:
    3. To third parties:
  5. Processing Purposes & Legal Bases
  6. Transmission to Countries Outside the EU or the EEA
  7. How Long Will My Data Be Stored?
  8. Information on the Voluntary Nature of the Information
  9. Information About Your Rights
  10. Information About Your Right of Objection
    1. Right of objection on a case-by-case basis
    2. Right of objection on the processing of data for advertising purposes

This Privacy Policy gives you an overview of the processing of your personal data in the context of the use of Koko's offers, online services and mobile applications (hereinafter referred to as the ‘Services’). Furthermore, this Privacy Policy informs you about your rights and the possibilities you have to control your personal data and to protect your privacy. The previous way of processing your data will not change. Due to legal changes, only the specified scope of information in this Privacy Policy is more comprehensive than before. We have always taken the protection of your personal data very seriously and - as before - will continue to implement appropriate organisational, contractual and technical measures to protect your data from unauthorised or unlawful processing and against accidental loss, destruction or damage.

1. Details of the Data Controller

Responsible for data processing is Ideawise Limited, Room 604, Alliance Building, 133 Connaught Road, Central, Hong Kong, Hong Kong. Our representative is SmH GmbH, P.O. Box: 20 04 34, 13514 Berlin, support [at] Ideawise Limited is also meant when the terms ‘we’ or ‘us’ are used below. You can contact our data protection officer at: dataprotection [at] Please note that we are a company based outside the European Economic Area (‘EEA’). As far as you use our Services and data is being processed, these data are transferred to a so-called "third country". Details can be found in section 6 below.

2. Information on Processed Data Types and Their Origin

If we provide the Services for your use, we process personal data from various sources. This is data that we collect automatically - for example, when you visit a website or open an app - as well as other data that you have additionally provided to us.

a. Types of data that we automatically collect

As soon as you open our website or our apps, you submit technical information to our servers. This happens regardless of whether you subsequently register with an account with us to use the Services or not. In any case, this data is recorded every time

  • When you visit our website:

Each time a page is accessed, access data is stored in a file, the so-called server log. The following data is stored: Your IP address, the time, the status of your website visit (status means in this case whether the visit of the website was successful or not) as well as the request that your browser has made to the server to open the page, the amount of data transferred and the website from which you came to the requested page (referrer), as well as the product and version information of the browser used (user agent).

  • when you open our apps:

When using our mobile applications, the following data is stored:

  • Endereço IP
  • Número de identificação do app, nome do app, versão do número do app, e informação baixada da AppStore da qual se fez o download do app
  • Nome do dispositivo, tipo de sistema operativo (iOS / Android)
  • Nome e número da versão do sistema operativo do seu dispositivo
  • Idioma do seu dispositivo móvel

If you create a profile on our Services, we will assign a so-called Unique User ID to it. Besides your chosen profile name, the unchangeable Unique User ID allows us to uniquely assign your profile. We also use cookies and API tokens to process this data. Cookies are small text files that you download to your device that store the above information about you when you use our Services. API tokens are unique identifiers that we use to authenticate you when requesting access to our Services. To learn more about how cookies and API tokens work, which cookies and API tokens we use, and how you can opt-out, click here.

b. Types of data you transmit to us

In addition to the data we receive automatically from all visitors of our Services, we also process other data from registered app users. The exact amount of this data depends on how you use the Services. Personal data that you upload publicly to your profile will be visible to other users (and searchable via the search function within the Services). Your privacy settings can be determined by yourself in your profile settings. The data you provide us with includes:

i. User account / profile data:

Types of data you transmit to us

  • Gender
  • Sexual orientation
  • Email address (either your personal email orin case of Social Sign-On, the e-mail address you use on Facebook)
  • Username
  • Password (personal or with Social Sign-On your Facebook user access token)
  • Location
  • Date of birth
ii. Optional profile details:

The use of the Services is easily possible with only the aforementioned information. However, you may also provide additional personal information in your Profile, such as physical characteristics, personal interests or detailed information about your sexual preferences, political opinions or ideological beliefs. If you like, you can upload personal photos of yourself to your Profile. The scope of this optional data can be determined by yourself via the respective input fields in your Profile settings.

iii. Location data:

When you use our Services, we process your approximate location information to allow you to contact users in your area. You select your location manually when registering or, alternatively,you can give your consent to access the location data transmitted by your device (depending on the device, e.g. via GPS). If you do not select your location manually or grant access to GPS, your location will be determined via IP comparison with MaxMind IP. For more information about these vendors, see Figure 4. Location information and settings can be changed in your Profile or device settings.

