Skip to main content
KKiro

Privacy Policy

Last updated: March 2026

Lawful basis for processing (GDPR Article 6 & 9)

Kiro processes health data (a special category under GDPR Article 9) based on your explicit consent, collected during onboarding before any health information is gathered. You may withdraw consent at any time in Settings — upon withdrawal, your data will be deleted.

What we collect

We collect the information you provide during onboarding (medication type, goals, injection schedule) and daily check-ins (mood, symptoms, weight). We do not collect sensitive financial data. Your email is used solely for account management and, with your consent, for personalized health tips.

How we use your data

Your data is used exclusively to personalize your Kiro experience — daily coaching, progress tracking, and AI-driven support. We never sell your data. We never share it with third parties without your explicit consent.

Sub-processors & data transfers

Your data is processed by the following third-party services, each bound by Data Processing Agreements (DPAs): Supabase (PostgreSQL database, US East region), Clerk (authentication, US), Anthropic (AI coaching via Claude, US), and Vercel (hosting, US). For EU/UK users, transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission. No health data is shared beyond these processors.

Privacy & GDPR compliance

Kiro is designed with privacy first, following GDPR (EU/UK) standards. All health information is encrypted at rest (AES-256 via Supabase) and in transit (TLS 1.3). Access is strictly role-based. All data access is logged in an immutable audit trail.

Data retention

Active patient data is retained for the duration of your account. Check-in and chat data is retained as long as your account exists. Lead emails (quiz) are deleted after 12 months of inactivity. Flagged escalation messages are reviewed within 30 days and anonymized after 90 days. Upon account deletion, all data is permanently removed within 30 days.

Your rights (GDPR Articles 15–22)

You have the right to: access your data (Article 15), export a full copy in machine-readable format (Article 20 — available in Settings), correct inaccurate data (Article 16), delete your account and all data (Article 17 — available in Settings), restrict processing (Article 18), and withdraw consent at any time. Exercise these rights in Settings or contact privacy@getkiro.org.

Cookies

We use strictly necessary cookies for authentication and session management. We do not use advertising or tracking cookies. No third-party analytics cookies are loaded without your prior consent.

Contact & DPO

Questions? Email privacy@getkiro.org. We respond within 72 hours. You also have the right to lodge a complaint with your local supervisory authority (e.g. CNIL in France, ICO in UK).