Privacy Policy
Last updated 2026-07-17
This privacy policy covers two distinct processing activities, presented separately:
- The
usekayu.comwebsite — the marketing site you are currently reading. It is the subject of sections 1 to 8. - The Kayu mobile app — the iOS app downloaded from the App Store. Its broader processing is described in the "The Kayu app" section further down.
The data controller is the same for both: Lucas Tostee (see §1).
1. Who we are (the controller)
The usekayu.com website and the Kayu app are published by Lucas Tostee, sole proprietor (auto-entrepreneur / micro-entreprise regime), registered in France.
- Controller within the meaning of GDPR Art. 4(7): Lucas Tostee.
- Registered address: 66 rue des Remparts, 33000 Bordeaux, France.
- SIRET: 830 928 412 00014 (SIREN 830 928 412).
- Privacy contact:
app.kayu@gmail.com. - No Data Protection Officer (DPO) is appointed. The processing described does not require one under GDPR Art. 37: Kayu performs neither large-scale systematic monitoring nor large-scale processing of special-category data.
- Kayu is established in the European Union; no EU representative under GDPR Art. 27 is required.
2. What the website collects
The usekayu.com website is a marketing site. It has no form, no sign-up, no email capture, and no waitlist. It sets no advertising cookie and performs no cross-site tracking.
The site uses only the following:
- A locally stored country vote (
kayu-site-vote). If you indicate which country you would like Kayu to cover, your choice is stored in your browser'slocalStorage, on your device. This data contains no personal information, is tied to no identifier, and is never sent to a server: it only remembers that you have already voted. You can clear it at any time by clearing the site's data in your browser. - A language cookie (
NEXT_LOCALE). A strictly functional cookie that remembers your language preference (French or English) so the site displays in the right language. It is exempt from consent under Article 82 of the French Data Protection Act (a cookie strictly necessary for the service you requested). - Cookieless audience measurement (Vercel Web Analytics). See §3.
3. Website audience measurement (Vercel Web Analytics)
The site uses Vercel Web Analytics, a cookieless audience-measurement tool.
- Purpose: to measure site traffic in aggregate (page views, popular pages, approximate origin), in order to understand what interests visitors and improve the site.
- How it works: the tool sets no cookie, generates no persistent identifier, and does not track visitors across sites. Measurements are aggregated; no reusable individual record is built.
- Legal basis: legitimate interest (GDPR Art. 6(1)(f)) — knowing the traffic to our own marketing site, a routine interest whose impact on you is minimal since no profile is built and no data is sold.
- Retention: aggregate audience data is kept by Vercel for the duration of our analytics subscription (at most 24 months), then deleted or consolidated into anonymous statistics.
- Why there is no cookie banner: in line with the CNIL's guidance on audience measurement, an audience-measurement tool is exempt from consent when it is strictly limited to measuring the site's own audience, sets no cookie or tracker within the meaning of Article 82, does not cross-reference data with other processing, does not track browsing across sites, and does not serve advertising. Vercel Web Analytics meets these conditions: it is cookieless, has no cross-site tracking, and no advertising purpose. No consent banner is therefore required.
You retain a right to object to this legitimate-interest processing (GDPR Art. 21): write to us at app.kayu@gmail.com.
4. Who receives the website's data (processors)
- Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA) — host of the site and provider of the cookieless audience measurement. Acts as a processor under a Data Processing Agreement (DPA). Any transfers to the United States are safeguarded (see §6).
The marketing site itself shares no data with the other providers listed below: those are involved only for the mobile app (see the "The Kayu app" section).
5. Your rights (site and app)
Under GDPR (Articles 15 to 22) and Quebec Law 25 (sections 27 and following), you have the right to:
- Access (Art. 15) — obtain a copy of the data we hold about you.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — delete your data (for the app, via Settings → Account → Delete account).
- Restriction (Art. 18) — pause processing.
- Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Object (Art. 21) — object to legitimate-interest processing, including the site's audience measurement.
- Withdraw consent at any time where consent is the basis (Art. 7(3)).
To exercise these rights, write to app.kayu@gmail.com. We respond within one month (GDPR Art. 12(3)).
6. International transfers
The site's audience-measurement and hosting data may be processed by Vercel Inc. in the United States. This transfer is safeguarded by the European Commission's Standard Contractual Clauses (GDPR Art. 46) incorporated into Vercel's Data Processing Agreement, and where applicable by Vercel's certification under the EU–US Data Privacy Framework. No app data controlled by Kayu leaves the European Union (see the "The Kayu app" section).
7. Right to lodge a complaint
If you believe we have not handled your data correctly, you can complain to your supervisory authority. We will not retaliate.
