Simple Promise: Your construction data stays on your device. Cloud backup is optional, and only you hold the key to decrypt it. We never see your business data.
What Data We Collect and Process
Email Address & Authentication (Required)
What we collect: Your email address and authentication credentials
Local storage: Your email is also stored in your device's encrypted database (SQLCipher) for offline access
Data Stored Locally on Your Device
The following data is stored exclusively on your device in an encrypted SQLCipher database and is never transmitted to our servers unless you explicitly enable cloud backup:
Project Data: Project names, stages, status, dates, and associated team members
Inventory Data: Material names, quantities, rates, and consumption tracking
Daily Logs: Text notes and optional site photos attached to work logs
Security Data: Encrypted password hash (Argon2id), encrypted PIN code, and recovery phrase metadata (not the phrase itself)
User Preferences: Language selection (English/Malayalam), dark mode setting
Important: K-First does not access, view, or transmit this data to any server unless you enable cloud backup.
Optional Cloud Backup (User-Controlled)
When you explicitly enable cloud backup:
All your local data (projects, expenses, logs, photos) is encrypted on your device using AES-256-GCM before any upload
The encryption key is derived from your unique 12-word recovery phrase, which you generate and must securely store
Encrypted backup files are uploaded to and stored in Firebase Storage (Google LLC)
Zero-knowledge architecture: K-First and Firebase cannot decrypt your backup. Only someone with your 12-word recovery phrase can restore the data
You control storage: Backups remain in Firebase Storage until you manually delete them from Settings → Data → Manage Cloud Backup
Advertising Data (Free Tier Only)
If you use the free tier, rewarded ads are provided by Google Mobile Ads SDK. Google may collect:
Device advertising identifiers (Advertising ID)
Ad interaction data (impressions, clicks)
Device type, OS version, and app version for ad serving
K-First does not receive, store, or use these identifiers. Google processes ad data per their Privacy Policy. You can reset your advertising ID or limit ad personalization in your device settings.
What We DON'T Collect
No location tracking or GPS data
No analytics or usage tracking (no Google Analytics, no Firebase Analytics)
No access to contacts, SMS, phone calls, or microphone
No sharing of your business data with third parties for marketing or analytics
No selling or renting of personal data to advertisers or data brokers
No behavioral profiling or cross-app tracking
How We Share Data
K-First shares data only in these limited, necessary cases:
Firebase Authentication (Google LLC): Your email and authentication credentials are shared with Firebase to provide secure login, password reset, and account management. Firebase processes this data under Google's privacy policies and Terms of Service.
Firebase Storage (Google LLC): When you enable optional cloud backup, encrypted files (which we cannot decrypt) are stored in Firebase Storage. Firebase cannot read your business data without your recovery phrase.
Google Mobile Ads (Google LLC): When ads are enabled (free tier), Google's SDK handles ad delivery using device identifiers per their Privacy Policy.
No Other Sharing: Your construction projects, expenses, inventory, and logs are never shared with, sold to, or disclosed to any other third parties.
Security: How We Protect Your Data
Local Database Encryption
SQLCipher: Your local database is encrypted with SQLCipher (256-bit AES-CBC) and requires your password to unlock
Password Hashing: Passwords are hashed using Argon2id, an industry-standard memory-hard algorithm resistant to brute-force attacks
PIN Security: PIN codes are encrypted and stored in Flutter's secure storage (Keychain on iOS, EncryptedSharedPreferences on Android)
Zero-Knowledge Cloud Backup
You generate a unique 12-word BIP39 mnemonic recovery phrase during setup (never stored on device or server)
This phrase derives a Data Encryption Key (DEK) using PBKDF2 with 100,000 iterations
Backups are encrypted with AES-256-GCM before leaving your device
True zero-knowledge: Without your recovery phrase, backups cannot be decrypted, even by K-First developers, Firebase administrators, or government subpoenas
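The backup flow described above (recovery phrase, PBKDF2 with 100,000 iterations, AES-256-GCM), shown as an added example that is not K-First's code. The PBKDF2 hash (HMAC-SHA256), the per-backup random salt and nonce, the blob layout and all function names are assumptions; the policy does not state them.

```javascript
// Added illustration, not K-First's code. Assumed (not in the policy): HMAC-SHA256 PRF,
// random salt/nonce per backup, layout salt || nonce || tag || ciphertext; no BIP39 checksum check.
const nodeCrypto = require('node:crypto');
const ITERATIONS = 100000; // iteration count stated in the policy
const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;
const HEADER_LEN = SALT_LEN + NONCE_LEN + TAG_LEN;

// Normalize the phrase so case or spacing differences do not change the key.
function deriveDek(phrase, salt) {
  const words = phrase.normalize('NFKD').trim().toLowerCase().split(/\s+/).join(' ');
  return nodeCrypto.pbkdf2Sync(words, salt, ITERATIONS, 32, 'sha256');
}

function encryptBackup(plaintext, phrase) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const nonce = nodeCrypto.randomBytes(NONCE_LEN); // must never repeat under one key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveDek(phrase, salt), nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

// Returns the plaintext Buffer, or null if the phrase is wrong or the blob was altered.
function decryptBackup(blob, phrase) {
  if (blob.length < HEADER_LEN) return null;
  const salt = blob.subarray(0, SALT_LEN);
  const nonce = blob.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const tag = blob.subarray(SALT_LEN + NONCE_LEN, HEADER_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveDek(phrase, salt), nonce);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(blob.subarray(HEADER_LEN)), decipher.final()]);
  } catch (err) {
    return null; // GCM authentication tag did not verify
  }
}

// Constructed sample input: the public BIP39 test-vector phrase, never for real data.
const SAMPLE_PHRASE = 'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about';
const SAMPLE_BACKUP = Buffer.from('{"project":"Site A","stage":"foundation"}');
function demo() {
  const blob = encryptBackup(SAMPLE_BACKUP, SAMPLE_PHRASE);
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 1; // flip one ciphertext bit
  return {
    restored: decryptBackup(blob, SAMPLE_PHRASE).toString(),
    wrongPhrase: decryptBackup(blob, SAMPLE_PHRASE.replace(/about$/, 'above')),
    tampered: decryptBackup(tampered, SAMPLE_PHRASE),
  };
}
```

A wrong phrase and a modified blob both fail the same GCM tag check, so restore code cannot distinguish a mistyped phrase from a corrupted backup.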
Change Email/Password: Update email in Settings → Account; reset password via "Forgot Password" on login screen
Manage Recovery Phrase: Generate, view, and verify your 12-word phrase in Settings → Security → Recovery Phrase
Control Ads: Reset your advertising ID or limit ad personalization in device settings (Android: Settings → Google → Ads; iOS: Settings → Privacy → Tracking)
Delete Firebase Account: Request deletion of your Firebase Authentication account (email + credentials) by emailing firstbridgestudios.app@gmail.com with your registered email
Account Deletion and Data Removal (GDPR/CCPA Compliance)
You have the right to request deletion of your K-First account and all associated data. Here's how:
1. Delete Local Data (Immediate, In-App)
Open K-First → Settings → Account → Delete Account
Confirm deletion (2-step verification with checkbox)
What gets deleted: All projects, expenses, logs, photos, user credentials, and encrypted database from your device
Timeline: Immediate (takes effect immediately)
2. Delete Cloud Backups (Immediate, In-App)
If you enabled cloud backup: Settings → Data → Manage Cloud Backup → Delete Backup
What gets deleted: All encrypted backup files stored in Firebase Storage
Timeline: Immediate (Firebase deletes files within seconds)
Note: After deletion, recovery of cloud backups is impossible (even with your recovery phrase)
Confirmation statement: "I request deletion of my Firebase account and all associated data"
Verification: We will verify your identity (by sending a confirmation email to your registered address) to prevent fraudulent deletion requests
Timeline: We will process verified requests within 30 days and send confirmation email upon completion
What Happens After Full Deletion?
All local data removed from your device
All cloud backups deleted from Firebase Storage
Your email and authentication credentials removed from Firebase Authentication
No data recovery possible (zero-knowledge architecture prevents K-First from retaining decrypted data)
You can re-register with the same email after deletion completes
Important: K-First does not retain any decrypted business data on our servers. After deletion, we cannot recover your projects, expenses, or logs. Ensure you have exported your data before requesting deletion.
Children's Privacy
K-First is designed for adult professionals (18+) in the construction industry. The app is not intended for, and does not knowingly collect data from, children under 13 years of age. If you believe a child under 13 has created an account, please contact us immediately at firstbridgestudios.app@gmail.com.
Data Retention
Local Data: Remains on your device until you delete it manually (via Settings → Account → Delete Account) or uninstall the app
Firebase Authentication: Your email and authentication data remain in Firebase until you request deletion via our support email (firstbridgestudios.app@gmail.com); processed within 30 days
Cloud Backups: Stored in Firebase Storage until you manually delete them (Settings → Data → Manage Cloud Backup → Delete Backup)
Ads Data: Handled by Google Mobile Ads per their retention policies (typically 90 days for ad interaction logs)
No Server-Side Storage: K-First does not operate its own servers or retain any decrypted user data (zero-knowledge architecture)
International Users and Data Transfers
If you enable cloud backup or use Firebase Authentication, your data may be processed in Firebase's global infrastructure:
Firebase locations: Firebase operates data centers globally, including in the United States, Europe, and Asia-Pacific regions per Google's data practices
Encryption in transit: All data transfers use TLS 1.3 encryption
Zero-knowledge protection: K-First does not possess decryption keys for your backups, regardless of Firebase's geographic location
GDPR compliance: Firebase complies with GDPR for EU users (Google LLC has Standard Contractual Clauses for international transfers)
Kerala users: If you are based in Kerala, India, your encrypted backups may be stored in Firebase's Mumbai region (asia-south1) based on Firebase's regional selection. However, due to zero-knowledge encryption, geographic location does not affect data confidentiality.
App Permissions
K-First requests the following Android/iOS permissions:
Internet (android.permission.INTERNET): Required for account creation, login, password reset, optional cloud backup, and ad delivery (free tier)
Storage (READ/WRITE_EXTERNAL_STORAGE): To save local backups (.kfirst files) and store project photos
Camera (android.permission.CAMERA / iOS NSCameraUsageDescription): To capture site photos for daily work logs (optional)
Photo Library (iOS NSPhotoLibraryUsageDescription): To attach existing photos to logs (optional)
Permissions we DON'T request: Location (GPS), Contacts, SMS, Phone, Microphone, Bluetooth, Calendar, Biometric (Face ID/Fingerprint outside of device OS authentication)
All permissions are used only for stated purposes and can be managed in device settings (Android: Settings → Apps → K-First → Permissions; iOS: Settings → K-First).
Third-Party Services
K-First integrates the following third-party services (processors):
Firebase Authentication (Google LLC): For secure user authentication, login, and password reset. Privacy Policy | Terms of Service
K-First does not use other analytics, crash reporting, or tracking SDKs (no Google Analytics, no Firebase Analytics, no Crashlytics, no Mixpanel, no Amplitude).
Changes to This Policy
We may update this privacy policy as we add features or comply with legal requirements. Material changes will be:
Reflected in the "Last Updated" date at the top of this page
Announced in app release notes (visible in Google Play Store changelog)
Notified via in-app banner for significant privacy changes (e.g., new third-party services)
Continued use of K-First after policy updates constitutes acceptance of the revised policy. If you do not agree, please delete your account before the update takes effect.
Contact Us
For privacy questions, data access requests, deletion requests, or to remove your Firebase account data:
We will respond to verified requests within 30 days and can assist with deleting your data from Firebase services upon request. For urgent security concerns, include "[URGENT]" in the subject line.