Privacy Policy

Effective date: June 8, 2026 · Last updated: 2026-06-26

Kensora is built around your privacy. This policy explains, in plain language, what stays on your device, what leaves it only when you choose, and what we never do. It covers the Kensora iOS app and this website (kensora.io), both operated by Kensora LLC ("Kensora," "we," "us"). Questions: privacy@kensora.io.

The short version

• Your journal, health readings, photos, contacts, calendar, location history, and any linked financial data stay on your device by default.
• We do not sell your data, run ads, or use your personal data to target you.
• The only personal data we hold off-device is what you knowingly send: your Sign in with Apple identifier, your email if you give one, and, only if you turn on the optional cloud chat, the messages you send plus the small slices of context it selects on your device to answer them (never your whole journal, health history, or calendar).
• The cloud chat is off by default and can be turned off at any time.
• Finding people you know is optional and off by default; if you turn it on, Kensora uploads only a one-way hash of your contacts' emails to find matches, never the emails themselves, and only shows people who chose to be findable.
• Kensora is intended for adults 18 and older.

What stays on your device

By design, the most sensitive things Kensora works with never leave your phone unless you explicitly choose to send them: your journal entries, your Apple Health readings, your photo library (Kensora labels what's in your photos on your device), your contacts, your calendar, and any map of places you've been (built and stored on-device only). Kensora reads these locally to be useful; opening the app does not upload them.

What we collect, and why

Account identity

You sign in with Apple. Apple gives Kensora a stable identifier (and, if you allow it, a name and a relay email). We use this only to establish your profile and sync your data through your own private store. There is no separate Kensora password to leak.

Health & fitness data (Apple Health)

If you connect Apple Health, Kensora reads signals such as sleep, activity, and heart-rate trends to make the day's guidance relevant. This data is processed on your device. It is never sold, never used for advertising, and never shared with third parties for their own purposes. See the Consumer Health Data Privacy Policy.

Location & weather context

To show weather and nearby-place context in the See area, Kensora sends an approximate, city-level location to Apple's weather and geocoding services. Only a coarse coordinate is sent, it is used only for that lookup, and Kensora does not store it or tie it to your account. This is separate from the map of places you've been, which is built and kept on your device only and is never uploaded. This context is on by default, and you can turn it off in Settings.

Email & contact

If you join the early-access list or email us, we keep the email address you provide so we can reach you.

Finding people you know (optional contact discovery)

Kensora can help you find which of your contacts already use Kensora, so you can invite them in the app. This is off by default, and it works two ways that both protect the actual addresses. To find people, Kensora creates a one-way hash (a scrambled fingerprint) of each contact's email on your device and sends only those hashes to check for matches; your contacts' real email addresses never leave your device, and you only see people who have themselves chosen to be findable. To be findable yourself, you can give an email, we send a one-time code to confirm it is yours, and we store only a hashed version of it linked to your account; you can turn this off or remove your email at any time, which deletes that entry. This directory holds only these hashes and a "findable" flag, never your messages, health data, or anything you have written. It matches on email only.

Payments

If you buy cloud credits, our payment processors (Apple and Stripe) handle the transaction. We receive confirmation that a purchase occurred and a record for your balance; we do not receive or store your full card number.

Financial data (optional, via Plaid)

Kensora can optionally connect to your bank or credit card accounts to power its budgeting features: seeing your spending, balances, upcoming bills, and recurring subscriptions inside the app. If you choose to link an account, the connection is made through Plaid Inc. You enter your bank credentials with Plaid directly, so Kensora never sees or stores your bank username or password. Through Plaid we receive read-only data: transactions, balances, and credit-card details such as due dates. Kensora cannot move money, make payments, or change anything in your accounts.

Your financial data is stored encrypted on your device, like your health data. Our server passes it through from Plaid to your device and does not keep a copy of that financial data; to keep the connection working, our server holds an encrypted Plaid access token, which is revoked when you unlink the account. It is never sold, never used for advertising, never used to train AI models, and never shared with anyone for their own purposes. You can unlink an account at any time in Settings, which stops all access; deleting your data or your account removes the financial data with it. You can also manage or revoke Plaid's connections directly at my.plaid.com. Plaid's own handling of your data is described in the Plaid End User Privacy Policy.