iv. Communication data: User

If you communicate with other users of our Services, we save your conversation history so that the conversation history with your chat partners can be permanently displayed.

v. Communication data: Customer service

When you contact Customer Service, written communications between you and our service team staff and notes on such transactions are stored so that we can provide uninterrupted customer service when the communication thread is followed up by other members of our service team.

vi. Notification of Device Access

If you grant Koko access to your camera or photo album, we will only receive the data you actively provide, e.g. photos you upload to the Services and nothing beyond. The same applies to you consenting to the delivery of notifications and the way in which they are displayed. You can change these settings at any time in the device settings and revoke your consent there. Your list of contacts will never be accessed at any time.

vii. Social Sign-On:

You can also use the ‘Login with Facebook’ feature to create your profile. If you choose this feature, you transmit your username on the social network at ("Facebook"), your email address with which you have registered on Facebook, as well as your date of birth and profile photo to us.

3. Processing Purposes & Legal Bases

Nós processamos os seus dados exclusivamente para os seguintes fins:

  • Permitir que você e outros usuários usem os nossos serviços e garantir a sua funcionalidade
  • Providenciar serviços adicionais que você compre
  • Te manter atualizado com informação relevânte sobre os nossos serviços e enviar notificações de sistema ao email que você providenciou
  • Adaptar a provisão dos nossos serviços às suas necessidades
  • Mostrar propagandas que se encaixam aos seus interesses (incluindo participação em competições e rifas)
  • Sempre melhorar o serviço que oferecemos e corrigir erros
  • Detectar e evitar tentativas de fráude
  • Garantir a proteção de menores
  • Permitir a comunicação com atenção ao cliente em qualquer caso de perguntas
  • Analisar a informação que publicas no teu perfil ou que compartilhas usando os nossos serviços
  • Compartir os seus dados com terceiros em caso de uma obrigação legal
  • Guardar o cuidado com atos jurídicos e se defender contra disputas legais
  • Guarantir a segurança do sistema e nossas operações

Ao fazer isso, nós nos apoiamos em várias bases legais de acordo com a Regulação Geral de Dados Pessoais, a estrutura legal para as leis de proteção de dados da Europa ("RGPD"). Nós nos referimos em detalhe nas seguintes bases legais:

O seu consentimento

Quando você visita o nosso site, você concorda com a nossa política de Cookies. Se você deu o seu consentimento ao processamento de dados pessoais para fins específicos, esse consentimento assegura a legalidade do processamento. Ao se registrar e criar o seu perfil, você explicitamente concorda com os seus usos e fins descritos em detalhe na nossa política de privacidade ao preencher a caixa antes de confirmar o formulário de registro. De acordo com isso, se nós processamos os seus dados, é porque você nos deu permissão para fazer isso quando se registrou. O seu consentimento, por tanto, é a base legal mais importante para o processamento dos seus dados. Se você nos providenciar com informação sobre a sua orientação sexual, nós processaremos esse dado exclusivamente com base no seu consentimento.

Respeito de obrigações contratuais

O processamento dos seus dados pessoais é feito também com visão de providenciar serviços dentro do contexto do rendimento do nosso contrato com você. Em muitos casos, o processamento dos seus dados não é apenas justificado pelo seu consentimento, mas também porque estes são necessários para que a Koko possa comprir o contrato com você: para usar os serviços aos quais vocie tem direito descritos em detalhe nos nosso Termos e Condições. Por exemplo, pode ser necessário processar os seus dados se você deseja pagar por ser membro da Koko+, e o processamento de dados para o processamento de pagamento é necessário.

Cuidar de interesses legítimos

Ao se registrar para usar o nosso serviço, você consente ao processamento de dados de acordo com a nossa política de privacidade. Isso é porque nós processamos os seus dados, porque você nos deu permissão. Mas, há alguns casos nos quais nós estariamos no nosso direito de processar dados sem o seu consentimento porque é necessário para proteger os nossos interesses legítimos (ou interesses legítimos de terceiros). Neste sentido, a razão pela qual nós processamos os seus dados também são interesses legítimos. Nós cuidamos de interesses legítimos, por exemplo, se analisamos o conteúdo de imagens ou textos procurando por atos criminais, ou se tomamos ação para o respeito de direitos domiciliarios virtuais. Nestes casos, nós não vamos perguntar se você está de acordo ou não com este processamento, já que o processamento em questão é permitido.

