Kinship Privacy Policy
Effective date: 2026-06-05
Last updated: 2026-07-10
Version: v2.0 — product scope
Replaces: Privacy Policy v1.1 (pre-launch invite phase), archived at /legal/privacy/invite-phase.
0. Plain-English summary
- We are S4 Solutions, LLC ("S4", "we"). We operate Kinship at
kinshiprm.appand the in-product surface atmy.kinshiprm.app. - Kinship is a personal relationship manager. The data you give us is your contacts and what you remember about them. That data is sensitive. We treat it that way.
- We do not sell your data. We do not show ads inside the product. We do not train AI models on your data, and our AI subprocessors contractually do not use your inputs to train their models.
- Free tier never talks to any third-party AI model. Paid AI features only run after you opt in, on the specific note or query you point them at.
- You can export and delete your account from the in-product Settings (the export endpoint is on the GA punch list — see §11.2 — until then, ask us at /contact?topic=privacy).
- Today we offer Kinship to people in the United States. We do not yet target the EU, UK, Australia, or other jurisdictions; see §13 for what that means for your rights.
The rest of this policy is the long version.
1. Who we are and what this policy covers
The controller of your personal data is S4 Solutions, LLC, a Georgia limited liability company ("S4", "we", "us", "Kinship"). This policy describes how we collect, use, store, and share personal data through the Kinship product surface — the marketing site at kinshiprm.app and the application at my.kinshiprm.app and any sub-domain we operate as part of the Service.
- Privacy contact / DSAR: privacy@kinshiprm.app, /contact?topic=privacy, or /legal/data-request. The dedicated privacy mailbox forwards to founder and Counsel; we publish it per CCPA §1798.130(a)(1)(A) ("designated methods").
- General contact: /contact?topic=support.
- Response SLAs: privacy questions within 48 hours; data-rights requests within the deadlines in §11.
This policy supersedes Privacy Policy v1.0 of 2026-05-14 (the pre-launch invite-phase policy). v1.0 remains archived at /legal/privacy/invite-phase to document what we promised invite-form submitters.
2. The categories of personal data we process
2.1 Account data
Created when you sign up. Source: you, via Google or Microsoft OAuth (we do not offer email/password sign-up).
- Account email address, profile name, profile picture URL (from OAuth claim).
- Account creation, last sign-in, MFA enrollment, and plan-tier timestamps.
- A separate
profile.display_nameyou may set or change.
2.2 Contacts and the notes you keep on them
Created when you add a contact, take notes against them, log activities, or record life events.
- Contacts: name, email(s), phone(s), organization, role, tags, free-text fields you fill in.
- Activities: free-text "raw notes" you write, dates, the contact they relate to, an optional AI-generated summary (only if AI Features are on; see §3).
- Life events: title, description, date, the contact it belongs to.
- Snapshot shares you create: a frozen JSONB copy of the contact at the moment you shared it, the recipient email, the expiry time, and any revocation event.
This is the most sensitive category of data we hold. We treat this data as highly sensitive for design purposes (encryption, RLS, AI gating) regardless of whether U.S. law classifies it that way.
2.3 Integration data
Created when you connect a Google or Microsoft account. All scopes are read-only. See audit §5 for the per-scope inventory.
- The OAuth access/refresh tokens for the connected account (stored encrypted at rest; held in Supabase Auth's secure vault).
- The minimum metadata we need to do the sync: for contacts, the entries you have in Google Contacts / Outlook Contacts; for calendar/mail, subject/snippet/from/to/date metadata only — never message bodies.
- A pointer back to the source (so we can deduplicate and so you can disconnect).
We never send email, create calendar events, or write to any connected system on your behalf.
2.4 AI feature data (paid tier, opt-in)
Created only when you have a paid plan, you have opted into AI Features in onboarding or /settings/privacy, and you invoke a feature.
- The note/activity/query you direct the feature to operate on (sent to the AI subprocessor for that request — see §3).
