Privacy Policy

Effective Date: June 9, 2026

1. Introduction & Scope

Welcome to Kairos. This Privacy Policy explains how Kairos ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our web application, habit tracker, decade planner, AI coaching features, and any related services (collectively, the "Service").

This Policy applies to all users, subscribers, and visitors of the Service. It operates in conjunction with our Terms of Service. By using Kairos, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

To provide you with a personalized and secure experience, we collect specific categories of information:

• Account Information: When you register, we collect your name, email address, password (stored as a secure bcrypt hash), and your local timezone to accurately track your daily habits.
• User-Submitted Content: We store the data you actively input into the Service. This includes your tracked habits, Time Buckets (decade planner goals), deep work sessions, and your universal inbox notes. Crucially, this includes your private Journal Entries, which are protected using application-level column encryption.
• Payment & Billing Information: If you upgrade to a premium tier, our third-party payment processor (Stripe) collects your billing details and credit card information. Kairos does not store your full credit card number; we only retain basic subscription status, tier information, and billing history to manage your account.
• Communications: If you contact customer support, we collect the contents of your messages and any contact information provided.
• Device, Log, & Usage Data: We automatically collect standard server log data for security and performance, including your IP address (used strictly by our rate-limiter to prevent brute-force attacks), browser type, operating system, and the timestamps of your interactions with our application.

Is this data required? Providing your Account Information (email, password) is strictly required to create an account and use the Service. Payment Information is required to access premium tiers. If you do not provide this mandatory information, we cannot provide the Service to you. Providing User-Submitted Content is entirely optional, but without it, the Service cannot generate your personalized habit insights or journal reflections.

3. How We Collect Data

• Directly from you: When you fill out forms, type in your journal, create habits, or interact with the AI Coach.
• Automatically: Through functional session cookies necessary to keep you logged in, server security logs, and Google Analytics (only if you consent).
• From Third Parties: We receive secure webhooks from Stripe confirming successful payments or subscription cancellations.

4. How We Use Information

We use the information we collect for the following purposes:

• Providing the Service: To maintain your account, save your daily progress, and render your Kairos dashboard.
• Operating the AI Features: To safely transmit your journal entries and habits to our AI models to generate personalized morning briefings and insights.
• Security & Authentication: To verify your identity, prevent unauthorized access (using Flask-Limiter), and protect against automated bot attacks on our authentication routes.
• Account Management & Billing: To process your subscriptions, handle upgrades to Pro/Limitless, and send administrative emails (like password resets).
• Analytics & Improvement: To understand how users navigate the platform, resolve bugs, and improve system performance.

5. Legal Bases for Processing (GDPR)

If you are an individual in the European Economic Area (EEA), our legal basis for collecting and using your personal information depends on the context:

• Contract Performance: Processing is necessary to fulfill our Terms of Service (e.g., maintaining your dashboard, generating AI insights, and billing).
• Legitimate Interests: Processing is necessary for our legitimate business interests, such as securing our infrastructure, preventing fraud, and improving the app, provided these interests are not overridden by your data protection rights.
• Consent: We rely on your explicit consent for non-essential tracking (like Google Analytics cookies) and for processing sensitive data entered into your journals.
• Legal Obligations: We process data to comply with tax and accounting laws in the Czech Republic.

6. Cookies, Tracking & Analytics

We use cookies and similar tracking technologies to track activity on our Service.

• Essential Cookies: These are strictly necessary for the application to function. This includes the Flask session cookie used to keep you securely logged in and CSRF tokens to prevent cross-site request forgery attacks. These cannot be disabled.
• Analytics Tracking (Google Analytics 4): We use GA4 to measure aggregate user behavior (e.g., page views, feature adoption). This script is strictly blocked by default and will not load until you explicitly click 'Accept' on our cookie consent banner.

7. AI and Machine Learning Specifics

Kairos integrates Large Language Models to act as your AI Coach. Because you may input highly sensitive reflections into the Service, we adhere to strict AI privacy standards:

• Zero Data Retention APIs: We interface with our AI providers (e.g., OpenAI, Google) exclusively via their enterprise/developer APIs. By default, these providers are contractually prohibited from using API data to train their public or foundational models.
• No Internal Training: Kairos does not train proprietary AI models on your private journal entries. The AI processing happens in memory to generate your specific insight and is not permanently retained by the model.
• No Automated Decision-Making: We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects. Our AI Coach provides optional, non-binding organizational suggestions.

