Privacy Notice

This Privacy Notice explains how Kin AI ApS (“Kin”, “we”, “us”) processes personal data when you use the Kin mobile app and our website mykin.ai (together, the “Services”).

‍

Kin is built to be privacy-first. Most of your content—such as conversations, journal entries, and memory—stays locally on your device. Some data may be sent from your device to third‑party AI service providers when you use certain AI features (see Section 5).

‍

‍

1. Who we are

Kin AI ApS is the data controller for the personal data described in this Notice.

‍

Kin AI ApS
CVR: 43118420
Sortedam Dossering 55
2100 Copenhagen Ø
Denmark
Email: [email protected]

‍

We do not currently have a Data Protection Officer. If you have questions, contact us at the email above.

‍

2. Key privacy principles

‍

• Local-first by default: Your Kin content (e.g., chats, journal entries, memory) is stored on your device.
• Private AI requests: AI requests are typically routed via a Kin-controlled proxy for secure API handling and reliability, with zero data retention, then forwarded to the AI provider.
• Data minimization: We aim to process the minimum data needed to operate and improve the Services.
• User control: Integrations like Apple Health/Health Connect and optional diagnostics are opt-in and can be disabled.
  ‍

‍

3. Your rights (GDPR)

Depending on the circumstances, you may have the right to:
‍

• Access your personal data
• Rectification of inaccurate data
• Erasure (“right to be forgotten”)
• Restriction of processing
• Data portability
• Objection to processing based on legitimate interests
• Withdraw consent at any time (where processing is based on consent)

‍

You can also complain to the Danish Data Protection Authority (Datatilsynet). For details, visit their website.

‍

4. What data we process and why

This section describes the main categories of personal data we process, our purposes, and legal bases.

‍

4.1 Account and service operations (server-side)

‍

What we process

• Account identifiers and metadata (e.g., internal user ID)
• Authentication-related data necessary to sign in (managed by our identity provider)
• Email address and other account details you provide
• Security and fraud-prevention signals (e.g., device/session information)

‍

Where it is stored/processed

• Our Kin API runs on Cloudflare Workers.
• Certain server-side service data needed to operate accounts and the Services may be stored in Cloudflare D1.

‍

‍

Why we process it

• Create and manage your account
• Authenticate you and secure the Services
• Provide customer support

‍

Legal basis

• Contract (GDPR Art. 6(1)(b)) for providing the Services
• Legitimate interests (GDPR Art. 6(1)(f)) for security, fraud prevention, and service improvement

‍

4.2 Product analytics (PostHog)

‍

What we process

- Pseudonymous usage analytics (e.g., feature usage, events, performance metrics)

- Approximate device/app info needed for diagnostics (e.g., app version, OS)

‍

Why we process it

- Understand how the product is used
- Improve reliability, performance, and user experience

‍

Legal basis

- Legitimate interests (GDPR Art. 6(1)(f)) for product improvement

- Where required by applicable law for certain analytics/cookies: **Consent** (GDPR Art. 6(1)(a))

‍

4.3 “Help Improve Kin” (optional LLM traces via Langfuse)

‍

If you enable “Help Improve Kin” in the app, we log selected AI request/response data (“traces”) to diagnose issues and improve Kin.

‍

What we process

- AI request/response payloads related to the interaction (trace data)
- Technical context needed to debug (e.g., timestamps, model/provider metadata)
- A pseudonymous identifier that is not linked to your identifiable account data (such as email or phone number) within Langfuse

‍

How we use it

- Automated analysis flags unusual or problematic behavior (e.g., errors, failed answers, or user‑reported issues)
- A limited set of Kin engineers may review flagged traces to improve reliability and quality

‍

Retention

- Traces are automatically deleted after 30 days.

‍

Legal basis

- Consent (GDPR Art. 6(1)(a)) — you can disable this at any time.

‍

Your memory and other Kin content remains stored on your device by default.

‍

4.4 Communications (newsletter and service messages)

‍

We use Customer.io to send newsletters and certain service-related messages (for example onboarding or product updates), in accordance with your preferences.
‍

‍What we process

- Email address, name (if provided), and subscription metadata

‍

Why we process it

- Send newsletters when you opt in
- Send essential service communications (e.g., security notices)
- Send in-app service messages

‍

Legal basis

- Newsletter: Consent (GDPR Art. 6(1)(a)) — withdraw anytime via the unsubscribe link
- Service messages: Contract (GDPR Art. 6(1)(b)) or Legitimate interests (GDPR Art. 6(1)(f))

‍

5. Local content and AI processing (device-first)

‍

5.1 Content stored on your device

By default, your Kin content—such as conversations, journal entries, and memory—is stored locally on your device.

‍

5.2 How AI requests are routed

When you use AI features (for example, asking an advisor for help), your device sends:

- Your prompt/message

- Limited, relevant context needed to answer (which may include selected memory or integration summaries)

- System instructions required to operate the feature

‍

To protect our API credentials and ensure reliable delivery, requests (including AI requests) are typically routed through our backend running on Cloudflare Workers. The proxy forwards the request to the relevant AI provider and returns the response to your device.

