Privacy Policy

Last updated: April 28, 2026

This policy explains what data Kai collects, why we collect it, who we share it with, and the rights you have over it. We’ve tried to write it in plain language. If anything is unclear, email privacy@kaicoach.app.

Who we are

Kai is operated by Thymen van de Lagemaat, an independent developer based in the Netherlands (referred to as “we,” “us,” or “Kai” in this policy). For privacy questions, account deletion requests, or to exercise any of your rights described below, contact us at privacy@kaicoach.app.

Under EU data protection law (GDPR), we act as the data controller for the personal data described in this policy.

What data we collect

Information you provide

  • Account information: email address and (optionally) your name, provided when you sign up.
  • Profile context: your training goals, background information you write into your “About me” section, and any injuries or limitations you choose to share.
  • Chat messages: everything you write to Kai in the app, and Kai’s responses.
  • Check-in preferences: when you want Kai to reach out (day of week, time of day).
  • Training data: workouts you import from Hevy, either by sharing a CSV export or by connecting your Hevy account via API (Premium only).

Information collected automatically

  • Usage data: the number of messages you’ve sent in the current billing period (used to enforce plan limits).
  • Subscription state: whether you’re on the free or premium plan, and your trial status.
  • Push tokens: a device-specific identifier issued by Apple Push Notification Service or Firebase Cloud Messaging, so we can deliver Kai’s scheduled check-ins.
  • Technical metadata: app version, device platform (iOS or Android), and timestamps of significant events (account creation, last sync, last check-in).

Information we do not collect

  • We don’t collect your precise location.
  • We don’t access your phone’s contacts, photos, microphone, or camera.
  • We don’t use third-party advertising or marketing trackers in the app.
  • We don’t sell your data to anyone, ever.

Why we collect it

We use your data only for the purposes below. The legal basis for each purpose under GDPR is noted in parentheses.

  • To provide the core service: chatting with Kai, generating personalized advice grounded in your training data, and delivering scheduled check-ins. (Performance of contract.)
  • To enforce plan limits and process subscriptions. (Performance of contract.)
  • To improve service reliability through technical logs and error detection. (Legitimate interest.)
  • To send transactional emails such as password resets and account verification. (Performance of contract.)
  • To comply with legal obligations, such as tax record-keeping for paid subscriptions. (Legal obligation.)

We do not use your chat content, profile, or training data to train AI models. See “AI processing” below for details.

Who we share it with (sub-processors)

Kai relies on a small number of third-party service providers to operate. Each is contractually obligated to handle your data according to GDPR standards. We share only the minimum data each service needs to do its job.

For each service: what it does, and which of your data it sees.

  • Supabase
    What it does: Primary database, file storage, and authentication.
    Data it sees: All account data, profiles, conversations, messages, training data files.
  • DigitalOcean
    What it does: Hosts our backend API server.
    Data it sees: All requests in transit (chat messages, training queries). No persistent storage of your data.
  • OpenAI
    What it does: Generates Kai’s replies (GPT model inference).
    Data it sees: Your chat messages, profile context, and relevant slices of your training data when needed to answer a question.
  • LangSmith
    What it does: Records traces of AI requests for debugging and quality monitoring.
    Data it sees: Same content as sent to OpenAI, plus metadata about how the agent reasoned through your request.
  • RevenueCat
    What it does: Manages subscriptions and entitlements.
    Data it sees: An anonymous user identifier, your plan, and purchase history. No chat or training data.
  • Apple App Store / Google Play
    What it does: Processes payments for subscriptions.
    Data it sees: Payment information and store account identifiers. We never see your full payment details.
  • Resend
    What it does: Sends transactional email (sign-up, password reset).
    Data it sees: Email address and the contents of those emails.
  • Apple Push Notification Service / Firebase Cloud Messaging
    What it does: Delivers push notifications to your device.
    Data it sees: Push tokens and notification text (e.g., the body of a check-in).
  • Expo Application Services
    What it does: App builds, over-the-air updates, push notification routing.
    Data it sees: Anonymous device installation IDs, app version, push tokens, and the content of notifications routed through their service.
  • Hevy
    What it does: Source of your training data (Premium API sync).
    Data it sees: Receives an authenticated request from Kai using an API key you provided. Hevy does not receive any Kai data; the flow is one-way (Hevy → Kai).
  • Cloudflare
    What it does: Hosts this website (kaicoach.app) and provides DNS.
    Data it sees: Standard web request data: IP address, user agent, page visited. Not linked to your Kai account.

