LEGAL

Privacy Policy

Last updated: June 2026 · Version 1.0

Korumind ("Kōru", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Kōru wellness platform at korumind.ai.

1. Who We Are

Kōru is a wellness platform operated by Korumind. We can be contacted at: hello@korumind.ai

For privacy-related requests, contact our Data Controller at: privacy@korumind.ai

2. What Personal Data We Collect

We collect the following categories of personal data when you use Kōru:

Account Data:

Full name, email address, password (stored as a secure hash — never plain text)
Account creation date and login history

Profile & Health Data (Special Category — requires explicit consent):

Age, gender identity, location
Height, weight, fitness level, physical injuries or limitations
Fitness goals, mindset goals, training schedule
Sleep patterns, wake time, stress levels, dietary preferences
Personal story, hobbies, strengths, personal challenges
Meditation practice, spiritual background and beliefs, life purpose

Activity Data:

Workout sessions and exercise completion records
Journal entries (text content, mood, type)
Food and nutrition logs, meal photos
Water intake records
AI coaching conversation history
Progress metrics and streak data

Technical Data:

IP address (collected at consent/signup for legal record)
Browser type and device information
Session tokens (stored as HTTP-only cookies)

3. Why We Collect Your Data (Legal Basis)

We process your data under the following legal bases:

Explicit Consent — for health data, spiritual data, and AI processing (you tick a box at signup)
Contract Performance — to provide the wellness services you signed up for
Legitimate Interests — for security, fraud prevention, and platform improvement
Legal Obligation — for compliance with applicable laws

4. Third-Party AI Providers — Important

⚠️ Your data is processed by third-party AI providers

To provide personalised coaching, meal plans, and wellness advice, your profile data is sent to external AI services. By using Kōru, you explicitly consent to this processing.

Google LLC (Gemini AI) — used for plan generation, nutrition analysis, meal suggestions, journal reflection. Privacy Policy: policies.google.com/privacy
Anthropic PBC (Claude AI) — optional AI coach provider. Privacy Policy: anthropic.com/privacy
OpenAI LLC (GPT) — optional AI coach provider. Privacy Policy: openai.com/privacy

We have Data Processing Agreements (DPAs) in place with each of these providers. Your data is used only to generate responses and is not used to train their models under our enterprise agreements.

5. How Long We Keep Your Data

Active account data — retained for as long as your account is active
After account deletion — all personal data deleted within 30 days
Consent records — retained for 7 years (legal compliance requirement)
Anonymised usage statistics — may be retained indefinitely

6. Your Rights

Depending on your location, you may have the following rights:

Right to Access — request a copy of all data we hold about you
Right to Rectification — correct inaccurate data
Right to Erasure — delete your account and all associated data
Right to Portability — export your data in a machine-readable format
Right to Restrict Processing — limit how we use your data
Right to Object — object to processing based on legitimate interests
Right to Withdraw Consent — withdraw consent at any time (does not affect past processing)

To exercise any of these rights, contact us at privacy@korumind.ai. We will respond within 30 days (GDPR) or 45 days (CCPA).

7. Data Security

Passwords are hashed using bcrypt with 12 salt rounds — we never store plain text passwords
Sessions use JWT tokens stored in HTTP-only cookies — not accessible to JavaScript
All database queries use parameterised statements to prevent SQL injection
Your GitHub repository is private — source code is not publicly accessible
API keys for all AI providers are stored server-side only — never exposed to browsers

8. Children's Privacy

Kōru is intended for users aged 18 and over. We do not knowingly collect data from children under 18. If you believe a child under 18 has created an account, please contact us immediately at privacy@korumind.ai and we will delete the account.

9. Cookies

Kōru uses one essential cookie: koru_token — an HTTP-only session cookie required for authentication. This cookie is essential for the service to function and does not require consent under most jurisdictions. We do not use advertising, tracking, or analytics cookies at this time.

10. International Data Transfers

Your data may be transferred to and processed in the United States and other countries where our AI providers operate. These transfers are covered by Standard Contractual Clauses (SCCs) and Data Processing Agreements with each provider.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by displaying a prominent notice in the app. Your continued use of Kōru after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy questions or requests: privacy@korumind.ai

For general enquiries: hello@korumind.ai

Korumind · korumind.ai

Terms & Conditions →← Back to Home