Privacy Policy
Kivaia – an app by ClayFactor GmbH
Effective: June 2026
At a Glance
We built Kivaia privacy-first. This Privacy Policy describes what that means in detail.
The most important point in one sentence: Your data only leaves your device when you explicitly trigger it — for example, for an AI analysis or when you actively share content.
What this means in practice:
- For your health, activity, and journal data we operate no servers of our own — it stays locally on your device.
- When you actively share content in the app (sharing features, e.g. a recipe via link), we store a temporary copy on our server in Germany for 30 days. Anyone who has the link can view and forward the shared content — see §3.7 for details.
- We never sell data to third parties.
- You can delete your Kivaia account in the app at any time.
1. Controller
The controller responsible for data processing is:
ClayFactor GmbH
Herderstraße 38
66292 Riegelsberg, Germany
Commercial Register: HRB 111746 (Local Court Saarbrücken)
Managing Director: Jens Thelemann
Contact for data protection inquiries:
Email: privacy@clayfactor.com
2. Data Minimisation as a Founding Principle
Kivaia is a lifestyle app that supports you in maintaining a balanced lifestyle and exploring longevity topics. It is built to operate with minimal data processing:
- No central server for your health and journal data — exceptions are actively triggered sharing features (see §3.7) and pseudonymous trial management.
- Minimal account management — Sign in with Apple is optional; for trial management we store only pseudonymous identifiers that cannot be directly reversed and delete active account bindings when you delete the account.
- No proprietary telemetry and no advertising tracking.
- No cookies, no third-party scripts in the app.
- No data sharing with third parties, except the processors named in section 4.
3. What Data Is Processed?
3.1 Data You Enter
You enter this data in the app and it stays on your device.
Profile data (optional):
- First name
- Date of birth (for age-appropriate calculations and recommendations)
- Profile picture
Body and lifestyle data (optional):
- Height, weight
- Biological sex
- Fitness level
- Training equipment
- Nutrition preferences, allergies, intolerances
Nutrition diary:
- Meals (photos, text entries)
- Times, estimated nutritional values
- Water intake
Activities:
- Workouts, exercises, training plans
- Manual activity entries
3.2 Data via Apple HealthKit (optional, Art. 9 GDPR)
If you connect Apple HealthKit, Kivaia can read selected values. These are particularly sensitive and are processed only with your explicit consent.
- Vital signs: heart rate, HRV, resting heart rate, blood pressure, SpO₂, respiratory rate, body temperature
- Activity: steps, distance, active/basal calories, workout minutes, VO₂ Max
- Sleep: sleep duration, phases, mindfulness sessions
- Body composition: BMI, body fat, lean mass
This data is processed locally and is only transmitted to Google Gemini if you have separately consented to AI data processing (see 4.2).
3.3 Photo Data
- Meal and activity photos are stored locally in the app database.
- For meal analysis, the photo is temporarily transmitted to Google Gemini (see 4.2).
- GPS metadata is not extracted or stored from meal photos.
3.4 Technical Data
- Apple system crash reports: If you have consented in
iOS Settings → Privacy & Security → Analytics & Improvements → Share with App Developers, Apple forwards anonymised crash reports to us. We cannot draw conclusions about your person from them. You control this setting exclusively in iOS, not in Kivaia. - Proprietary telemetry: none.
3.4a Trial and Optional Sign in with Apple
To manage the trial, the app sends an Apple-signed AppTransaction JWS to our server. If you optionally use Sign in with Apple, the app may additionally send an Apple identity token to the server. The server verifies Apple's signature, app audience, and environment. We permanently store only:
- A pseudonymous identifier:
HMAC(AppTransaction ID or Apple subject, server secret) - Trial start and end time
- Technical metadata for trial management, e.g. source and environment
We store no email address, no name, no plain Apple ID, and no plain AppTransaction ID for this purpose. If you optionally use Sign in with Apple for profile prefill, the app may store the profile data provided by Apple locally in your profile.