Several of these services are based in the United States. Where personal data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses or equivalent safeguards approved by the European Commission to protect that data.

AI processing

Kai’s replies are generated by large language models running at OpenAI. When you send a message, that message, your profile context, and any relevant portions of your training data are sent to OpenAI to generate a response.

OpenAI has confirmed in their API terms that data sent through the API is not used to train their models. We do not opt into any training-data sharing. Your data is used only to generate the response you asked for.

We use LangSmith to record traces of these AI requests. This means the prompts sent and responses received, along with technical metadata about how the agent processed your request. We use these traces only to diagnose problems, improve quality, and detect bugs. They are never shared externally and are stored according to LangSmith’s default retention policy (currently up to 400 days).

Data retention

We keep your data only as long as we need it to provide the service:

  • Account data, conversations, and training data: kept until you delete your account.
  • Usage records: kept for the current billing period plus the previous 12 months.
  • Subscription and payment records: kept for 7 years to meet Dutch tax obligations.
  • Technical logs and AI traces: retained automatically by our service providers (typically 30 to 400 days), then deleted by them.
  • Encrypted backups: overwritten on a rolling schedule of up to 30 days.

When you delete your account, your profile, conversations, training data, and push tokens are removed from our active systems immediately. Copies in encrypted backups are overwritten within 30 days. AI traces in LangSmith and request logs at our hosting providers are not retroactively deleted, but expire automatically according to their retention policies. We are actively improving this; future versions will scrub user-identifying metadata from traces sooner.

Your rights

Under GDPR (and similar laws in other regions), you have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate data (you can edit your profile and goals directly in the app).
  • Deletion: permanently delete your account and associated data. You can do this from the app: Menu → Settings → Delete account. See our account deletion page for details.
  • Restriction: ask us to limit how we process your data.
  • Portability: receive a machine-readable copy of your data.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: where processing relies on consent, you can withdraw it at any time.
  • Lodge a complaint: if you believe we’re mishandling your data, you can complain to your local data protection authority. In the Netherlands, that’s the Autoriteit Persoonsgegevens.

To exercise any of these rights, email privacy@kaicoach.app. We’ll respond within 30 days. We may ask you to verify your identity before fulfilling a request that concerns your account.

Children

Kai is not intended for children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us at privacy@kaicoach.app and we will delete it.

Security

We take reasonable technical and organizational measures to protect your data, including encryption in transit (HTTPS / TLS), encryption at rest in our database and backups, encrypted storage of third-party API keys (e.g., your Hevy API key) using industry-standard symmetric encryption, access controls limiting who on our team can see what, and regular software updates to address security issues.

No system is perfectly secure. If we ever experience a data breach that affects you, we will notify you and (where required) the relevant regulator without undue delay.

This website (kaicoach.app)

This website is hosted on Cloudflare Pages. We use Cloudflare Web Analytics to understand basic traffic patterns (page views, referrers, country-level location). It does not use cookies, does not track individuals across sites, and does not collect personally identifiable information. Because of this, we do not show a cookie consent banner.

We do not use Google Analytics, advertising trackers, or any cross-site tracking technology on this site or in the app.

Changes to this policy

We’ll update this policy as the service evolves. The “Last updated” date at the top reflects the most recent revision. For material changes (new sub-processors, changes to data use, expanded data collection), we’ll notify users by email or in-app message before the change takes effect.

Contact

For any privacy question, request, or concern: privacy@kaicoach.app.

Built by Thymen van de Lagemaat · Utrecht, NL · support@kaicoach.app