Privacy Policy
Last updated: 11 April 2026 · Version 1.3
Who we are
Kin is operated by Opal Harmony P.C. (Opal Harmony Private Company / Ιδιωτική Κεφαλαιουχική Εταιρεία), a private company registered in Greece, with registered office at Olympou 9, 54630 Thessaloniki, Greece ("we", "us", "our"). We are the data controller for your personal data under Article 4(7) GDPR. You can reach us at privacy@getsinew.dev.
What data we collect
Guest users (no account): Your conversations are processed to generate responses but are only stored in your browser's local storage. We assign a random guest identifier to maintain your session. No personal data is stored on our servers.
Registered users: When you create an account, we collect and store:
- Account data — email address, display name (if provided via Google Sign-In)
- Conversation data — messages you send and responses you receive, conversation metadata (timestamps, message counts)
- Person model data — the understanding Kin builds of you over time (personality traits, values, communication preferences, emotional patterns, relationship insights)
- Social graph data — names and relationships of people you mention in conversations
- User-created data — notes, tasks, reminders, and other content you create through Kin
- Payment data — Stripe customer ID and subscription status (your card details are handled entirely by Stripe and never touch our servers)
- Usage data — message counts, session counts, and feature usage for rate limiting and service operation
Legal basis for processing
We process your data under the following legal bases (GDPR Article 6):
- Contract — processing your conversations, maintaining your account, and providing the subscription service (Article 6(1)(b))
- Consent — building the Person model from your conversations. You can withdraw consent at any time by deleting your account (Article 6(1)(a))
- Legitimate interest — rate limiting, fraud prevention, and service security (Article 6(1)(f))
Third-party processors
We share data with the following processors to provide the service. All are US-based and operate under Standard Contractual Clauses (SCCs) for EU-to-US data transfers:
- OpenRouter (LLM routing, US) — your messages are routed through OpenRouter to upstream AI providers. As of 11 April 2026, OpenRouter does not publish a formal Data Processing Agreement; we rely on their published Terms of Service data-processing provisions. We monitor their legal page and will update this policy when a formal DPA becomes available.
- Anthropic (AI model provider, US — sub-processor of OpenRouter) — Anthropic processes your messages to generate Claude's responses. Per Anthropic's API terms, your messages are not used to train models. International transfer is covered by Standard Contractual Clauses (SCCs).
- Stripe (payments, US + EU) — processes subscription payments. Stripe receives your email and payment card details (card data is tokenised by Stripe and never touches our servers). Covered by Stripe's DPA, auto-accepted as part of Stripe's standard terms. See Stripe's Privacy Policy.
- Resend (transactional email, EU — AWS eu-west-1) — sends magic links and subscription confirmations. Receives your email address. Covered by signed Resend DPA dated 11 April 2026.
- ElevenLabs (voice synthesis, US) — only if you use voice features. Receives the text of Kin's responses for synthesis. No conversation context is shared.
- Sentry (error tracking, EU — Frankfurt) — receives stack traces and request paths for debugging. No personal conversation content is included; a user ID may appear in error context. Covered by Sentry DPA v5.1.0, accepted 11 April 2026.
- Hetzner (hosting, EU — Falkenstein/Nuremberg, Germany) — operates the physical infrastructure where our database and application servers run. Covered by signed Hetzner Auftragsdatenverarbeitung dated 11 April 2026.
- Cloudflare (DNS, global anycast) — handles DNS resolution for thekin.chat. Receives your IP address and the requested hostname; does NOT proxy or terminate TLS for Kin traffic, so it never sees your conversations. Covered by Cloudflare's standard DPA, incorporated by reference into the Customer Agreement.
A Data Processing Agreement is available on request for any of the above processors.
What we do not do
- Sell your data to third parties
- Use your conversations to train AI models
- Share your data with advertisers
- Track you across other websites
- Use cookies for advertising or analytics (we only use a session cookie for authentication)
Data retention
Your data is retained for as long as your account is active. When you delete your account:
- Conversations, Person model, notes, and insights — permanently deleted immediately.
- Billing records — Stripe transaction records are retained for 7 years to meet Greek and EU tax obligations (Article 6(1)(c) GDPR). Your email address is anonymised in our records. The actual card data was never stored by us.
- Error tracking events (Sentry) — retained for 90 days, then automatically deleted. Contains stack traces and request metadata, no conversation content.
- Security logs — retained for 12 months for fraud prevention, then deleted.
There is no recovery period for conversation data once deletion is initiated.
Guest session data stored in your browser can be cleared by you at any time through your browser settings.
Your rights
Under EU/GDPR law, you have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — delete your account and all associated data
- Data portability — export your data in a machine-readable format (JSON)
- Restriction of processing — request that we limit how we use your data
- Object to processing — object to processing based on legitimate interest
- Withdraw consent — withdraw consent for Person model building at any time
You can exercise your access, portability, and erasure rights directly from the Settings page in the app. For all other requests, email privacy@getsinew.dev. We will respond within 30 days.
You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA, dpa.gr) or any EU supervisory authority.
Automated decision-making and profiling
Kin uses automated processing to build a model of you — your personality traits, communication preferences, emotional patterns, relationship dynamics, and values. This is what we call the "Person model." It is used to personalise Kin's responses and to generate periodic insights about your relationships and emotional state.
Under Article 22 GDPR, you have the right not to be subject to decisions based solely on automated processing that produce significant legal or similarly significant effects on you. Kin does not make such decisions — the Person model influences how Kin responds in conversation, but it does not automatically grant or deny access to services, set prices, or produce other legally significant outcomes.
If you believe the Person model contains inaccurate information about you, you can request human review by emailing privacy@getsinew.dev. You can also delete your account at any time, which permanently erases the Person model.
International data transfers
Kin's servers are hosted in the EU (Hetzner, Germany). However, some of our sub-processors are based in the United States:
- OpenRouter and Anthropic (US) — your messages are routed to US-based AI providers. These transfers are covered by Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR.
- Stripe (US + EU) — payment processing. Stripe operates under Standard Contractual Clauses (SCCs) and is certified under the EU-US Data Privacy Framework (DPF). The EU-US Privacy Shield was invalidated by the Court of Justice of the European Union in July 2020 (Schrems II) and replaced by the DPF in 2023; we no longer rely on Privacy Shield for any transfer.
- Resend (EU — AWS eu-west-1) — transactional email. Covered by signed Resend DPA (Module 2: Controller → Processor) and SCCs for any incidental US transfer.
- ElevenLabs (US) — voice synthesis, if used. Covered by SCCs.
You can obtain a copy of the applicable SCCs or additional transfer safeguards by emailing privacy@getsinew.dev.
Children
Kin is not intended for anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
Changes to this policy
We may update this policy. Significant changes will be communicated through the app or by email. Continued use after changes constitutes acceptance. The "last updated" date at the top reflects when this policy was last revised.
Contact
For privacy-related questions or to exercise your rights: privacy@getsinew.dev