- The structured "contact document" we build for natural-language search embedding (your contact's name, current role+org, tags, up to 20 activity summaries-or-notes, life events; see
lib/ai/embeddings.ts buildContactDocument). - The AI-generated outputs we choose to store back against your account (summaries, suggestions).
- A row in
ai_invocation_logrecording feature name, plan tier, consent status, success/denial reason, and timestamps — used for auditability, debugging, and (in aggregate) for the AI-denial alerting cron.
2.5 Billing data
Created when you start a paid subscription.
- Your Stripe customer ID, current subscription state and price, and the email Stripe surfaces back to us in webhooks.
- Cardholder data is processed by Stripe directly. We never see or store payment-card numbers.
2.6 Communications and support data
- Messages you send through
/contact, including topic, free text, your email, and any attached information. - Email correspondence with us (privacy, support, legal).
- In-app feedback you submit through the feedback form, including the page/version metadata so we can investigate.
2.7 Telemetry and operational data
- HTTP request metadata (IP, user-agent, path, referrer, timing) recorded by Vercel platform logs.
- Sentry error reports with PII stripped (email/name/IP redacted by
sentry.client.config.tsandsentry.server.config.ts). - Aggregate Google Analytics 4 events (consent-gated; ad signals hard-denied; IP anonymized; no cross-site tracking).
- Rate-limit and OTP counters (Upstash Redis / Vercel KV) keyed on hashed identifiers (IP, email-hash, account ID).
2.8 What we do not collect
We do not collect: government identifiers, biometric data, precise geolocation, financial-account numbers beyond the Stripe surface above, the contents of OAuth-connected mail bodies, or any "sensitive personal information" under Cal. Civ. Code § 1798.140(ae) except for "account log-in credentials" that we hold solely as the integration OAuth tokens described in §2.3.
3. AI Features and AI subprocessors
This is the area users tell us they care about most. Read this whole section before opting in.
3.1 Default posture
- AI Features are paid-tier only. Free-tier user content is never transmitted to any third-party large-language-model or embedding provider. This is enforced server-side in
lib/ai/gate.ts, not just by hiding UI. - Even on paid plans, AI Features are off by default. You must explicitly opt in (
/onboardingor/settings/privacy). You may opt out at any time; opt-out is immediate for new requests.
3.2 Which AI subprocessors process what
| Subprocessor | Used for | What we send | What we don't send |
|---|---|---|---|
Anthropic, PBC (claude-sonnet-4-6) | Note summarization, follow-up prompts, NL-search reranking, relationship-health digests | The specific note, activity, or query you direct the feature at, plus minimal scoping metadata | Full address book, OAuth tokens, payment information, other users' content |
Voyage AI Innovations, Inc. (voyage-3) | Embeddings that power natural-language search | The structured "contact document" — typically the contact's name, current role+org, tags, up to 20 activity summaries-or-notes, life-event titles+descriptions (buildContactDocument) | Anything for a contact whose ai_summarize_disabled=true, anything from free-tier users, anything from users without AI consent |
Both Anthropic and Voyage contractually do not use our inputs or outputs to train their models, under their commercial terms in force on the policy effective date. Per their respective stated retention windows, prompts may be retained for up to 30 days for trust-and-safety review and then deleted.
3.3 Notice and consent for Voyage AI
If you turned on AI Features under a version of our disclosure earlier than v1.3.0, Voyage AI was not enumerated by vendor at the time you consented. Embedding requests for your account are paused until you (a) see an in-product modal that names Voyage, the data sent, the U.S. processing location, and Voyage's up-to-30-day retention; and (b) explicitly acknowledge it. Anthropic-backed AI Features continue to operate because Anthropic was enumerated in v1.2.0.
3.4 Separation of raw notes and AI outputs
Your raw notes and any AI-generated summary are stored separately. Deleting AI output does not delete your raw notes; deleting raw notes does not retroactively delete an AI output already saved. Revoking AI consent nulls future AI summaries but preserves your raw notes (per DEC-009).
3.5 30-day notice before adding or replacing an AI subprocessor
This is the contractual commitment in ToS §6 and is restated here.
4. Integrations
The full integration story is in the Subprocessor List. Summary:
- Google (Contacts/Gmail/Calendar/Tasks):
*.readonlyonly. Mail/calendar bodies are not stored; only subject/snippet/from/to/date metadata for activity-logging purposes. - Microsoft Graph (Outlook Contacts/Mail/Calendar/Tasks): same posture as Google.
- LinkedIn: Archive-import only. Your browser parses files from your LinkedIn data export and we store the parsed rows in Supabase. We do not call any LinkedIn API; we use no LinkedIn scrapers or unofficial intermediaries. Parsed files and the purpose of each:
connections.csv— contact records (name, company, title); creates person entries in your CRM.messages.csv— conversation metadata (sender, recipients, date, message body); stored as activity records linked to matching contacts.invitations.csv— sent/received invitation events and any attached note; stored as activity records linked to matching contacts.Contacts.csv— contact-method enrichment (email addresses, phone numbers) added to existing persons only; never creates new person entries (enrich-only, per DEC-014).Recommendations_Given.csv/Recommendations_Received.csv— recommendation text; stored as activity records linked to matching contacts.Endorsement_Given_Info.csv/Endorsement_Received_Info.csv— skill endorsement events; stored as activity records linked to matching contacts.
Disconnecting an integration in /settings/integrations revokes the OAuth grant on our side and deletes the stored token. Source-side data already imported is yours to delete from the relevant contact records.
5. Lawful bases for processing (where it matters)
Under U.S. law, lawful-basis disclosure is generally optional. We disclose it here because we plan to operate in higher-protection jurisdictions later and because the discipline is good for us.
| Data category | Lawful basis (GDPR Art. 6 / CCPA "business purpose") |
|---|---|
| Account data (§2.1), billing data (§2.5), communications (§2.6) | Contract — necessary to provide the Service you signed up for. |
| Contacts/notes/life events (§2.2) — about the user themselves | Contract — we process this data to provide the Service to you. |
| Contacts/notes/life events (§2.2) — about third parties in the user's address book | Legitimate interest (GDPR Art. 6(1)(f)) as a personal-CRM service provider acting on behalf of the user, who is the controller of the contact record. Subject to the third-party rights process at §11.6. |
| Integration data (§2.3) | Consent — at OAuth grant; revocable at any time by disconnecting. |
| AI feature data (§2.4) | Consent — opt-in in onboarding or settings; revocable at any time. |
| Telemetry (§2.7) for security, fraud, abuse | Legitimate interest — minimum necessary, no advertising use, anonymized where possible. |
| GA4 (§2.7) | Consent — cookie banner; consent-gated, no ad signals. |
| Legal claims, compliance with subpoenas | Legal obligation. |
6. How long we keep your data (retention schedule)
| Data category | Retention |
|---|---|
Account record (profile) | Lifetime of account; deleted within 30 days of account deletion. |
| Contacts, activities, life events | Lifetime of account; deleted within 30 days of account deletion, except backup retention below. |
| AI summaries and embeddings | Lifetime of the underlying contact / activity, or until you revoke AI consent (summaries are nulled at revocation per DEC-009). |
| Raw notes | Lifetime of account; deletion is independent of AI summaries. |
| OAuth refresh tokens (Google/Microsoft) | Until you disconnect the integration. |
| Vercel runtime logs | 24 hours rolling on Vercel Pro. |
| Vercel build logs | 30 days. |
| Sentry error reports | 30 days. |
| GA4 raw events | 2 months (admin-set). |
| Rate-limit / OTP counters | Auto-expire on rolling windows; no long-term storage. |
| Supabase point-in-time-recovery backups | 7 days on the Supabase Pro tier. |
ai_invocation_log (auditability) | Lifetime of account, then 90 days post-deletion after we replace user_id with an HMAC-hashed identifier (mirrors the DSAR audit-log pattern in this table). Raw user_id is not retained past account deletion. |
| DSAR audit log (identifier-hashed) | 24 months (legal-defense; identifiers are HMAC-hashed). |
| Email correspondence with us | Up to 36 months, or sooner on request. |
| Snapshot-share records | 7 days from creation (the share itself), plus 24 months of revocation audit. |
In-app self-delete. Account deletion confirmed from in-app account settings is immediate and final, with no post-deletion export window. Encrypted backups age out as stated above.
7. How we secure your data
- Encryption in transit: TLS for all client-server and server-vendor traffic.
- Encryption at rest: Supabase-managed AES-256 on database + storage.
- Row-level security (RLS): every Supabase table that holds account-scoped data carries an RLS policy keyed on
auth.uid(). - OAuth scopes: read-only across every integration tier.
- AI gating: a single chokepoint in
lib/ai/gate.tsenforces plan tier, consent version, opt-out, and age-gate before any third-party AI call. - MFA: available via Supabase Auth.
- Auditing:
ai_invocation_log, share-revocation audit, and DSAR audit log. - Vulnerability disclosure: email security@kinshiprm.app. We will acknowledge a report within 5 business days.
8. Subprocessors and where data is processed
Our full subprocessor list — Anthropic, Voyage AI, Google, Microsoft, Supabase, Vercel, Stripe, Resend, Sentry, Upstash — lives at /legal/subprocessors. Each entry names the legal entity, role, data categories sent, processing location, and a link to the vendor's DPA and privacy doc.
All current subprocessors process personal data in the United States. We do not currently offer the Service to users outside the United States; signups from outside the supported jurisdictions are routed to a waitlist. If and when we begin serving non-U.S. users, this section will be updated to describe the transfer mechanisms we rely on (e.g., EU Standard Contractual Clauses + UK Addendum).
9. Sharing your data
We do not sell or rent personal data to anyone. We share with:
- Subprocessors (§8) — strictly for the purposes named, under DPA.
- Snapshot share recipients you yourself designate — only the frozen snapshot you choose to share, only at the link you generated, only until you revoke or the 7-day expiry hits. ToS §8 representations attach to your share action.
- Legal disclosures — when required by valid legal process. We will fight overbroad requests where it makes sense.
- Successor entities in a merger, acquisition, or asset sale — under the same or stronger privacy commitments. We will notify users via in-product banner and email at least 30 days before the transfer, except where prohibited by law.
We do not share with: advertising networks, data brokers, employers, recruiters, outplacement firms, or training-data buyers.
10. Cookies and similar technologies
The marketing site at kinshiprm.app uses GA4 cookies (only if you accept the cookie banner) and the standard set of essential cookies the app needs to maintain your session and prevent CSRF. We do not use advertising cookies, beacons, or pixels.
We do not respond to "Do Not Track" (DNT) signals. We do not engage in behavioral advertising or cross-site tracking. If you decline analytics cookies in our cookie banner, Google Analytics 4 will not load.
11. Your rights and how to exercise them
11.1 Rights available to all users
- Access — request a copy of the data we hold about you.
- Correct — fix anything that is wrong. Contact and profile edits are self-service in the app.
- Delete — your account and the data tied to it. Self-service in
/settings/delete-account. Deletion is immediate; there is no soft-delete grace window today. A self-service export endpoint and a 30-day post-termination export window are on the GA punch list; until they ship, request your data via /legal/data-request per §11.2. - Withdraw consent — for AI Features (
/settings/privacy), for OAuth integrations (/settings/integrations), for marketing-site GA cookies (cookie banner). - Submit a DSAR for someone else's data we may hold — through the public form at /legal/data-request, with email/OTP identity verification.
11.2 Self-service data export
Self-service data export from /settings/export is on the punch list. Until that ships, use /contact?topic=privacy and we will return a structured JSON export within 30 days.