Requerimentos legais ou interesse público

Além disso, temos uma obrigação legal de providenciar certa informação a promotores criminais ou autoridades em casos individuais.

4. To Whom We Transmit Your Data

We treat your personal data with care and confidentially and will only share them with third parties to the extent described below and not beyond.

a. To other users:

As our Services are platforms for getting to know each other, it is in the nature of things that we transmit your profile data and other data (e.g. messages you write and other communication you conduct with other users of the community) to the corresponding users of the Services at your request and on your behalf.

b. To group companies:

We transfer data to our affiliated companies, which form a group with us, within the framework of strict data protection requirements. This is the case, for example, when you make a customer service request. We will then forward this request to SmH GmbH, a service company associated with us. In addition, our development company, TheNetCircle Network Co Ltd. and our Community Management and Marketing teams at Playamedia S.L. receive the information they need to ensure the security and functionality of the Services.

c. To third parties:

In addition, we transmit data to external service providers that enable us to provide the Services. These include hosting providers and providers of analytics platforms. We require these service providers to comply with strict rules to ensure the security of your data when processing personal data on our behalf. Such processing is generally based on contractual regulations. When we state - further below - that there is ‘no adequate level of data protection’, it means that there is no adequacy decision by the European Commission - in these cases, however, we regulate the processing on the basis of other guarantees, such as Data Processing Agreements or standard data protection clauses.


Google LLC is a Privacy-Shield certified provider from the USA. Google Analytics is used to analyse the behaviour of users of our Services. In order to display distances between members or approximate location data in the regional search, we use the services from Google Maps (i.e. Google Geocoding API and Google Places API). We use Google AdWords and its so-called conversion tracking. When you click on an ad placed by Google, a conversion tracking cookie is generated. This cookie loses its validity after 30 days, does not contain any personal data and is therefore not used for personal identification. Google Fabric (including Crashlytics and Answers) and Google Firebase help us monitor the performance of our mobile applications, identify crashes and analyse user behavior. For Android users we also use Google Firebase and its Firebase Cloud Messaging (FCM) service for sending push notifications which can contain personal data. YouTube videos are embedded in our Services in ‘enhanced privacy mode’. While no YouTube cookies are set by this particularly data protection-friendly type of embedding, loading suchpages leads to a connection with YouTube and the DoubleClick network nonetheless. Therefore, a click on an embedded video can trigger further data processing activities which we no longer control.


We use Apple (location USA, Privacy-Shield certified) and its Apple Push Notification Service (APNS) for sending push notifications to iOS users which can contain personal data.


With this survey tool (location Spain, adequate level of data protection) we improve and maintain our community, through means of permanent feedback surveys, as well as regular quizzes, other types of surveys and evaluations. The type of information that is passed on to Typeform depends on the respective survey, and you also decide yourself what content your contribute to such activities.


Sparkpost (location USA, Privacy-Shield certified) is a provider for sending emails. In order to supply you with information via e-mail, we transmit your email address. Sparkpost will delete your email address immediately after an email has been sent to it.


We use Facebook (location USA, Privacy-Shield certified) to facilitate the ‘Log in with Facebook’ feature. All data required during the registration process (e-mail address, date of birth, profile photo) will be transmitted to us by Facebook, on your behalf. We use Facebook's Invite feature to allow users to invite friends from their group of friends on the social network and for usage analysis of our mobile applications. Facebook also publishes advertising through the so-called ‘Facebook Audience Network’ (FAN).


Adjust (location Germany, adequate level of data protection) is used for the evaluation of usage statistics and for the analysis of marketing activities. When you open the app, Adjust collects installation and event data. We use this information to understand how our users interact with our app and to analyze mobile ad campaigns. For such an analysis Adjust uses your anonymized IDFA (iOS) or GAID (Android) and your anonymized IP address. It is not possible to identify you individually.


Kayako (location UK, adequate level of data protection) is our ticketing system to manage customer queries. For each query, your email address, your preview profile picture and your username will be transmitted to Kayako.


This storage service (location Israel, adequate level of data protection) is used to store and deliver users’ videos and images.

Virtual Business Support

In order to approve uploaded images, we work with Virtual Business Support (based in the Philippines, no adequate data protection level). There, uploaded pictures are reviewed and categorised by qualified personnel.