‍

No content retention by Kin: The proxy is designed to process requests transiently for forwarding (i.e., in-memory) and Kin does not store your request/response content as part of this routing. We may, however, collect minimal technical metadata (such as timestamps, request IDs, error codes, and aggregated performance metrics) for security, abuse prevention, and reliability.

‍

5.3 AI service providers we use

‍

- Anthropic

- OpenAI

- Cerebras

‍

We configure these providers under terms/controls intended to prevent the use of your data for training and to avoid retention beyond what is needed to serve the request.

‍

What we do not do

- We do not store your data on our servers.
- We do not sell your AI inputs.
- We do not use your data for advertisement

‍

6. Health Data Integrations (Apple Health & Android Health Connect)

‍

6.1 Overview

Kin offers optional integrations with Apple Health (HealthKit) and Android Health Connect so you can import selected health and fitness metrics into Kin. These integrations are optional. You can use Kin without connecting Apple Health or Health Connect.

‍

^{6.2 What health data we access (only with your permission)}‍

If you connect Apple Health or Health Connect and grant permissions, Kin may read some or all of the following categories of data (depending on what you approve):

‍

- Activity & movement: step count (and step cadence where available), distances (walking/running/cycling/swimming)
- Workouts/exercise: workout/exercise sessions (including cycling cadence where available)
- Energy/calories: active energy burned and total/basal energy burned
- Sleep: sleep sessions / sleep analysis
- Heart metrics: heart rate, resting heart rate, and heart rate variability (HRV)

‍

Kin only accesses the specific data types you explicitly approve in the Apple Health or Health Connect permissions flow.

‍

6.3 How we use health data

We use these metrics to provide features inside Kin, such as:

- Personalized energy, sleep, recovery, and activity insights
- Trend and pattern detection over time (e.g., relationships between sleep, activity, and energy)
- More relevant advisor check-ins and suggestions (e.g., recovery nudges after high exertion or lighter planning after short sleep)

‍

Kin is not a medical device and does not provide medical diagnosis, treatment, or emergency services.

‍

6.4 Where health data is processed and stored

Health metrics imported via Apple Health / Health Connect are stored on your device. When you request insights that rely on these metrics, the app may include limited, relevant health summaries (for example, “sleep duration trend”, “resting heart rate trend”, “steps trend”) in requests sent directly from your device to our AI service providers solely to generate the requested response.

We do not store raw health metrics on our servers.

‍

6.5 Your choices and controls

You remain in control:

- You can connect or disconnect Apple Health / Health Connect at any time in Kin
- You can grant, deny, or revoke specific data types in iOS/Android settings
- If you revoke permissions, Kin stops reading those data types going forward

‍

6.6 Legal basis

Where required under applicable law (including GDPR), we rely on your consent to access health data via Apple Health / Health Connect. You can withdraw consent at any time by disconnecting the integration and/or revoking permissions.

‍

7. Recipients, international transfers, and disclosures

‍

7.1 Service providers

We use certain service providers to operate parts of the Services (for example, identity/authentication, analytics, AI processing, and infrastructure). These providers act as our processors where applicable and are subject to contractual obligations.

‍

Key providers include:

- Clerk (authentication)
- Cloudflare (Workers and D1 for Kin API; network security and routing)
- PostHog (product analytics)
- Customer.io (email communications)
- Intercom (customer support and support messaging)
- Langfuse (optional tracing when “Help Improve Kin” is enabled)

- Anthropic, OpenAI, Cerebras (AI processing)

‍

7.2 Transfers outside the EU/EEA

Some providers may process data outside the EU/EEA. Where this occurs, we use appropriate safeguards such as the EU Commission’s Standard Contractual Clauses (SCCs) and other lawful transfer mechanisms.

‍

7.3 Legal disclosures

We may disclose data if required by law, to enforce our agreements, or to protect the rights and safety of Kin, our users, or others.

‍

8. Security

We use reasonable administrative, technical, and organizational measures to protect personal data. No method of transmission or storage is 100% secure, but we work to reduce risk through measures such as encryption, access controls, and least-privilege practices.

‍

9. Account deletion

You can delete your account at any time in the Kin app (Settings → Account → Delete account).

‍

Local content: Your chats, journal, memory, and imported health data are stored on your device. Deleting your account will remove server-side account data associated with your account. Local device data can be removed by deleting the app and/or using any in-app deletion options provided.

‍

Processing time: After initiating deletion, we will delete applicable server-side account records within a reasonable period (and in any case in accordance with applicable legal requirements). Some minimal records may be retained where required by law (e.g., compliance, fraud prevention, or accounting), but we aim to minimize such retention.

‍

10. Changes to this Notice

We may update this Notice as Kin evolves. When we make changes, we will publish the updated Notice and update the “Last updated” date above. If changes are material, we may provide additional notice within the app or via email where appropriate.

‍

11. Contact

Questions or requests about this Privacy Notice: [email protected]

‍