8. Sharing and Disclosure of Information

We do not, under any circumstances, sell your personal data. We only share information with third parties in the following limited circumstances:

• Service Providers (Sub-processors): We share necessary data with trusted vendors acting on our behalf. This includes Oracle Cloud (database and server hosting), Stripe (payment processing), external LLM providers (for AI coaching), and email delivery services (for password resets).
• Legal Compliance: We may disclose data if legally required to do so by a valid subpoena, court order, or binding request from Czech or applicable EU authorities, or to protect the safety and rights of Kairos and our users.

9. International Data Transfers

Our primary database and application servers are hosted on Oracle Cloud Infrastructure within the European Union. However, some of our sub-processors (such as Stripe or certain AI API providers) may process data in the United States. When transferring personal data outside the EEA, we ensure adequate safeguards are in place, primarily through the execution of the European Commission's Standard Contractual Clauses (SCCs) or reliance on the EU-US Data Privacy Framework.

10. Data Retention

We retain your personal data and User Content only for as long as your account is active or as needed to provide you the Service. If you choose to delete your account, your personal data and encrypted journals are immediately removed from our active databases. Routine automated server backups containing encrypted snapshots of the database will be securely overwritten in the standard 30-day lifecycle. We may retain basic billing records longer as required by tax and accounting laws.

11. Security Measures

We implement robust, multi-layered security to protect your data:

• Encryption in Transit & at Rest: All traffic is secured via HTTPS/TLS. Our underlying Oracle Cloud servers utilize Block Volume encryption at rest to protect against physical data breaches.
• Application-Level Encryption: Highly sensitive text fields, specifically your Journal Entries and Inbox Brain Dumps, are encrypted at the application level (using SQLAlchemy `StringEncryptedType` and secure Fernet keys) before touching the database.
• DDoS & Brute Force Protection: Critical authentication routes are strictly protected by server-side rate limiters to prevent bot attacks.

While we follow industry best practices, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

12. Your Privacy Rights

Depending on your location, you have rights regarding your personal data:

• Access & Portability: You can request a copy of the personal data we hold about you.
• Correction: You can edit your account details and habits directly within the dashboard.
• Deletion: You can delete specific items (using the global delete/archive modal) or request full account deletion.
• Withdraw Consent: Where we rely on consent (e.g., analytics cookies), you can withdraw it at any time.

13. GDPR Disclosures (EEA, UK, Switzerland)

If you are a resident of the European Economic Area (EEA), the UK, or Switzerland, you have the right to object to processing based on legitimate interests, request restriction of processing, and lodge a complaint with your local Data Protection Authority. The data controller for your personal information is the Provider listed in Section 19.

14. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA grants you specific rights regarding your personal information. We do not sell your personal information, nor do we share it for cross-context behavioral advertising. Therefore, we do not require a "Do Not Sell or Share My Personal Information" opt-out link.

Your rights include: the right to know what personal information is collected, the right to delete personal information, the right to correct inaccurate information, the right to limit the use and disclosure of sensitive personal information, and the right not to receive discriminatory treatment for the exercise of your privacy rights. Please submit requests to exercise these rights via the contact email below.

15. Children's Privacy

Kairos is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will take immediate steps to delete that information from our servers. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.

16. Third-Party Integrations

The Service may contain links to third-party websites or offer integrations (such as our planned conversational WhatsApp sync). If you choose to use these integrations, the third party may receive your information. We do not control and are not responsible for the privacy practices of third-party platforms. We encourage you to review their privacy policies.

17. Business Transfers

If Kairos is involved in a merger, acquisition, corporate restructuring, or sale of assets, your personal data may be transferred as part of that transaction. We will provide notice via email or a prominent notice on our website before your personal data is transferred and becomes subject to a different privacy policy.

18. Changes to this Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. If we make material changes (e.g., changing how we process your encrypted data or AI data sharing practices), we will notify you by email or through a prominent notice on the dashboard prior to the change becoming effective. We encourage you to review this page periodically for the latest information.

19. Contact Information

If you have any questions, concerns, or requests to exercise your data rights regarding this Privacy Policy, please contact the Data Controller: