Skip to main content
Kayu

Privacy Policy

Last updated 2026-07-17

This privacy policy covers two distinct processing activities, presented separately:

  1. The usekayu.com website — the marketing site you are currently reading. It is the subject of sections 1 to 8.
  2. The Kayu mobile app — the iOS app downloaded from the App Store. Its broader processing is described in the "The Kayu app" section further down.

The data controller is the same for both: Lucas Tostee (see §1).

1. Who we are (the controller)

The usekayu.com website and the Kayu app are published by Lucas Tostee, sole proprietor (auto-entrepreneur / micro-entreprise regime), registered in France.

2. What the website collects

The usekayu.com website is a marketing site. It has no form, no sign-up, no email capture, and no waitlist. It sets no advertising cookie and performs no cross-site tracking.

The site uses only the following:

3. Website audience measurement (Vercel Web Analytics)

The site uses Vercel Web Analytics, a cookieless audience-measurement tool.

You retain a right to object to this legitimate-interest processing (GDPR Art. 21): write to us at app.kayu@gmail.com.

4. Who receives the website's data (processors)

The marketing site itself shares no data with the other providers listed below: those are involved only for the mobile app (see the "The Kayu app" section).

5. Your rights (site and app)

Under GDPR (Articles 15 to 22) and Quebec Law 25 (sections 27 and following), you have the right to:

To exercise these rights, write to app.kayu@gmail.com. We respond within one month (GDPR Art. 12(3)).

6. International transfers

The site's audience-measurement and hosting data may be processed by Vercel Inc. in the United States. This transfer is safeguarded by the European Commission's Standard Contractual Clauses (GDPR Art. 46) incorporated into Vercel's Data Processing Agreement, and where applicable by Vercel's certification under the EU–US Data Privacy Framework. No app data controlled by Kayu leaves the European Union (see the "The Kayu app" section).

7. Right to lodge a complaint

If you believe we have not handled your data correctly, you can complain to your supervisory authority. We will not retaliate.

8. Changes to this policy

This policy may evolve as Kayu grows. The "Last updated" date at the top reflects the most recent change. Previous versions remain available in our public Git history.


The Kayu app

The section below concerns the Kayu mobile app (iOS), which is distinct from the marketing site above. The app processes more data because it lets you optionally create an account. The controller remains Lucas Tostee (§1) and the contact remains app.kayu@gmail.com.

A. What the app collects

In Phase 0 (the current, free, non-subscription phase), the app collects:

We do not collect: name, postal address, payment information, health data, biometric data, precise location, photos, contacts.

DataPurposeLegal basis (GDPR Art. 6)
Phone number, Cognito identifierCreate and authenticate your account; deliver SMS codesPerformance of a contract (Art. 6(1)(b))
Apple ID identifierAuthenticate you via Sign in with ApplePerformance of a contract (Art. 6(1)(b))
Email address (Apple Sign-In)Anchor your Apple identity to your account; reserved for Phase 1 marketing, only after explicit opt-in(a) Contract (Art. 6(1)(b)) for storage; (b) Consent (Art. 6(1)(a)) for marketing, not active today
Device identifierAttribute requests to one installationLegitimate interest (Art. 6(1)(f))
Telemetry eventsUnderstand usage to improve the appLegitimate interest (Art. 6(1)(f)) — opt-out available
Backend logsDiagnostics, security, abuse preventionLegitimate interest (Art. 6(1)(f))
Feedback, votes, document requestsRoadmap and product qualityLegitimate interest (Art. 6(1)(f))

A Legitimate Interest Assessment (LIA) is documented for each legitimate-interest basis, available on request.

C. Recipients (app)

We do not share your data with advertisers or data brokers.

D. Retention (app)

DataRetention
Cognito account (phone, identifiers)Until account deletion; tokens expire 30 days after last sign-in
Email address (Apple)Until account deletion or invalidation of the relay address on Apple's side
Backend logs (CloudWatch)30 days, then purged
auth.signin events (deletion lookup)1 year, then purged
Anonymous telemetry events90 days (TelemetryDeck default)
Feedback, votes, document requestsWhile the account exists; anonymised on deletion
Pins / preferences (on device)Until uninstall or app-data clear

E. Account deletion

You can delete your account at any time from the app: Settings → Account → Delete account. Deletion runs immediately on the device and is propagated across our systems within 30 days (Cognito record, anonymised Postgres data, linking events). Local data is cleared on sign-out.

F. Automated decision-making and children

The app performs no automated decision-making with legal or similarly significant effects (GDPR Art. 22) and no profiling. The app is not directed at children under 15 (the French digital age of consent transposing GDPR Art. 8); the App Store age rating is 17+. If you believe a child has created an account, write to app.kayu@gmail.com.


This document was drafted with AI assistance and reflects regulatory requirements as understood on 17 July 2026. It is not a substitute for review by a licensed lawyer. Before any major change, review it against the current text of the cited regulations.

Back to home