When you choose Delete Account in the app, we delete active server-side trial/account bindings and, for accounts linked with Sign in with Apple, revoke the Apple authorization on the server. To prevent abuse and enforce the one-trial rule, after deletion we retain only a minimal, non-login proof that a free trial has already been used: a pseudonymous one-way identifier, deletion status, and deletion timestamp. This proof contains no Apple ID, no AppTransaction ID, no binding token, no profile, and no content, and it cannot be used as an active account.
3.5 Support and Contact Requests via kivaia.app
The website provides direct email links for support and privacy requests. When you contact us, we process the following data:
- Email address and name, if provided by you
- Message content and attachments, if you include any
- Technical email metadata, such as sent time and subject
Purpose: To answer your request, provide support for app, subscription, privacy, and shared-link topics, and document the communication where necessary.
Legal basis: Art. 6(1)(b) GDPR (contract or pre-contractual measures), Art. 6(1)(f) GDPR (communication, support, abuse prevention), and, where applicable, Art. 6(1)(c) GDPR (legal obligations).
Storage location: Support and contact requests are processed in our email systems. Public website areas do not store these messages.
Retention: We retain contact requests only as long as required for processing. Resolved requests are routinely deleted after no more than 24 months, unless legal retention obligations or legitimate proof interests require longer storage. You can request deletion informally at any time by emailing privacy@clayfactor.com.
3.6 Server log files (kivaia.app website)
When you access the kivaia.app website, our hosting provider IONOS SE stores server log files transmitted automatically by your browser. These contain:
- Browser type and version (user agent)
- Operating system
- Referrer URL
- IP address
- Time of server request
Server log files are stored for a maximum of 8 weeks and are then automatically deleted. This data is not merged with support or contact requests from §3.5 or other data sources.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and error-free operation of the website).
Processor agreement: A data processing agreement (Art. 28 GDPR) is in place with IONOS SE.
3.7 Actively Triggered Content Sharing
Kivaia offers features that let you actively share content from the app with others via a link. This currently applies to recipes (recipe sharing); further content types such as meals may follow. More sensitive content types will be assessed separately before being activated.
When you actively share a recipe, the app stores a temporary copy on our server in Germany and makes it available under a short, unlisted link. You then forward that link yourself to the people you want to share the recipe with.
What is stored on our server in this process:
- The content of the shared item (name, data, instructions) — scope depends on the content type
- For content with a photo: the photo, automatically resized to 1200×630 pixels and compressed to approximately 300 KB or less (JPG) on upload
- Creation and expiry timestamp (technically required to drive the automatic deletion)
To protect against abuse, the server additionally calculates a non-reversible SHA256 hash of your IP address, combined with a non-public salt, when a share is created. This hash is not stored in the recipe record; it is kept separately as a short-lived rate-limit counter and removed from active storage after no more than 24 hours.
What is not processed in this context:
- No user identifier, no email address, no account data
- No plain-text IP address
- No tracking cookies, no advertising or analytics scripts
- No referrer data, no recipient data — we do not know whom you share the link with
Note on the link: The link contains a random, 8-character ID and is therefore effectively unguessable; we do not index it and we exclude search engines via robots.txt. Because the content is accessible to anyone who has the link, there is no recipient restriction. Please only share recipes — including any photos — that you are comfortable forwarding.
Retention: Shared content and photos are automatically deleted from our webspace 30 days after creation. Deletion happens both opportunistically with every new share operation (lazy cleanup) and via an additional daily cleanup job. Both mechanisms permanently remove the data from active storage.
Backups: Our hosting provider IONOS performs rolling backups of our webspace with a retention window of 14 days. Recipe-share data is included in these backups. The maximum possible lifespan of a shared copy including backups is therefore 44 days, after which the data is irrecoverably gone across all backup tiers.
Access and erasure: Because a share operation does not store a user identifier, a meaningful access or erasure request requires that you yourself provide the specific share link (or the ID it contains). In that case, we can delete the corresponding entry on request before the 30 days have elapsed. Requests can be sent to privacy@clayfactor.com. This version of the feature does not offer an active in-app revocation option; the automatic expiry after 30 days is, however, guaranteed without exception.
Storage location: Data is stored exclusively on our webspace at IONOS SE (Elgendorfer Str. 57, 56410 Montabaur, Germany). The data centres used are located in Germany. No third-country transfer takes place; no US cloud provider is involved.
