Privacy Policy

Kinora is currently operated by its founders as joint data controllers while incorporation of Kinora Health Ltd in England and Wales is in progress. We are assessing and completing our Information Commissioner's Office (ICO) registration and data protection fee obligations as required.

Once Kinora Health Ltd is incorporated, it will assume responsibility for the service as data controller and we will update this policy.

You can contact us about privacy at: privacy@kinora.health

This policy covers the Kinora website and the current website features: account creation, login, profile settings, waitlist sign-up, co-creator applications, contact forms, password reset, and security controls.

The community and survey areas are currently not operational while we complete privacy and data protection work. We will update this policy before those features are relaunched.

Depending on how you use the website, we may collect:

• name and email address
• account and authentication details, such as your user ID and login session
• profile details you choose to add, such as display name, pronouns, date of birth, avatar, community username, and mailing-list preference
• waitlist details, such as first name, last name, and email address
• co-creator application details, including your answers and any hormonal or reproductive health experience you choose to share
• contact form messages and the contact details you provide
• technical and security information, such as IP address, browser information, request timestamps, rate-limit records, and bot-protection results

If you use Ari, your conversation history is stored locally in your own browser storage and is not stored in our database by the website.

Information about hormonal or reproductive health can be special-category health data under UK GDPR. We only ask for this kind of information where it is necessary for a specific purpose, such as co-creator applications, and we ask for explicit consent at the point you submit it.

The contact form is not intended for detailed health information. Please avoid sharing health information in the contact form unless it is necessary for your enquiry. If you do include it, we will use it only to respond to that enquiry and will not use it for product development or research without asking for separate consent.

We use personal data for the following purposes:

• Accounts and login: to create and secure your account. Lawful basis: contract and legitimate interests.
• Profile settings: to let you manage your Kinora profile. Lawful basis: contract and consent where optional details are provided.
• Waitlist: to record your interest and contact you about Kinora updates if relevant. Lawful basis: consent.
• Co-creator applications: to review your application and contact you about participation. Lawful basis: consent; for health information, explicit consent under Article 9 UK GDPR.
• Contact form: to respond to your message. Lawful basis: legitimate interests or steps taken at your request.
• Security and abuse prevention: to protect the website, prevent spam, investigate abuse, and maintain service integrity. Lawful basis: legitimate interests.
• Legal compliance: to meet legal, regulatory, or rights-request obligations. Lawful basis: legal obligation.

You may withdraw consent at any time where consent is the lawful basis.

• We do not sell your personal data.
• We do not share identifiable health information with advertisers.
• We do not use advertising cookies or cross-site tracking cookies.
• We do not currently use analytics cookies.
• We do not currently sync waitlist data to MailerLite or another mailing-list platform.

A processor is a service provider that handles personal data for us so the website can work. We use the following categories of processors:

• Database, authentication, and storage: Supabase.
• Website hosting and serverless functions: Vercel.
• Bot and abuse protection: Cloudflare Turnstile.
• Contact-form email delivery: Resend.

These providers process data on our behalf under their own security terms and data processing agreements. We may update this list if the website's processors change.

We choose UK or European processing locations where available. Supabase database data is hosted in the European Union. Some service providers, including infrastructure, security, and email providers, may process data outside the UK or EEA.

Where personal data is transferred internationally, we rely on appropriate safeguards such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to Standard Contractual Clauses, or equivalent contractual safeguards where required.

• Account and profile data: kept while your account exists, then deleted or anonymised after account deletion unless we need to keep limited records for legal or security reasons.
• Waitlist records: kept until you ask us to remove them or until the waitlist purpose ends.
• Contact messages: normally kept for up to 24 months, unless a longer period is needed to handle a request, dispute, or legal obligation.
• Co-creator applications: if not selected, deleted within 30 days of our decision. If selected, we will ask for renewed consent before retaining health information beyond the selection process.
• Security and abuse logs: normally kept for 30 to 90 days unless needed for investigation, fraud prevention, or legal reasons.
• Backups: overwritten on a rolling basis according to our providers' standard backup schedules.

If you have a Kinora account, you can delete it from the danger zone in your profile settings. This deletes your account, profile, profile photo, and current website form submissions linked to your account email where we no longer need them.

You can also request deletion of your account or personal data by emailing privacy@kinora.health. We will respond within one month.

Some limited information may be retained where necessary for legal compliance, security, fraud prevention, dispute handling, or backup deletion cycles.

We use technical and organisational measures to protect personal data, including encryption in transit, access controls, database row-level security, bot protection, rate limiting, and security monitoring.

No online service can guarantee perfect security, but we review our controls and limit access to people who need it for service, support, security, or compliance reasons.

You may ask us to:

• provide access to your personal data
• correct inaccurate data
• delete your data
• restrict processing
• transfer your data where applicable
• object to processing where applicable
• withdraw consent where consent is our lawful basis

Requests may be sent to: privacy@kinora.health

We aim to respond within one month.

You also have the right to complain to the Information Commissioner's Office at ico.org.uk.

We use strictly necessary cookies and similar technologies for website functionality, authentication, and security. We do not currently use analytics, advertising, or cross-site tracking cookies.

More detail is available in our Cookie Policy.

Kinora is intended for adults aged 18 and over. We do not knowingly collect data from anyone under 18. If we become aware that we have collected data from someone under 18, we will delete it.

Kinora does not provide medical advice, diagnosis, treatment, or prescriptions.

Any information or tools we provide are for informational and educational purposes only. Medical decisions should always involve a suitably qualified healthcare professional.

We may update this policy from time to time. If changes materially affect your rights or how we use your data, we will provide a clear notice before those changes take effect where appropriate.