Privacy
Treated like therapy notes.
KAIZEN holds a lot of sensitive material per user — voice, story, blockers, journals. This page is the formal version. The shorter never-list lives at What we'll never do. This page may be amended; we'll email account holders before any change that materially affects how we collect or use data.
Last updated: May 2026.
Our four principles
- Consent is explicit, granular, and revocable. Never one big "agree to everything."
- Delete means delete. Including at third-party providers (voice clones, LLM caches).
- Anonymity by default in social. You choose to deanonymise; never the other way around.
- We never replace a professional. KAIZEN is not therapy, medicine, or legal counsel.
What we collect
- Account. Your email address (required) and the nickname you choose during onboarding.
- Your story and goal. What you wrote or recorded during onboarding to describe where you are and where you're going.
- Journal entries. Everything you write or record inside the daily journal.
- Voice recordings. Only with your explicit toggle ON. Used to build a private voice model for your future-self messages. You can revoke at any time; we wipe the model within 24 hours, including at our voice provider (Cartesia).
- Device + diagnostic data. App version, OS version, crash reports (via Sentry), anonymised product analytics (via PostHog) so we know which screens are broken. No precise location, no contacts, no advertising IDs.
- Subscription data. Receipt status from Apple App Store or Google Play (via RevenueCat). We do not see your card number.
What we use it for
- Generating your daily affirmation, daily story, and future-self message — all written for you, from your own dossier.
- Surfacing anonymous community spaces where other users are working through similar themes.
- Grounding affirmations in anonymised success-story moments from other users walking a similar path (never identifying details, never your own data leaving your dossier).
- Keeping the product working: crash diagnostics, performance, billing.
We do not sell data, do not train third-party models on your data, do not show advertising, and do not share your content with other users.
Where your data lives
- Primary database — Neon (Postgres), in the EU or US region matching your account.
- Audio + media files — Cloudflare R2, app-layer AES-256-GCM encrypted per user.
- Cache — Upstash Redis.
- Voice model — Cartesia (held by external ID; deletion is synchronous and confirmed).
- Text generation — Anthropic (Claude). Prompts are sent without your name; Anthropic does not retain inputs/outputs for model training under our agreement.
- Email — Resend.
- Push notifications — Expo Push.
- Crash / analytics — Sentry and PostHog. Both configured to scrub PII.
- Payments — Apple App Store, Google Play, mediated by RevenueCat.
In transit: TLS everywhere. At rest: encryption provided by each vendor; voice and journal audio additionally encrypted at the application layer with a per-user key.
Anonymity in community
- Every group post and 1:1 message defaults to anonymous.
- Your real name is never exposed in social, ever.
- Location precision is capped at city.
- No photos in groups by default — likely never.
- 1:1 DMs require mutual opt-in.
Sensitive content
KAIZEN routes sensitive content (self-harm, abuse, substance use, eating concerns) to in-app resource screens with jurisdiction-aware hotlines. We suppress AI generation that could harm rather than help. We do not alert humans on private-journal sensitive content — you wrote it for yourself.
Your rights
- Export. Settings → Export downloads a JSON of your dossier and a zip of your audio.
- Delete. Settings → Delete account. Voice model + voice audio are deleted immediately at our provider. The rest is purged within 30 days.
- Correct. You can edit any answer captured during onboarding.
- Restrict. Toggle off voice cloning, push notifications, or community participation at any time.
- Object. Email us at [email protected] and we'll act within 30 days.
- Complain. EU/UK users can lodge a complaint with their local data protection authority.
Retention
- Account active: as long as you keep the account.
- Account deleted: full data wipe within 30 days, including at third-party providers.
- Crash diagnostics (with no user ID): retained 90 days.
- Aggregated, non-identifying product metrics: retained indefinitely.
Children
KAIZEN is built for people 16 and older. We collect month + year of birth once, for the age check; we don't display it in the app and it's deleted with your account. We do not knowingly accept users under 16.
Contact
Privacy questions, data requests, and complaints: [email protected].
This plain-language policy reflects current behaviour. A full legal version is being prepared with counsel; until then, this page is the binding statement of our practices.