Last updated: June 26, 2026
Who this policy applies to, and who we are
This policy covers the personal data that Kindred AI, PBC (“Kindred,” “we,” “us”) processes about you when you visit bekindred.ai, create an account, or use the platform. For most users, Kindred is the data controller, the party that decides what data is collected and how it is used, and is therefore the party accountable for it.
Where you use Kindred through a business account (for example, an employee on a company plan), that business is the controller of your data, and our handling of it is governed by our Data Processing Agreement with them.
What we collect
Your email address. Sign-in is passwordless: we email you a one-click link each time, and you prove who you are by showing control of the inbox. We never collect or store a password.
Your questions (Inputs). The questions and topics you submit for analysis.
Your analyses (Outputs). The analyses the platform builds from your questions, including the phase content, the sources, and any titles, tags, ratings, and links you save.
Aggregate usage metrics. Privacy-preserving counts about how the platform is used (analyses run, features used, error rates). We do not track your browsing across other websites.
Operational metadata. Request logs and AI call records used to run, secure, and account for the service. These hold metadata only (timing, model, token counts, cost, and a one-way hash), not the text of your questions or analyses. We explain how long we keep them under Retention below.
Your own API key, if you choose to add one. You may store your own Anthropic API key in Settings (see Bring your own key below). It is encrypted before it touches our database, never returned by the API, never written to logs, and removable anytime.
How we use your data
We use your data to provide the service you signed up for: to run analyses, store your library, apply your preferences, keep the platform secure, support you, and produce aggregate metrics that help us improve quality. We do not use your questions or analyses to train AI models, ever, without your explicit, opt-in consent. That is a foundational commitment, not a setting we can quietly flip.
How your questions and analyses are protected
Your content is encrypted at rest. Your analyses, your questions, and their titles are encrypted in our database using authenticated AES-256-GCM envelope encryption, an approach where each value is sealed with its own one-time data key, and that key is in turn sealed by a master key we hold in our backend environment, separate from the database. In plain terms: if someone stole a copy of our database, or obtained a database credential and read it directly, they would reach scrambled ciphertext, not your words, as long as they did not also obtain the separate master key.
Only you can reach your own data. Every table that holds user data uses row-level security, a database-level rule that lets you read or change only the rows you own. One user can never reach another user's analyses, questions, tags, links, preferences, or feedback. This is enforced by the database itself on every query, not by application code that could have a bug.
Even we do not read your content by default. Our internal console for support and for quality and safety review blanks out your question, title, and analysis content by default; an operator sees structure and metadata, not your words. Viewing actual content takes a deliberate action that requires a reason and writes one permanent, tamper-evident log entry recording who looked, whose content, which analysis, which field, why, and when. There is no exception for the founder; the founder's own reveals are logged the same way.
The honest boundary, stated plainly, is in The honest limits below: this is strong protection for data at rest, but it is not end-to-end encryption.
The AI provider, and what we send
To build an analysis, the text of your question and the analytical context are sent to Claude, the AI model that powers the engine, operated by Anthropic. We send only what the analysis needs. We do not send your name or email to the model.
We use Anthropic's commercial API. Under Anthropic's commercial terms, the content we send through the API is not used to train Anthropic's models, and Anthropic deletes API inputs and outputs on its standard retention schedule (a 30-day default at the time of writing). Anthropic is listed on our Subprocessor List. The current terms and retention window are set by Anthropic; we link their terms above so you can read the source rather than take our summary on faith.
A stricter arrangement called zero data retention (where the provider keeps nothing at all) is not in place today, and is not offered for the model we default to. If you want your analyses to run entirely under your own Anthropic account and data relationship, you can use your own API key.
Bring your own key
You may run your analyses under your own Anthropic API key instead of ours. Add it in Settings. Before we store it, we validate it with a no-charge check, then encrypt it at rest with AES-256-GCM using a secret that lives only in our backend. The key is never returned to the browser, never written to logs, and exists in readable form only for the instant it is used to make your request. You can replace or remove it at any time, and removing it deletes the stored key. When a key is stored, your analyses use it; your Anthropic data relationship is then directly with Anthropic.
Who we share data with
We share personal data only with the subprocessors (the vendors that process data on our behalf to run the service) listed on our Subprocessor List, with law enforcement when we are legally required to (see The honest limits), and with a successor entity in a merger, acquisition, or sale of assets, with notice to you. We notify business customers before adding a new subprocessor as described in the Data Processing Agreement.
We do not sell personal data, and we do not share it for cross-context behavioral advertising, as those terms are defined under U.S. state privacy laws including the California Consumer Privacy Act (CCPA).
Retention: how long we keep things
Your library is yours until you delete it. Your analyses, questions, titles, tags, links, and feedback stay in your library until you delete them or close your account. We do not expire your content on a timer.