Website analytics

This website uses Plausible Analytics, a privacy-respecting, cookieless service. It collects only aggregate, anonymous usage data (page views, referrer, approximate country, device type) and does not store your IP address, use cookies, or track you across sites.

Diagnostics

Kensora keeps basic crash and performance diagnostics on your device to help us fix problems. They leave your device only if you choose to send them, by tapping Report a problem in Settings, which attaches the on-device log to an email you send us. Kensora does not collect crash or usage data automatically.

The optional cloud AI (and what it sends)

Kensora can use a cloud AI (Claude, by Anthropic) to help with the Kensora chat. It is off by default. When you turn it on and use it, the following leaves your device:

• The text of the messages you write in the Kensora chat.
• A short, app-generated "day digest" (e.g. sleep was short, a busy calendar) so replies are relevant.
• Small, relevant slices of context the app selects on your device, such as a short health signal, a brief journal excerpt, or a calendar item, only when it helps answer what you asked. Kensora does not upload your whole journal, full health history, or entire calendar.
• For people in your life, only a first name or a role ("your brother," "a coworker"), never phone numbers, emails, or your address book.
• Photos are described on your device by default. Richer cloud photo descriptions are a separate opt-in, off unless you choose them.
• Web search (optional, off by default). If you turn on web search for the on-device model, your search query is sent through Kensora to a search provider (Brave Search) to fetch results. Only the query is sent, not your health data, journal, or identity.
• Finances (optional, off by default). If you turn it on, relevant slices of your linked accounts (balances, recent spending, safe-to-spend) are sent only when they help answer what you asked, never your full financial history.
• Assessment scores (optional, off by default). If you turn it on, your recorded check-in scores (such as PHQ-9 or GAD-7) can be sent so the chat can reference your own numbers. They are never treated as a diagnosis.

You can narrow or turn off each category in Settings.

Who else is involved (service providers)

We share data only with the providers needed to run Kensora, and only for that purpose:

• Apple: Sign in with Apple, your private data sync, and in-app purchases.
• Anthropic: receives cloud-chat text to generate replies. Under Anthropic's commercial API terms this data is not used to train their models and is automatically deleted within 30 days. Where Anthropic offers Zero Data Retention and Kensora qualifies, we will enable it so this data is deleted sooner.
• Netlify: hosts this website and the chat proxy. The proxy forwards your request and keeps only a usage count for billing limits, not your message contents.
• Stripe: processes credit purchases made on the web.
• Plaid: if you link a bank or credit card account, Plaid connects to your financial institution and delivers read-only account data to your device. See Plaid's End User Privacy Policy.
• Brave Search, only if you turn on web search for the on-device model: receives a search query (sent through Kensora, which doesn't store it) to return results. Brave's handling of the query is governed by Brave's privacy policy.
• Neon, only if you use contact discovery: a managed database that stores the small "find people you know" directory (hashed emails and phone numbers mapped to accounts, plus a "findable" flag), never your messages, health data, or real email addresses or phone numbers.
• Resend, only if you choose to be findable by email: sends the one-time code that confirms you own the email you want to be found by. Resend is a U.S. provider that participates in the EU-US Data Privacy Framework and operates under a data processing agreement with us; it does not receive your health data or messages.
• Twilio, only if you choose to be findable by phone: sends and checks the one-time code that confirms you own the phone number you want to be found by. Twilio is a U.S. provider that operates under a data processing agreement with us; it receives only your phone number to text you the code, and does not receive your health data or messages.

What we never do

• We never sell your personal data.
• We never use your personal data to target advertising. There is no ad business.
• We never train our own models on your personal data, and we never sell it to be used as training data.
• We never message anyone on your behalf.
• We never embed third-party advertising, analytics, or tracking software in the Kensora app.

