Legal

Privacy Policy

Last updated: June 15, 2026

koko VR Theater (“koko,” the “App”) is a media player for Meta Quest published by Krafti SASU(“we,” “us”). This policy explains what data the App handles and why. The guiding principle is simple: koko is local-first. Your media, your servers, and your credentials stay on your device and talk directly to the services you choose. We operate no account system and collect no advertising or behavioural-analytics data.

Who we are

Data controller: Krafti SASU, a Société par actions simplifiée unipersonnelle (SASU) registered in France (RCS Paris 852 598 572), with its registered office at 75 rue Manin, 75019 Paris, France. Contact: contact@krafti.io.

What stays on your device

The following never leaves your headset and is never transmitted to Krafti:

Plex and Jellyfin credentials and tokens. When you sign in to a Plex or Jellyfin server, authentication happens directly between your headset and that server (and, for Plex sign-in, plex.tv). Tokens are stored locally on the device and used only to talk to your servers.
Your media and file metadata. Browsing and playing local, USB, and network files (SMB, FTP, SFTP, WebDAV, DLNA) happens directly between your headset and those sources. Library organisation, tags, watch history, bookmarks, and preferences are stored in a local database on the device.
App settings such as playback, image, and audio calibration.

Uninstalling the App removes this on-device data. You can also export or clear it from within the App’s settings.

Device permissions

Storage / All-files access (READ_MEDIA_VIDEO, MANAGE_EXTERNAL_STORAGE) — to let you browse and play video files you already have on the headset or attached storage. The App reads the files you open; it does not scan or upload your storage.
Microphone (RECORD_AUDIO, MODIFY_AUDIO_SETTINGS) — used only for (a) voice dictation in the system keyboard, which is captured by the Meta system keyboard process, not by koko, and (b) optional Watch Together voice chat (see below). koko does not record or store microphone audio.
Network and Wi-Fi multicast — to reach your servers and discover devices on your local network (DLNA/UPnP).

Watch Together (optional)

If you start or join a Watch Together session, the App uses a signaling server we operate to connect you with the other people in your room. To establish the connection it exchanges an ephemeral room code, short-lived session and peer identifiers, and WebRTC connection details (SDP and ICE candidates).

WebRTC connection details include IP addresses, and the voice and playback-sync streams travel peer-to-peer. This means the other participants in your room may be able to see your IP address. If you enable the “Hide my IP” option, traffic is routed through a relay (TURN) server so your address is not exposed to peers. Voice audio is transmitted directly between peers while a session is active and is not recorded by us.

Server-side room and identity data is minimised and ephemeral: it exists only to broker the connection and is discarded when the session ends. If you mute, block, or report another participant, a report may be written to an abuse log keyed to ephemeral, session-scoped identifiers so we can address misuse.

Diagnostics and bug reports (opt-in)

If you choose to send a bug report or feedback from Settings → Diagnostics, the App sends a scrubbed snapshot — recent application logs, your device model and OS version, and your app settings — to our reporting endpoint so we can diagnose the problem. This is sent only when you submit a report. We use it solely to operate and improve the App.

The in-app web browser

koko includes an optional web browser for sites you choose to visit. Browsing happens between your headset and those websites; their own privacy policies apply. Browsing data is stored locally and can be cleared from the browser settings.

What we do not do

No advertising and no third-party advertising or tracking SDKs.
No behavioural analytics or profiling.
No sale of personal data.
No user accounts hosted by Krafti.

Third parties

The services you connect to handle data under their own policies, including Plex, Jellyfin, your own servers and NAS, any websites you visit in the browser, and Meta (which operates the headset platform and the store through which you obtained the App).

Your rights

Because koko stores your data on your own device, you remain in direct control of it. Where the GDPR or comparable laws apply, you have rights of access, rectification, erasure, and objection regarding any personal data we process (for example, an abuse report you are named in or a bug report you submitted). Contact us at contact@krafti.io to exercise them.

Children

koko is not directed at children and we do not knowingly collect data from them.

Changes

We may update this policy as the App evolves. Material changes will be reflected here with a new “last updated” date.