Operational records are kept only as long as they are useful, then deleted automatically. The operational metadata described above (AI call logs, usage events, validation records, and the operator access log) is purged on a schedule, on per-record-type windows, so it does not accumulate indefinitely. The operator access log, the record of who viewed content and why, is kept the longest so that accountability remains meaningful, but it too is bounded.
Deleting your account is a complete deletion. When you delete your account, we permanently remove your content and the operational records tied to it, with no shadow copy, within thirty (30) days. Two narrow exceptions remain: the content-free operator-access audit log, retained for the bounded accountability window described above so the record of who viewed content, and why, cannot be erased; and the minimal records the law requires us to keep (for example, billing records for tax). See Your rights for how the deletion works.
Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Export everything you own, anytime. A single action in your account downloads a complete, machine-readable JSON file of your data: your analyses with their full content, sources, and feedback, plus your tags, links, and preferences. The export is scoped to you alone and never includes operational/internal records or any encryption keys. You can also export any single analysis as Markdown, Word, or PDF for reading and sharing.
- Delete your data with a true hard delete. From Settings, confirming deletion removes your analyses (and their phase outputs, sources, and links), tags, preferences, feedback, your stored API key if you saved one, and the operational records tied to your account (AI call logs, usage events, and validation records), then deletes your sign-in account. The one deliberate exception is the operator-access audit log: content-free metadata that records any time an operator viewed your content, and why. It is retained for the bounded accountability window described in Retention, precisely so the record of access cannot be erased, not even by deletion. Apart from that audit trail, nothing carrying your content is left behind, and the deletion is scoped strictly to you, so no other user is affected.
- Correct inaccurate or incomplete data.
- Object to or restrict certain processing, and withdraw consent you previously gave.
- Complain to your data protection authority if you are in the EEA, the UK, or Switzerland.
California residents have additional rights under the CCPA, including the right to know what categories of personal data we collect, and the rights to delete it, correct it, and not be discriminated against for exercising these rights. To exercise any right, email privacy@bekindred.ai. We respond within the timeframes the applicable law requires.
The honest limits
Strong privacy claims are only worth making if the limits are stated just as plainly. Here are ours.
This is not end-to-end encryption. To analyze your question, our backend and our AI provider must read it in ordinary, readable form. Encryption at rest protects your stored data from someone who steals the database or its credentials. It does not hide your content from the running service that performs the analysis for you.
Encryption at rest protects stored data, not the running system. The keys that decrypt your content live in our backend so it can show you your library and run new analyses. Someone who fully compromised the running backend, both its code execution and its environment, could reach decrypted content. Encryption at rest defends against stolen data; the rest of our security posture defends against a compromised live system.
Lawful legal requests. If we receive a legally valid and binding request from law enforcement or a court, we will comply with it. Where the law permits, we will tell the affected user. We do not hand over more than the request compels, and we push back on requests that are overbroad or improper.
The AI provider processes your question. As described above, your question and analysis are processed by Anthropic's commercial API under its terms; zero data retention is not in place today and is model-dependent.
Citations link to sources; they do not yet verify claims. A resolved citation opens the real source a claim drew on, but the content of each claim is not yet mechanically checked against that source. That verification is on our roadmap, and we say so on the architecture page.
Legal bases for processing (EU/UK)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on these legal bases under the GDPR or UK GDPR, the laws that require us to have a specific, lawful reason for each use of your data:
- Performance of a contract, to create your account, provide the platform, and handle billing.
- Legitimate interests, to secure the platform, prevent abuse, debug, and improve quality, balanced against your rights.
- Consent, for any AI-training opt-in, certain communications, and any non-essential cookies (we do not currently set any).
- Legal obligation, for tax and accounting records and for legally required law-enforcement responses.
International transfers
Kindred and its current subprocessors operate from the United States, so if you use Kindred from elsewhere, your data is transferred to and processed in the United States. For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the recognized safeguards for international transfers: the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and the corresponding Swiss safeguards. Business customers can request the executed transfer documentation. [PLACEHOLDER: confirm executed SCC modules, UK Addendum, and Swiss safeguards, and attach as annexes, before publishing.]
Security
We protect your data with encryption in transit and at rest (including the application-level content encryption described above), database-enforced row-level isolation, secret management for credentials, and a security review on every change. The plain-language overview is in the Trust Center privacy page and the security page, and the deeper technical detail is on the security architecture page.
Children's privacy
Kindred is not directed to children under 13 (or the higher minimum age in your jurisdiction), and we do not knowingly collect personal data from them. If we learn we have, we delete it. If you believe a child has provided us data, contact privacy@bekindred.ai.
Changes, and how to reach us
We may update this policy. If a change is material, we will give you reasonable advance notice by email or in-product before it takes effect, and the “Last updated” date above will always reflect the current version.
For privacy questions or to exercise any right above, email privacy@bekindred.ai. [PLACEHOLDER: data protection contact name/title, if a Data Protection Officer is appointed.] Postal notices to Kindred AI, PBC should be sent to [PLACEHOLDER: registered mailing address].