Short version: KinLetter is private by design. We collect the minimum we need to run a private newsletter for your inner circle. We don't sell your data, we don't show you ads, and we don't build advertising profiles about you. The longer version below explains exactly what we collect, why, and the rights you have over it.
This Privacy Policy describes how KinLetter ("KinLetter," "we," "us," or "our") collects, uses, and shares information about you when you use our mobile applications, websites, and related services (collectively, the "Service"). If you have questions, email us at hello@kinletter.com.
1. Information we collect
Information you give us
- Account information: your full name, username, email address, and password. Passwords are hashed by our authentication provider (Supabase) — we never see or store your password in plaintext.
- Profile information: your display name, an optional profile photo, and your preferred language.
- Content you create: the text, optional photos, mood, and title of each update you write. Updates remain drafts until you publish them.
- Voice input: if you use voice dictation, speech recognition runs on your device. The audio does not leave your device. Only the resulting transcribed text is sent to KinLetter once you submit the update.
- Inner circle data: the usernames of people you invite, and the invitations you accept from others.
- AI-generated content about you: KinLetter generates a "life context" — a short summary of recurring facts about your life (e.g., family members, job, hobbies) extracted from your published updates — so the AI can write summaries that feel personal without you re-explaining yourself each week. You can review, edit, approve, or dismiss this draft before it's used.
Information collected automatically
- Device push tokens: if you allow push notifications, we store the token your device gives us so we can notify you when someone in your circle publishes an update.
- Technical logs: server logs (IP address, timestamp, endpoint accessed) collected for security and debugging. These are retained for up to 90 days and are not used to build a profile of you.
- Error reports (optional): if we have error monitoring enabled, we may receive anonymized crash reports via Sentry to fix bugs.
What we do not collect
- We do not collect your contacts list.
- We do not collect precise location data.
- We do not collect advertising identifiers (IDFA / AAID).
- We do not record audio. Voice transcription is on-device.
- We do not track you across other apps or websites.
2. How we use your information
- To provide the Service: create your account, deliver your updates to the people you've invited, and store your content.
- To generate AI-assisted summaries from your raw notes (see "AI providers" below).
- To send transactional emails (account verification, password reset).
- To send push notifications to your circle when you publish.
- To protect the Service against abuse, fraud, and security incidents.
- To comply with legal obligations.
We do not use your content to train third-party AI models. When your notes are sent to OpenAI to produce a summary, they are processed under OpenAI's API data policy, which does not use API inputs for training by default.
3. How we share your information
Your content is shared only with the people you've invited to your inner circle after they've accepted the invitation. There is no public link, no shareable URL, and no audience beyond your circle.
Sub-processors
We use the following third-party services ("sub-processors") to operate KinLetter. Each receives only the data necessary to perform its function.
| Provider | Purpose | Data processed |
|---|---|---|
| Supabase | Database, authentication, file storage | Account info, content, photos, push tokens |
| Render | Backend API hosting | All API request traffic (account info, content, AI requests, in transit) |
| OpenAI | AI summary generation | Your raw notes (per request), your approved life context |
| Resend | Transactional email (signup, password reset) | Email address, message content |
| Expo Push Service | Delivery of push notifications | Device push token, notification payload |
| Apple / Google | App distribution, push relay (APNs, FCM) | Device token, notification payload |
| Sentry (optional) | Crash and error monitoring | Anonymized stack traces, device model, OS version |
We do not sell, rent, or trade your personal information to advertisers or data brokers.
Legal disclosures
We may disclose information if required by law, subpoena, or other legal process, or if we have a good-faith belief that disclosure is necessary to protect rights, property, or safety. We will attempt to notify you of any legal demand for your data unless we are prohibited from doing so.
4. How long we keep your information
- We keep your account information and content for as long as your account is active.
- When you delete your account, we delete your profile, updates, photos, and life context.
- Some records (transaction logs, abuse reports, anonymized analytics) may be retained for a limited period to meet legal or security obligations.
- Backups may briefly contain deleted data; backups roll off within 30 days.
5. Your rights
You can:
- Access your data: view your profile and updates inside the app at any time.
- Correct your data: edit your display name, profile photo, language, and individual updates.
- Delete your account: from Profile → Settings → Delete Account inside the app. See our Account Deletion page for details.
- Export your data: email hello@kinletter.com and we'll send you a machine-readable copy of your data.
- Object or restrict: email us if you want us to limit how we process your information.
If you live in the European Economic Area, UK, or Switzerland (GDPR / UK GDPR)
You have additional rights under the EU General Data Protection Regulation and the UK Data Protection Act, including the right to lodge a complaint with your local data protection authority. The legal bases on which we rely:
- Contract: to provide the Service you signed up for.
- Legitimate interests: to protect the Service against abuse and to improve it.
- Consent: for optional features like push notifications and error monitoring. You can withdraw consent at any time.
- Legal obligation: where required by law.
Data may be transferred to and processed in the United States. Where applicable, transfers are protected by Standard Contractual Clauses or equivalent safeguards.
If you live in California (CCPA / CPRA)
You have the right to know what personal information we collect, the right to delete it, the right to correct it, and the right not to be discriminated against for exercising these rights. We do not sell your personal information and we do not share it for cross-context behavioral advertising.
6. Children's privacy
KinLetter is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please email hello@kinletter.com and we will delete it.
7. Security
We use industry-standard practices to protect your data: encrypted connections (HTTPS / TLS), hashed passwords (managed by Supabase Auth), row-level security at the database layer so that only you and the people in your circle can read your published updates, and limited internal access. No system is perfectly secure; if you believe your account has been compromised, please contact us immediately.
8. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting a notice on this page and, where appropriate, by email or in-app notification. The "Last updated" date at the top of this page indicates when this policy was last revised.
9. Contact us
If you have questions about this Privacy Policy or our handling of your information, email us at hello@kinletter.com.