- France (CNIL): Commission Nationale de l'Informatique et des Libertés, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07.
www.cnil.fr. - Quebec (Commission d'accès à l'information): 525, boulevard René-Lévesque Est, Bureau 2.36, Québec (Québec) G1R 5S9.
www.cai.gouv.qc.ca. - Other EEA users: your local supervisory authority — list at
https://edpb.europa.eu/about-edpb/about-edpb/members_en.
8. Changes to this policy
This policy may evolve as Kayu grows. The "Last updated" date at the top reflects the most recent change. Previous versions remain available in our public Git history.
The Kayu app
The section below concerns the Kayu mobile app (iOS), which is distinct from the marketing site above. The app processes more data because it lets you optionally create an account. The controller remains Lucas Tostee (§1) and the contact remains app.kayu@gmail.com.
A. What the app collects
In Phase 0 (the current, free, non-subscription phase), the app collects:
- Device identifier (UUID). Generated locally on first launch, sent with every backend request. Attributes usage to one installation without identifying you personally.
- Phone number (E.164 format). Only if you sign in with phone + SMS code. Stored in AWS Cognito as your account alias.
- Apple ID identifier (
sub) and associated email. Only if you sign in with Apple. Apple returns either your real address or a private relay address (@privaterelay.appleid.com). In Phase 0 this address is stored only — we send you no email. - Cognito user identifier (
cognitoSub). A UUID Cognito generates, anchoring your account across sessions. - Anonymous telemetry events (via TelemetryDeck). Such as
app_open,first_scan,drug_detail_view. They carry no drug names, search queries, free-text content, or your IP address (dropped at ingest). You can turn them off at any time in Settings → Privacy → Share usage analytics. - Backend logs (AWS CloudWatch). Request metadata, retained 30 days.
- Feedback, country votes, document requests. Stored in our Postgres database, anchored to your identifier.
- Pinned drugs, history, preferences. Stored locally on your device; not transmitted in Phase 0.
We do not collect: name, postal address, payment information, health data, biometric data, precise location, photos, contacts.
B. Purposes and legal bases (app)
| Data | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Phone number, Cognito identifier | Create and authenticate your account; deliver SMS codes | Performance of a contract (Art. 6(1)(b)) |
| Apple ID identifier | Authenticate you via Sign in with Apple | Performance of a contract (Art. 6(1)(b)) |
| Email address (Apple Sign-In) | Anchor your Apple identity to your account; reserved for Phase 1 marketing, only after explicit opt-in | (a) Contract (Art. 6(1)(b)) for storage; (b) Consent (Art. 6(1)(a)) for marketing, not active today |
| Device identifier | Attribute requests to one installation | Legitimate interest (Art. 6(1)(f)) |
| Telemetry events | Understand usage to improve the app | Legitimate interest (Art. 6(1)(f)) — opt-out available |
| Backend logs | Diagnostics, security, abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Feedback, votes, document requests | Roadmap and product quality | Legitimate interest (Art. 6(1)(f)) |
A Legitimate Interest Assessment (LIA) is documented for each legitimate-interest basis, available on request.
C. Recipients (app)
- AWS (Amazon Web Services EMEA SARL, Luxembourg). All backend services run in region eu-west-3 (Paris, France). AWS acts as a processor.
- Apple Inc. (Cupertino, California, USA). For Sign in with Apple, Apple acts as a separate, independent controller, under the EU–US Data Privacy Framework adequacy decision.
- TelemetryDeck (TelemetryDeck GmbH, Germany). Anonymous telemetry processor.
- Vercel Inc. (USA). Host of the marketing site (see §4); does not receive the app's account data.
We do not share your data with advertisers or data brokers.
D. Retention (app)
| Data | Retention |
|---|---|
| Cognito account (phone, identifiers) | Until account deletion; tokens expire 30 days after last sign-in |
| Email address (Apple) | Until account deletion or invalidation of the relay address on Apple's side |
| Backend logs (CloudWatch) | 30 days, then purged |
auth.signin events (deletion lookup) | 1 year, then purged |
| Anonymous telemetry events | 90 days (TelemetryDeck default) |
| Feedback, votes, document requests | While the account exists; anonymised on deletion |
| Pins / preferences (on device) | Until uninstall or app-data clear |
E. Account deletion
You can delete your account at any time from the app: Settings → Account → Delete account. Deletion runs immediately on the device and is propagated across our systems within 30 days (Cognito record, anonymised Postgres data, linking events). Local data is cleared on sign-out.
F. Automated decision-making and children
The app performs no automated decision-making with legal or similarly significant effects (GDPR Art. 22) and no profiling. The app is not directed at children under 15 (the French digital age of consent transposing GDPR Art. 8); the App Store age rating is 17+. If you believe a child has created an account, write to app.kayu@gmail.com.
This document was drafted with AI assistance and reflects regulatory requirements as understood on 17 July 2026. It is not a substitute for review by a licensed lawyer. Before any major change, review it against the current text of the cited regulations.