KINĒ
Privacy Policy

Last updated: 30 March 2026

1. Who We Are

Kinē Ltd ("we", "us", "our") operates kinefit.app. We are the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Contact: privacy@kinefit.app

2. Data We Collect

We collect the following categories of personal data:

Account data

Email address, password (hashed), authentication provider (e.g. Google).

Profile data

Name, height, weight (all optional).

Training data

Training goals, experience level, equipment, schedule preferences, exercise logs, lift history, session feedback, and progress photos you choose to take.

Health data (special category)

With your explicit consent, we collect: menstrual cycle data (period start/end dates, cycle length), health conditions (PCOS, fibroids, endometriosis, pelvic floor concerns), injuries, and comfort preferences. This data is used solely to personalise your training programme.

Payment data

Processed by Stripe. We store your Stripe customer ID and subscription status. We never see or store your full card number.

Technical data

IP address (for rate limiting only, not stored), device type, browser type.

3. Lawful Basis

We process your data on the following legal bases:

  • Contract: Account, profile, training, and payment data are necessary to provide the Service.
  • Explicit consent: Health data (cycle, conditions, injuries) is processed only with your explicit consent, given during onboarding. You may withdraw consent at any time by removing this data from your profile.
  • Legitimate interest: Technical data for security, rate limiting, and service reliability.

4. How We Use Your Data

  • Generate personalised training programmes via AI
  • Track your progress and suggest weight/rep progressions
  • Adjust programming based on cycle phase and health conditions
  • Process payments and manage your subscription
  • Provide coaching feedback and exercise education
  • Maintain security and prevent abuse

5. AI Processing

Your training profile (goals, equipment, injuries, cycle phase, session history) is sent to Anthropic's Claude API to generate personalised programmes and coaching feedback. This data is sent as part of API requests and is subject to Anthropic's Privacy Policy. Anthropic does not use API inputs to train their models.

We do not send your name, email, date of birth, or payment information to the AI. Only training-relevant data is included in AI requests.

6. Data Sharing

We share data with the following third-party processors:

  • Supabase (database & authentication) — EU-hosted
  • Stripe (payment processing) — PCI DSS compliant
  • Anthropic (AI programme generation) — API data not used for training
  • Vercel (hosting) — edge functions process requests

We do not sell your data. We do not share your data with advertisers or data brokers.

7. Data Storage & Security

Your data is stored in Supabase (cloud database) and locally on your device (localStorage for offline access). All data in transit is encrypted via TLS. Authentication tokens are managed by Supabase. Access cookies are signed with HMAC-SHA256.

Progress photos are stored locally on your device only. They are not uploaded to our servers.

8. Data Retention

  • Active accounts: Data retained while your account is active.
  • After cancellation: Training data retained for 90 days to allow resubscription, then deleted.
  • Account deletion: All data deleted within 30 days of request.
  • Inactive accounts: Accounts with no login for 24 months will receive a deletion notice. If no action is taken within 30 days, the account and all data will be permanently deleted.
  • Payment records: Retained as required by financial regulations (up to 7 years).

9. Your Rights (UK GDPR)

You have the right to:

  • Access your personal data
  • Rectify inaccurate data via your profile
  • Erase your data ("right to be forgotten")
  • Restrict processing of your data
  • Port your data in a machine-readable format
  • Withdraw consent for health data processing at any time via Profile → Privacy
  • Object to processing based on legitimate interest
  • Complain to the Information Commissioner's Office (ICO) at ico.org.uk

To exercise any of these rights, contact privacy@kinefit.app. We will respond within 30 days.

10. Cookies

We use two functional cookies: kine_access (access session, 30-day expiry) and kine_sub (subscription verification, 1-hour expiry). Both are httpOnly, signed, and not accessible to client-side JavaScript. We do not use tracking cookies, analytics cookies, or advertising cookies.

11. Children

Kinē is not intended for users under 18. We do not knowingly collect data from anyone under 18. If we learn we have collected data from a minor, we will delete it promptly.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or in-app notice. The "last updated" date at the top reflects the most recent revision.

13. Contact

For privacy questions or data requests, contact: privacy@kinefit.app

© 2026 Kinē Ltd. All rights reserved.