Legal basis:
- For providing the sharing function and storing the shared content: Art. 6(1)(b) GDPR (performance of contract — the feature is part of the app's service and is rendered exclusively in response to your active action).
- For the short-lived processing of the IP hash for rate-limiting purposes: Art. 6(1)(f) GDPR (legitimate interest in preventing abuse and protecting infrastructure availability).
Processor agreement: A data processing agreement (Art. 28 GDPR) is in place with IONOS SE for the hosting operation.
4. External Services and Processors
4.1 Apple HealthKit
HealthKit is an Apple component on your device. Data from HealthKit does not leave the device through HealthKit itself. Apple has its own privacy terms for it.
You manage permissions in iOS Settings → Privacy & Security → Health → Kivaia.
4.2 Google Gemini via Firebase AI Logic (AI Analysis)
For optional AI-supported features, Kivaia uses Google Gemini via Firebase AI Logic. The recipient is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, via Firebase AI Logic (Google/Firebase). Requests are routed through Firebase AI Logic/Firebase App Check so app requests are protected and are not sent through a Gemini key stored in the app.
Purpose: The main purpose is to provide personalised recommendations and AI assistance within the app, for example meal/photo analysis, nutrition and recipe suggestions, planning, companion responses, and activity, sleep, and recovery guidance.
Possible categories: Depending on the AI feature you use, photos, text/voice transcripts, companion content, meal and nutrition data, goals, dietary profile, activity, sleep, recovery, and body metrics may be transmitted. Not every category is transmitted with every request; Kivaia sends only the data needed for the specific AI feature.
Protection and storage: Kivaia does not send direct personal identifiers such as name, email address, Apple ID, trial identifier, or AppTransaction ID to Gemini and does not keep a Gemini request or response history on its own servers that is assigned to a locally stored user profile. Depending on the feature, requests may still contain app context such as goals, dietary profile, meal, activity, sleep, recovery, or body values. Google may log API requests and responses for a limited time under the Gemini logging rules.
Details: The full purposes, data categories, data minimisation rules, voice notes, and withdrawal consequences are available in the separate AI Data Processing document.
Optionality and withdrawal: AI features are optional. Manual tracking and non-AI features remain available without consent; photo analysis, companion, and other AI features stay disabled. You can revoke consent at any time in the app settings under “AI Data Processing”.
Role: Google is our processor (Art. 28 GDPR).
Third-country transfer:
- Google is certified under the EU-US Data Privacy Framework (adequacy decision of 10 July 2023).
- Additionally: EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Note: According to official Gemini documentation, prompts and responses are not used for product improvement by default unless the project owner actively shares them. Google may log requests and AI responses for a limited time, including to detect abuse and meet legal obligations.
More: https://policies.google.com/privacy
More about Gemini logging: https://ai.google.dev/gemini-api/docs/logs-policy
4.3 Apple iCloud (optional)
If you enable iCloud sync, your app data is mirrored to your private iCloud database. Synchronisation is controlled separately through your Apple/iCloud settings:
- Default setting: disabled
- Storage location: your private iCloud — we have no access
- Encryption: in transit and at rest
- Purpose: sync between your Apple devices
Apple acts as a processor for you here, not for us. More: https://www.apple.com/legal/privacy/
4.4 Open Food Facts (optional)
When you scan a food barcode, the app queries Open Food Facts using only the barcode — a non-profit, open database. No personal data is transmitted.
https://world.openfoodfacts.org/
4.5 USDA FoodData Central (optional)
For food text search, the app queries the public US food database USDA FoodData Central. Only the search term and, where applicable, a brand name are transmitted — no account or health data. The request is routed through our own server proxy on Google Firebase infrastructure in Frankfurt (EU); your device never communicates with USDA directly. To prevent abuse, the app verifies its integrity via Apple App Attest (Firebase App Check); the device attestation token processed in this step does not allow any conclusions about you or your content.
4.6 Bundeslebensmittelschlüssel (BLS)
The official German food database is bundled locally with the app. No network transmission takes place.
