How Kivly protects your data

Updated January 17, 2025

Your privacy and data security are our top priorities. Here's how we protect your personal health information.

Encryption

Data in transit

All data transmitted between your device and our servers uses:

  • TLS 1.3 encryption (same as banks)
  • 256-bit encryption keys
  • Certificate pinning to prevent man-in-the-middle attacks

Data at rest

Your stored data is protected with:

  • AES-256 encryption
  • Encrypted databases
  • Secure key management (AWS KMS)

Compliance & Certifications

HIPAA Compliance

Kivly is fully HIPAA compliant:

  • Business Associate Agreements (BAA) available
  • Regular compliance audits
  • Staff trained in HIPAA requirements

SOC 2 Type II

We maintain SOC 2 Type II certification for:

  • Security
  • Availability
  • Confidentiality
  • Privacy

GDPR

For European users:

  • Right to access your data
  • Right to deletion
  • Right to portability
  • Data processing agreements

Access controls

Authentication

  • Multi-factor authentication (MFA) available
  • Biometric login (Face ID, Touch ID, fingerprint)
  • Session timeout after 30 days of inactivity
  • Password requirements (12+ characters, complexity)

Authorization

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews

Data practices

What we collect

  • Account information (name, email)
  • Wellness activities and progress
  • Device information (for app functionality)
  • Usage analytics (anonymized)

What we DON'T collect

  • Social security numbers
  • Financial information (handled by Stripe)
  • Unnecessary personal information
  • Data from other apps without permission

How we use your data

  • Provide personalized wellness recommendations
  • Track your progress
  • Improve our services
  • Send important updates (with your permission)

How we DON'T use your data

  • ✗ Sell to third parties
  • ✗ Share with advertisers
  • ✗ Use for unrelated purposes
  • ✗ Share without your consent

Security measures

Infrastructure

  • AWS cloud hosting (enterprise-grade security)
  • Redundant backups (multiple geographic locations)
  • DDoS protection
  • 24/7 security monitoring

Application security

  • Regular security audits
  • Penetration testing (quarterly)
  • Dependency scanning
  • Secure code review

Team practices

  • Background checks for all employees
  • Security training (annual)
  • Limited data access (need-to-know basis)
  • Confidentiality agreements

Your privacy controls

Data visibility

Control who sees your information:

  • Profile visibility (public, friends, private)
  • Activity sharing preferences
  • Community participation level

Data export

Download your data anytime:

  1. Settings → Privacy
  2. Click "Download my data"
  3. Receive export within 48 hours

Account deletion

Permanently delete your account:

  1. Settings → Account
  2. Click "Delete account"
  3. Confirm deletion
  4. Data deleted within 30 days

Learn more about account deletion

Incident response

If a breach occurs

We will:

  1. Contain and investigate immediately
  2. Notify affected users within 72 hours
  3. Provide guidance and support
  4. Report to authorities as required

Report security concerns

Found a vulnerability? Contact our security team

We offer a bug bounty program for responsible disclosure.

Third-party services

We carefully vet all third-party services:

  • Stripe - Payment processing (PCI DSS Level 1)
  • AWS - Cloud hosting (SOC 2, ISO 27001)
  • SendGrid - Email delivery (SOC 2)

All partners sign data processing agreements.

Transparency

Privacy Policy

Read our full Privacy Policy for complete details.

Data Subprocessors

View our list of subprocessors (updated quarterly).

Security Updates

Follow our security blog for updates.

Questions?

Contact our Data Protection Officer:

We respond to privacy inquiries within 5 business days.