11.3 California (CCPA / CPRA) notices
- Categories of personal information collected — see §2.
- Categories of sources — directly from you, from Google/Microsoft OAuth when you connect those accounts, from CSV files you upload, from your own browsing of the Service.
- Categories of recipients — the subprocessors at §8.
- Purposes of collection and use — providing the Service per §3, §4, §6.
- We do not sell or share personal information as those terms are defined in the CCPA, including for cross-context behavioral advertising. There is therefore no "Do Not Sell or Share My Personal Information" link to publish, but if you wish to make a formal request you may do so through /legal/data-request.
- Right to limit use of sensitive personal information — the only category we hold that qualifies is OAuth credentials (§2.3), which we already restrict to providing the integration. You may revoke at any time in
/settings/integrations. - We will not discriminate against you for exercising your rights.
11.4 Virginia, Colorado, Connecticut, Utah, Texas, and similar U.S. state laws
You have access, correction, deletion, and opt-out (of sale, targeted advertising, profiling for legal-effect decisions) rights. Sale, targeted advertising, and consequential profiling do not occur in Kinship. The other rights are available through the same channels as §11.1.
11.5 Children
The Service is not directed at children under the applicable age of digital consent in your jurisdiction (13 in the United States under COPPA; 13–16 in EU member states, depending on jurisdiction), and Kinship is 18+ under ToS §2. We do not knowingly collect data from children. If you believe we have done so, contact us and we will delete it.
11.6 If you are a contact in a Kinship user's account
Kinship's content store includes information that Kinship users have recorded about other people — that is, about you, if a Kinship user has added you as a contact. If you believe a Kinship user is storing information about you and you want to exercise rights over that data, contact us at /legal/data-request or privacy@kinshiprm.app.
Because the relevant data is held under another user's account, our default action is to route the request to that account holder, who is the controller of the contact record. We will act on our own to delete a contact record on credible evidence of harassment, doxxing, or other unlawful retention, or where a deletion request comes with a court order or comparable legal process.
12. International data transfers
We are a U.S. company. All current subprocessors process data in the United States. If you access the Service from outside the U.S., your data is transferred to the U.S. for processing.
Today we do not target the EU, UK, Australia, Canada, or any non-U.S. jurisdiction. Signups from outside the supported jurisdictions are routed to a waitlist (SignupWaitlistGate); see lib/geo.ts.
If and when we begin serving non-U.S. users, we will publish an update to this section identifying the transfer mechanisms we rely on (e.g., EU Standard Contractual Clauses + UK Addendum) and any additional safeguards.
13. Australia notice
We do not currently offer the Service in Australia. The signup geo-gate routes Australian IPs to a waitlist. If we begin offering the Service to Australian residents, we will update this section to describe our Australian Privacy Principles posture and our handling of overseas disclosures under APP 8.
14. Children's privacy
Kinship is offered to adults aged 18+. We do not knowingly collect data from anyone under the applicable age of digital consent in your jurisdiction (13 in the United States under COPPA; 13–16 in EU member states, depending on jurisdiction). If we discover we have collected such data, we will delete it.
15. Changes to this policy
We will post material changes here, with the new effective date and a changelog at the bottom. For changes that materially expand the data we collect or the parties we share with, we will give at least 30 days' notice via in-product banner and email to paid-plan account holders before the change takes effect.
For changes to the Subprocessor List — including any addition or replacement of an AI subprocessor — the 30-day notice in ToS §6 controls.
16. Contact us about privacy
- DSAR / formal data-rights requests: /legal/data-request.
- Other privacy questions: /contact?topic=privacy.
- Privacy mailbox: privacy@kinshiprm.app.
- We aim to respond within 48 hours to questions and within the deadlines in §11 for rights requests.
Changelog
- 2026-06-05 — v2.0. First product-scope Privacy Policy. Supersedes the invite-phase Privacy Policy v1.1, which is archived at /legal/privacy/invite-phase.