🔒 Privacy First

Privacy Policy

We built WhoKin on a simple belief: your relationships are yours. Here's exactly what we collect, why, and how we protect it.

Effective date: 1 April 2025  ·  Last updated: 19 March 2026  ·  Version 1.2

The short version: WhoKin encrypts your relationship data on your device before it ever leaves. We don't sell your data. We don't use it for advertising. The AI features run on your interactions only to help you — never to profile you. You can delete everything at any time.

01

Who We Are

WhoKin is operated by WhoKin Ltd ("WhoKin", "we", "us", or "our"). We provide a personal relationship management app designed to help you stay meaningfully connected with the people who matter most.

For privacy questions or requests, contact our privacy team at privacy@whokin.app.

02

What We Collect

We collect only what's necessary to provide the service.

Category | Examples | Purpose | Encrypted?
Account data | Email address, display name | Authentication and account recovery | In transit (TLS)
Kin profiles | Names, phone numbers, emails, notes, relationship type, birthday | Core app functionality | ✅ AES on device + in transit
Interactions | Interaction type, date, notes you log | Pulse tracking, AI features | ✅ AES on device + in transit
AI insights | Facts, preferences, milestones extracted from your notes | Brief me, Catch-up, memory features | ✅ Stored encrypted
Usage data | Feature interactions (anonymous), crash reports | App improvement, bug fixing | Anonymised / no PII
Device data | OS version, app version, device model | Crash diagnostics, compatibility | No PII
Purchase data | Subscription tier, purchase timestamp | Feature access, billing | Handled by App Store / Play Store

What we do NOT collect

🚫 Contacts list: We never access your phone's contacts without explicit permission for import only.
🚫 Location data: We don't collect or track your location at any point.
🚫 Microphone / camera: We never access your microphone or camera.
🚫 Advertising IDs: We don't use IDFA, GAID, or any advertising identifiers.
03

How We Protect Your Data

WhoKin uses end-to-end AES encryption for all relationship content (kin profiles, interactions, notes, and AI insights). Encryption and decryption happen exclusively on your device using a key derived from your account credentials. This means:

🔐 On-device encryption: Data is encrypted before it leaves your device. Our servers never receive plaintext relationship data.
🌐 Encrypted in transit: All communication with our servers uses TLS 1.3. We enforce HTTPS everywhere.
🗄️ Encrypted at rest: Ciphertext stored on our servers cannot be read by WhoKin employees.
🤝 Shared kin: When you share a kin with a partner, both parties use the same encryption key scoped to that relationship.
04

AI Features & Third-Party AI Services

WhoKin uses AI to power three features: AI Catch-Up, Memory Extraction, and Smart Reach-Out Drafts. To provide these features, we send anonymised, encrypted excerpts of your notes to third-party AI providers.

AI providers we use

Provider | Feature | Data shared | Retention by provider
Anthropic (Claude) | Catch-Up Briefs, Smart Reach-Out Drafts | Interaction notes and kin context (decrypted in transit for this request only) | Per Anthropic's API data policy — no training on your data
OpenAI | Memory Extraction (fallback) | Interaction notes | Per OpenAI's API data policy — zero data retention option enabled

AI requests are made only when you trigger an AI feature. We do not batch-process your data in the background. We have data processing agreements (DPAs) with all AI providers. Your data is not used to train any AI models.

On-device AI

The pulse scoring system (warm / cooling / cold classification) runs entirely on-device using a lightweight TFLite model. No data is sent to any server for this feature.

05

Shared Kin Feature

When you invite a partner or family member to share a kin profile, both parties can view each other's logged interactions and AI insights for that specific person. By accepting a share invitation, you agree that the invitee will have read access to that kin's history within WhoKin.

Shared relationship data remains encrypted with the same guarantees as personal data. You can revoke sharing at any time from the kin's profile.

06

How We Use Your Data

We use your data strictly for the following purposes:

Purpose | Legal basis (GDPR)
Providing the WhoKin service and its features | Contract performance
Sending push notifications for cold pulses and birthdays (if enabled) | Consent (per-kin toggle)
Processing subscription payments via App Store / Play Store | Contract performance
Improving the app using anonymised usage data | Legitimate interest
Responding to your support requests | Legitimate interest / contract
Complying with legal obligations | Legal obligation

We do not sell, rent, or license your personal data to any third party for commercial purposes. We do not use your relationship data for advertising of any kind.

07

Data Retention

We retain your data for as long as your account is active. When you delete your account:

08

Your Rights

Depending on your location, you have the following rights over your personal data. To exercise any of them, email privacy@whokin.app.

Access: Request a copy of all personal data we hold about you.
Correction: Correct inaccurate or incomplete data. Most corrections can be made directly in the app.
Deletion: Delete your account and all associated data. Available in app under Settings → Delete Account.
Portability: Receive your data in a machine-readable format (JSON export).
Restriction: Request that we limit processing of your data in certain circumstances.
Objection: Object to processing based on legitimate interest (e.g. analytics).
Withdraw consent: Withdraw notification consent at any time in app Settings or device settings.
Complaint: Lodge a complaint with your local supervisory authority (e.g. ICO in the UK).

We will respond to all privacy requests within 30 days (GDPR) or 45 days (CCPA).

09

Children's Privacy

WhoKin is not directed at children under the age of 13 (or 16 in the EU/UK). We do not knowingly collect personal data from anyone under these ages. If we become aware that a child has provided us with personal data, we will delete it promptly. If you believe a child has provided us with their data, please contact privacy@whokin.app.

10

International Data Transfers

WhoKin operates globally. Your encrypted data may be stored on servers located outside your home country. Where data is transferred from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on:

11

Changes to This Policy

We may update this privacy policy from time to time. Material changes will be notified to you via in-app notification or email at least 14 days before they take effect. The "Last updated" date at the top of this page will always reflect the current version.

Continued use of WhoKin after a policy update constitutes acceptance of the revised policy.

Questions about your privacy?

Our privacy team is happy to help. We aim to respond within 2 business days.

privacy@whokin.app