Security
Last updated: May 17, 2026
1. Overview
Kaiku processes sensitive wellbeing data: conversations, mood, health metrics and relationship reflections. We protect this data in multiple layers so that even if the database leaked, your messages would remain unreadable. This page describes the concrete technical safeguards we maintain continuously.
AES-256-GCM Encryption
Messages, memories and other sensitive content are encrypted using AES-256-GCM.
Automatic Anonymization
Summaries are anonymized. Real names never stored in titles.
Access Control
74 Row Level Security rules protect user data.
AI Security
Your messages are not used to train AI models.
You Are in Control
Download data, set auto-deletion, or delete everything.
7. Data location — EU
All database and analytics data is stored on EU-based servers. AI providers are partly in the United States, but transfers use Standard Contractual Clauses (Commission decision EU 2021/914) and the EU-US Data Privacy Framework where applicable. Exact provider list: see Privacy Policy.
8. What data is collected
As little as possible — only what's needed to function. We collect conversations, user settings and health data if you connect a wearable. Location isn't collected unless you share a workout's GPS route yourself. Contacts aren't collected unless you attach them. Product analytics runs only with your consent and collects pseudonymous usage statistics (page views, feature usage) — without your name or message content; see the Cookie Policy.
9. Compliance
What we commit to:
- ✓GDPR Art. 9 — explicit consent for sensitive data processing
- ✓AES-256-GCM — encryption at rest
- ✓TLS 1.3 — encryption in transit
- ✓EU data location
- ✓DPIA — data protection impact assessment done
- ✓Rate limiting — DDoS protection
- ✓Audit logging — access is recorded
- ✓Permanent deletion within 30 days of a deletion request
10. Data breaches
If a personal-data breach is likely to result in a risk to your rights, we notify the supervisory authority without undue delay and, where feasible, within 72 hours of detection (GDPR Art. 33), and — if the breach is likely to result in a high risk to your rights — notify you without undue delay (Art. 34) — in plain language, describing the nature of the breach, the likely consequences, the measures taken and a contact person.