Kaiku
LEGAL

Security

Last updated: May 17, 2026

1. Overview

Kaiku processes sensitive wellbeing data: conversations, mood, health metrics and relationship reflections. We protect this data in multiple layers so that even if the database leaked, your messages would remain unreadable. This page describes the concrete technical safeguards we maintain continuously.

AES-256-GCM Encryption

Messages, memories and other sensitive content are encrypted using AES-256-GCM.

Automatic Anonymization

Summaries are anonymized. Real names never stored in titles.

Access Control

74 Row Level Security rules protect user data.

AI Security

Your messages are not used to train AI models.

You Are in Control

Download data, set auto-deletion, or delete everything.

7. Data location — EU

All database and analytics data is stored on EU-based servers. AI providers are partly in the United States, but transfers use Standard Contractual Clauses (Commission decision EU 2021/914) and the EU-US Data Privacy Framework where applicable. Exact provider list: see Privacy Policy.

8. What data is collected

As little as possible — only what's needed to function. We collect conversations, user settings and health data if you connect a wearable. Location isn't collected unless you share a workout's GPS route yourself. Contacts aren't collected unless you attach them. Product analytics runs only with your consent and collects pseudonymous usage statistics (page views, feature usage) — without your name or message content; see the Cookie Policy.

9. Compliance

What we commit to:

  • GDPR Art. 9 — explicit consent for sensitive data processing
  • AES-256-GCM — encryption at rest
  • TLS 1.3 — encryption in transit
  • EU data location
  • DPIA — data protection impact assessment done
  • Rate limiting — DDoS protection
  • Audit logging — access is recorded
  • Permanent deletion within 30 days of a deletion request

10. Data breaches

If a personal-data breach is likely to result in a risk to your rights, we notify the supervisory authority without undue delay and, where feasible, within 72 hours of detection (GDPR Art. 33), and — if the breach is likely to result in a high risk to your rights — notify you without undue delay (Art. 34) — in plain language, describing the nature of the breach, the likely consequences, the measures taken and a contact person.