Privacy Policy
Last updated: June 2026 · Version 1.0
Koru Labs LLC ("Kōru", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Kōru wellness platform at korumind.ai.
1. Who We Are
Kōru is a wellness platform operated by Koru Labs LLC. We can be contacted at: hello@korumind.ai
For privacy-related requests, contact our Data Controller at: privacy@korumind.ai
2. What Personal Data We Collect
We collect the following categories of personal data when you use Kōru:
Account Data:
- Full name, email address, password (stored as a secure hash — never plain text)
- Account creation date and login history
Profile & Health Data (Special Category — requires explicit consent):
- Age, gender identity, location
- Height, weight, fitness level, physical injuries or limitations
- Fitness goals, mindset goals, training schedule
- Sleep patterns, wake time, stress levels, dietary preferences
- Personal story, hobbies, strengths, personal challenges
- Meditation practice, spiritual background and beliefs, life purpose
Activity Data:
- Workout sessions and exercise completion records
- Journal entries (text content, mood, type)
- Food and nutrition logs, meal photos
- Water intake records
- AI coaching conversation history
- Progress metrics and streak data
Technical Data:
- IP address (collected at consent/signup for legal record)
- Browser type and device information
- Session tokens (stored as HTTP-only cookies)
3. Why We Collect Your Data (Legal Basis)
We process your data under the following legal bases:
- Explicit Consent — for health data, spiritual data, and AI processing (you tick a box at signup)
- Contract Performance — to provide the wellness services you signed up for
- Legitimate Interests — for security, fraud prevention, and platform improvement
- Legal Obligation — for compliance with applicable laws
4. Third-Party AI Providers — Important
⚠️ Your data is processed by third-party AI providers
To provide personalised coaching, meal plans, and wellness advice, anonymised wellness data is sent to external AI services. By using Kōru, you explicitly consent to this processing.
What we send to AI providers:
- Anonymous wellness profile: age, gender, fitness level, height, weight, physical limitations
- Goals: fitness goal, mindset goal, training frequency
- Lifestyle: stress level, dietary preference
- Personal context: hobbies, strengths, personal story, spiritual background, life purpose
- Activity data: workout logs, journal entries, food logs, water intake
What we never send to AI providers:
- Your name
- Your email address
- Your location
- Any other personally identifiable information (PII)
AI providers used:
- Google LLC (Gemini AI) — used for all AI features: coach, plan generation, nutrition analysis, meal suggestions, journal reflection, daily briefings. Privacy Policy: policies.google.com/privacy
All data sent to AI providers is used solely to generate your personalised responses and is not used to train their models.
5. How Long We Keep Your Data
- Active account data — retained for as long as your account is active
- After account deletion — all personal data deleted within 30 days
- Consent records — retained for 7 years (legal compliance requirement)
- Anonymised usage statistics — may be retained indefinitely
6. Your Rights
Depending on your location, you may have the following rights:
- Right to Access — request a copy of all data we hold about you
- Right to Rectification — correct inaccurate data
- Right to Erasure — delete your account and all associated data
- Right to Portability — export your data in a machine-readable format
- Right to Restrict Processing — limit how we use your data
- Right to Object — object to processing based on legitimate interests
- Right to Withdraw Consent — withdraw consent at any time (does not affect past processing)
To exercise any of these rights, contact us at privacy@korumind.ai. We will respond within 30 days (GDPR) or 45 days (CCPA).
7. Data Security
- Passwords are hashed using bcrypt with 12 salt rounds — we never store plain text passwords
- Sessions use JWT tokens stored in HTTP-only cookies — not accessible to JavaScript
- All database queries use parameterised statements to prevent SQL injection
- Your GitHub repository is private — source code is not publicly accessible
- API keys for all AI providers are stored server-side only — never exposed to browsers
8. Children's Privacy
Kōru is intended for users aged 18 and over. We do not knowingly collect data from children under 18. If you believe a child under 18 has created an account, please contact us immediately at privacy@korumind.ai and we will delete the account.
9. Cookies
Kōru uses one essential cookie: koru_token — an HTTP-only session cookie required for authentication. This cookie is essential for the service to function and does not require consent under most jurisdictions. We do not use advertising, tracking, or analytics cookies at this time.
10. International Data Transfers
Your data may be transferred to and processed in the United States where our AI provider (Google) operates. These transfers are covered by Standard Contractual Clauses (SCCs) and our Data Processing Agreement with Google.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by displaying a prominent notice in the app. Your continued use of Kōru after changes constitutes acceptance of the updated policy.
12. Contact Us
For privacy questions or requests: privacy@korumind.ai
For account or product support: support@korumind.ai
For general enquiries: hello@korumind.ai
Koru Labs LLC · korumind.ai