Privacy Policy

1. Introduction & Scope

Effective Date: February 23, 2026

Kynso ("we," "us," or "our") is committed to protecting your personal data and your right to privacy. This Privacy Policy outlines our practices regarding the collection, use, and safeguarding of your personal information, including highly sensitive health and biometric data, when you use the Kynso mobile application and associated services.

We process your data in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, the General Data Protection Regulation (GDPR) in Europe, and the California Consumer Privacy Act (CCPA).

2. Information We Collect

To provide our comprehensive fitness and health tracking services, we collect the following specific categories of information:

  • Identity & Profile Data: Legal name, username, email address, password, date of birth, gender, height, and user biography.
  • Health & Biometric Data: Weight, daily resting heart rate, Heart Rate Variability (HRV), total daily steps, calorie logs, and specific workout data (including resistance training sets, cardiovascular sessions, and mobility routines). Note: Processing of this special category data requires your explicit, affirmative consent during registration.
  • Location Data: With your explicit operating-system-level permission, we collect your current physical location (GPS data) to allow you to log and map the geographic location of your workouts or select an address. You may revoke this permission at any time via your device settings.
  • Technical & Device Data: IP address, mobile device identifiers, operating system version, and system logs.

3. How We Use Your Information

We strictly limit the use of your personal and health data to the following purposes:

  • Core Functionality: To calculate fitness metrics, track progression, and render your historical workout data.
  • Authentication & Security: To verify your identity, secure your account, and detect unauthorized access.
  • Internal Analytics (Anonymized Data): We aggregate and mathematically anonymize your data—stripping it entirely of personally identifiable information (PII)—to analyze system performance, improve our algorithms, and monitor general usage trends. We do not sell your personal data to third parties.

4. Third-Party Integrations & Data Flows

Kynso utilizes a tiered architecture to ingest and export health data. You have absolute control over these data flows:

  • Inbound Data Collection: If authorized by you, Kynso pulls health and fitness metrics from hardware integrations (e.g., Oura, Garmin) and software aggregators (e.g., Strava, Apple Health, Google Fit) to centralize your fitness profile.
  • Outbound Data Sharing: We do not share your health data with external entities unless explicitly directed by you. On an opt-in basis, you may choose to write your Kynso workout data and calorie logs outbound to Apple HealthKit or Android Health Connect.

5. Data Storage, Security & Offline Processing

Your data is securely stored on enterprise-grade infrastructure utilizing Amazon Web Services (AWS). We employ industry-standard encryption both at rest and in transit.

Offline-First Architecture: Kynso is designed to function seamlessly offline. If you log data without a network connection, your sensitive health information is encrypted and temporarily queued locally on your physical device. When a secure network connection is re-established, this data synchronizes with our servers. During any offline period, the security of this locally queued data is dependent on your device’s security measures (e.g., biometric locks, passcodes).

6. Data Retention & Account Deletion

You may initiate the deletion of your account at any time via the application settings.

The 30-Day Account Recovery Grace Period: Upon requesting deletion, your account and all associated data enter a strict 30-day quarantine phase. During this period, your data is isolated from our active database and is explicitly not used for analytics, marketing, or operations. This soft-delete mechanism serves two legal purposes: (1) to provide you with a grace period to reverse the deletion request, and (2) to comply with active fraud investigations or legal obligations. Upon the expiration of the 30-day period, a permanent, irreversible hard deletion of your data is executed.

7. Your Privacy Rights

Depending on your jurisdiction (under the GDPR, CCPA, or PIPEDA), you possess statutory rights regarding your data, including:

  • Right to Access & Portability: You may download an export of your personal data, workouts, sets, health metrics, and calorie logs in CSV format directly through the app.
  • Right to Erasure: You may invoke the deletion of your account and data, subject to the 30-day grace period outlined above.
  • Right to Withdraw Consent: You may withdraw your consent for the processing of your biometric/health data at any time, acknowledging that this will terminate your ability to use the Kynso core services.

8. Children’s Privacy

Kynso does not knowingly collect personal data from individuals under the age of 16. We utilize age-gating during the registration process. If we become aware that we have collected personal data from a minor without verified parental consent, we will take immediate steps to delete that information.

9. Updates to This Policy

We may update this Privacy Policy to reflect changes in our operational practices or regulatory requirements. Material changes, particularly those affecting the processing of your health data, will be communicated to you via email or a prominent in-app notification before they take effect.

10. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your data, please contact our Privacy Officer:

privacy@kynso.com

[Insert Corporate Mailing Address, Toronto, ON]