New Relic

New Relic (location USA, Privacy-Shield certified) enables statistical evaluations of the speed of our apps. For this purpose, New Relic processes system data on hardware and software and times-of-use, so-called application data.


Jira and Confluence from Atlassian (location USA, Privacy-Shield certified) are online applications that we use for error management, troubleshooting and operational project management. Principally, no personal data is processed systematically, but in individual cases, when technical issues are reported , personal data like e.g. a username may be mentioned in so-called "tickets" in order to be able to correct these malfunctions in our technical applications as quickly as possible, especially in the case of malfunctions reported by users of the Services.


Slack (US site, Privacy-Shield certified) is an online application that we use for internal communication. Principally, no personal data is processed systematically, but in individual cases, when technical issues are reported, personal data like e.g. a username may be mentioned in so-called "tickets" and therefore also in internal chats of this platform, in order to be able to correct these malfunctions in our technical applications as quickly as possible, especially in the case of malfunctions reported by users of the Services.


We work with "Sentry" from Functional Software, Inc. (US site, Privacy-Shield certified) to find and remove errors that occur in our backend. In the event of a crash or other unexpected errors, information such as the version of the operating system and technical data about the cause of the error is transmitted to Sentry. However, this information does not contain any personal data. We use this tool data solely to increase the stability of our applications.


Koko uses the GeoIO2-Precision database provided by MaxMind Inc. (US site, Privacy-Shield certified). The database contains approximate location/geolocation data for the IP addresses used. This allows us to offer you special services (e.g. approximate distance from other users, search function by location etc.), even if you do not grant us access to GPS data.

Advertising Networks & Affiliates

When you use our app, our ad networks and affiliates can use so-called device IDs to create an anonymous profile of your mobile advertising click behavior. In our app, we work with several mobile advertising partners, including the following companies (the link to their current Privacy Policy and an option to disable behaviour-based advertising, if any, can be found in our cookie matrix. Further information on the stored data can be obtained there.):

  • MoPub (location USA, Privacy-Shield certified)
  • Liftoff (location USA, Privacy-Shield certified)
  • AppLovin (location USA, Privacy-Shield certified)
  • Chartboost (location USA, Privacy-Shield certified)
  • YouAppi (location USA, no adequate level of data protection)
  • Vungle (location USA, no adequate level of data protection)
  • Minimob (location Singapore, no adequate level of data protection)
  • Apple Search Ads (location USA, Privacy-Shield certified)
  • Creative Matters (location Spain, adequate level of data protection)
  • Mobiplay (location USA, no adequate level of data protection)
  • SpykeMedia (location Germany, adequate level of data protection)
  • Appnext (location British Virgin Islands, no adequate level of data protection)
  • Ironsource (location USA, no adequate level of data protection)
  • Fyber (location Germany, adequate level of data protection)
  • Glispa (location Germany, adequate level of data protection)

These cookies and device identifiers can be used to display personalised advertisements. A profile is also created based on look-alike information obtained which Google, Facebook and other third-party ad networks (see list above) receive due to your visits to other websites or apps on their networks. You can disable personalized advertising by changing the settings your device:


On Android, this option is located in the app for Google settings. Depending on the device, this is called ‘Google Settings’ or just ‘Settings’. Under the menu item ‘Google’ -> ‘Ads’ you will find the option ‘Disable interest-based advertising’ or ‘Disable personalized advertising’, depending on the device. Selecting this feature will deactivate personalized advertising.


On iOS, this option is located in the ‘Preferences’ app. Under the menu item ‘Privacy’ -> ‘Advertising’ you will find the option ‘No Ad-Tracking’. The selection can be used to deactivate personalized advertising.

Review of Pictures / Fake Check

In exceptional cases (for example in cases of suspicion of fraud, reporting by other users, etc.) we use the following platforms for checking uploaded images and carry out a so-called fake check by uploading images to the respective search engines:

  • Google Search of Google LLC (location USA, privacy-shield certified)
  • Tineye (location Canada, adequate level of data protection)
  • Bing von Microsoft Corporation (location USA, privacy-shield certified)
  • Yandex (location Switzerland, adequate level of data protection)
  • Baidu (location China, no adequate level of data protection)

We report data to authorities in the event of a legal obligation to do so, based on a request for information from such entitled authorities. All purchasing processes are handled either entirely through iTunes or Google Play, depending on the operating system, in accordance with their Terms & Conditions and Privacy Policy.