We do not make legal or similarly significant decisions about you through automated processing; any patterns Kensora surfaces are for your own reflection, not a diagnosis.

Safety

Kensora runs a deterministic, on-device safety check before anything is sent to the cloud. If a message contains crisis-related language, the app shows support resources (including 988), or, only if you've set one up, reminds you of your trusted contact. That text is handled entirely on your device and is never sent to the cloud. Kensora is not a crisis service and does not detect or prevent emergencies. See Safety & crisis resources.

Your privacy rights

Depending on where you live, you may have the right to access the personal data we hold, to correct or delete it, to obtain a copy, and to opt out of any "sale" or "sharing" of personal data. Kensora does not sell or share your personal data, and we will never discriminate against you for exercising a privacy right. Most of your data lives on your device and is yours to export or delete directly in Settings:

• Access & export your data from in-app Settings.
• Delete your chat history, or your account and all its data, from in-app Settings.
• Turn off the cloud chat at any time; new messages stop being sent immediately.
• Disconnect Apple Health or any connected device.
• Turn off contact discovery and remove your findable email at any time in Settings, which deletes the hashed entry that made you findable.

For anything held off-device, email privacy@kensora.io and we'll respond within 45 days (extendable once, with notice, where the law allows), and within 45 days for health-data requests.

Do Not Sell or Share / Global Privacy Control. We do not sell or share your personal information, so there is nothing to opt out of. If your browser sends a Global Privacy Control (GPC) signal on our website, we honor it; because we do not sell or share, no personal information is sold or shared regardless.

Limit sensitive data use. We use your sensitive health and wellbeing data only to provide the features you have turned on, never for advertising, profiling, or sale. You can further limit or stop this at any time by turning off a feature, disconnecting a source, or deleting the data in Settings.

California residents, categories of personal information.

In the past 12 months we have collected: identifiers (your Sign in with Apple identifier; your email if you provide one); commercial information (purchase records); internet or usage information (aggregate, cookieless website analytics); financial information (only if you link an account through Plaid, stored encrypted on your device); and sensitive personal information (health and wellbeing data you enter or connect, processed on your device). Sources: directly from you, your device, and the services you connect (Apple, Plaid). We disclose personal information only to the service providers described above, and only to operate the app. We do not sell or share personal information, and we do not use or disclose sensitive personal information beyond providing the service you requested.

Data retention

On-device data persists until you delete it or remove the app. Cloud-chat content sent to Anthropic is automatically deleted within 30 days under Anthropic's commercial API terms; where Anthropic offers Zero Data Retention and Kensora qualifies, we will enable it so this content is deleted sooner. Financial data from linked accounts lives only on your device and is removed when you unlink the account, delete your data, or remove the app. Purchase records are kept as long as needed for accounting and legal obligations.

Server function logs (metadata only, never message content) are kept for roughly 24 hours. Usage and credit-balance counters are kept while your account is active and deleted when you delete your account, except minimal purchase records we must keep for tax and accounting law (typically up to 7 years).

Children

Kensora is intended for adults 18 and older and is not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact privacy@kensora.io and we will delete it.

Security

We design Kensora to keep your most personal information on your device and to minimize what leaves it, and we maintain administrative, technical, and physical safeguards appropriate to the data we handle. No method of transmission or storage is perfectly secure, but security is a first-class goal, not an afterthought.

To report a security concern, email privacy@kensora.io.

If there's a data breach.

If we discover a breach affecting your identifiable health data, we will notify you and the appropriate regulators (including the Federal Trade Commission under the Health Breach Notification Rule) without undue delay and within the timelines the law requires, and tell you what happened, what data was involved, and what steps to take.

Changes to this policy

If we make material changes we'll update this page and the "last updated" date, and note significant changes in-app where appropriate.

Contact

Questions about privacy? Email privacy@kensora.io or hello@kensora.io.

You can also reach us by mail at: Kensora LLC, 701 South St., Ste 100, Mountain Home, AR 72653.

Read the Terms of Use → Consumer Health Data Policy → Safety & crisis resources →