5. Processing of Payment Data

If you wish to use your Profile as a Koko+ account or use other paid offers, depending on the payment method you choose, you will provide such information directly to the Apple App Store or Google Play Store, having accepted Terms and Conditions and Privacy Policies. You make your purchases directly through the respective store.

6. Transmission to Countries Outside the EU or the EEA

All servers of the Services are located in the EEA, hence initially your data does not leave the EEA technically, but the technical provision and processing of the data for the operation of the Services takes place in the European Union. However, when you submit data to us, it will be legally transferred to a country outside the EEA, as we have our registered office in the People's Republic of China. In addition, our development company is also based in China, from where it has technical access to the servers in the European Union.
According to the GDPR, China is a so-called "Third Country" in which an adequate level of data protection cannot be guaranteed in principle; there is no corresponding decision on adequacy and there are also no specific guarantees to compensate for this deficit. However, we have concluded strict Data Processing Agreements and standard contractual clauses that work towards a secure level of data protection. What do we mean with the information about China? It means that we may have to transmit data to government agencies there under less stringent conditions than is the case within the EEA. The legal hurdles to the protection of personal data in China are thus generally regarded as lower from a European point of view, as would also be the case for processing in Australia, Russia or India, for example. Until 17.05.2018 (= preparation of this document) there has not been a single case of disclosure of Data to Chinese authorities, also because as a former British colony, Hong Kong continues to enjoy a special status until at least 2047, despite belonging to the People’s Republic of China. In preparation towards GDPR, we have committed ourselves to full transparency in accordance with the GDPR and are therefore happy to comply with this legal requirement and our voluntary commitment, although this transparent approach may at first unsettle some users. Due to the use of external service providers, some data is also transferred to other so-called "Third Countries". You can see exactly what these are and whether there is an adequate level of data protection in each case under point 4c.

7. How Long Will My Data Be Stored?

We process and store your personal data as long as it is necessary for the fulfilment of our contractual or legal obligations. Therefore, we store the data only as long as our contractual relationship with you exists and also after termination only, as far as the laws of the Federal Republic of Germany and the People's Republic of China require this. If the data are no longer necessary for the fulfilment of such obligations, they will be regularly and promptly deleted, unless their further processing is necessary for the protection of legitimate interests or for the preservation of evidence within the framework of statute of limitations.

8. Information on the Voluntary Nature of the Information

You are not required by law to provide us with the above information. In principle, the contractual relationship that you have entered into with us by agreeing to our General Terms and Conditions does not give rise to any obligation to provide this personal data. However, the transmission of mandatory information is a basic prerequisite for concluding a contract with us. Furthermore, you cannot use the Services, or only to a limited extent, if you do not provide us with certain data or object to their use. This is because our Services are essentially only ‘brought to life’ by the content posted by our users. It is not possible to delete an uploaded and approved profile photo if it’s the only one in your profile. However, you could at any time replace your profile picture or delete the entire profile.

9. Information About Your Rights

You can assert the following rights:

  • Your right to information and access under Article 15 GDPR,
  • Your right to rectification under Article 16 GDPR,
  • Your right to erasure under Article 17 GDPR,
  • Your right to restriction of processing under Article 18 GDPR and
  • Your right to data portability under Article 20 GDPR.

If you have any questions in this regard, please contact customer service at support [at] You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before May 25, 2018. However, this revocation will then only be effective for the future. Processing that took place before the revocation is not affected by this. In addition, you have a right of appeal to the competent data protection supervisory authority. This can be the supervisory authority of the representative named under point 1, or the supervisory authority responsible for your place of residence.

10. Information About Your Right of Objection

a. Right of objection on a case-by-case basis

In addition to the rights already mentioned, you have the right to object at any time for reasons arising from your particular situation to the processing of personal data concerning you, which is based on Article 6 para. 1e GDPR (data processing in the public interest) and Article 6 para. 1f GDPR (data processing on the basis of a balance of interests). If you file an objection, we will no longer process your personal data, unless we can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

b. Right of objection on the processing of data for advertising purposes

You also have the right to object at any time to the processing of personal data concerning you for the purpose of direct marketing. If you object, we will no longer process your personal data. Please also note the information in Section 8 of this Privacy Policy: If we terminate the processing due to your objection, it may be that the Services can no longer or only to a limited extent be made available to you. The objection can be made informally and should be addressed to support [at] if possible.