5. Legal Bases
| Processing | Legal basis |
|---|---|
| Provision of app features (input, local storage) | Art. 6(1)(b) GDPR (performance of contract) |
| Support and contact requests via kivaia.app | Art. 6(1)(b) GDPR (contract / pre-contractual measures); Art. 6(1)(f) GDPR (communication, abuse prevention); where applicable Art. 6(1)(c) GDPR |
| HealthKit integration | Art. 6(1)(a) + Art. 9(2)(a) GDPR (explicit consent) |
| AI analysis via Google Gemini | Art. 6(1)(a) GDPR (consent); for health context additionally Art. 9(2)(a) |
| Food database lookups (Open Food Facts, USDA via our own proxy) incl. app integrity check | Art. 6(1)(b) GDPR (performance of contract); integrity check: Art. 6(1)(f) GDPR (abuse prevention) |
| iCloud sync | Art. 6(1)(a) GDPR (consent) |
| Apple system crash reports | Art. 6(1)(f) GDPR (legitimate interest); controlled via iOS |
| Actively triggered content sharing (30-day storage) | Art. 6(1)(b) GDPR (performance of contract); rate-limit hash: Art. 6(1)(f) GDPR |
| Trial management and optional Sign in with Apple | Art. 6(1)(b) GDPR (performance of contract); Art. 6(1)(f) GDPR (abuse prevention) |
| Premium contract handling | Art. 6(1)(b) GDPR (Apple handles payment processing) |
6. Storage Location and Retention
- Locally on your device: as long as you have the app installed. Upon uninstallation, all local app data is removed by iOS.
- iCloud (when enabled): in your private iCloud, controlled by your iCloud settings.
- Google Gemini: Kivaia does not store Gemini request and response contents on its own servers. Google may log API requests and responses for a limited time under the Gemini logging rules; details are available in AI Data Processing.
- With us (health, activity, and journal data): we do not store this data on servers of our own. For trial management we store only the pseudonymous identifier and trial timestamps described above; after account deletion, only this minimal proof that the free trial has already been used is retained for as long as the one-trial rule applies.
- Shared content (sharing features): on our IONOS webspace in Germany, 30 days from creation, then automatically deleted; backup lifespan max. 44 days (see §3.7).
- Support and contact requests: in our email systems, only as long as required for processing; resolved requests are routinely retained for no more than 24 months unless legal retention obligations or legitimate proof interests apply (see §3.5).
Tax and commercial-law-relevant data (invoicing and contract data for Premium): Apple, as the contract partner for payment, handles these. We do not receive personal data about the buyer from Apple.
7. Your Rights
7.1 What You Can Do Yourself at Any Time
- Delete app data: uninstall the app — local data is removed by iOS. iCloud copies are deleted in iOS iCloud settings.
- Delete Account: Settings → “Privacy & Data” → “Delete Account” removes your Kivaia account connection, local Kivaia product data from SwiftData stores, profile, goals, preferences, meals, activities, locally stored HealthKit import copies, sensitive local health data, AI-derived content, local caches, App Group user preferences, local reminders derived from Kivaia data, and server-side binding tokens. For Sign in with Apple, you confirm deletion again with Apple; Kivaia revokes the Apple authorization on the server. Kivaia then starts in onboarding again.
- What account deletion does not delete: Apple Health source data, StoreKit subscriptions/purchases/transactions/entitlements, iCloud copies, and already shared recipe links. For the one-trial rule, only this minimal proof remains; it is not an account and cannot start a new trial.
- Revoke HealthKit access: iOS Settings → Privacy & Security → Health → Kivaia
- Disable iCloud sync: app settings
- Disable AI data processing: app settings → “AI Data Processing”
7.2 Your Rights Under GDPR
- Access (Art. 15): privacy@clayfactor.com
- Rectification (Art. 16): directly in the app or by email
- Erasure (Art. 17): see 7.1 — you delete local app data and active account bindings directly in the app; the minimal trial proof is retained only as necessary for abuse prevention. Server-side contact, share, and log data is deleted on request unless legal or technical retention reasons apply.
- Restriction (Art. 18): privacy@clayfactor.com
- Data portability (Art. 20): You can export your local app data in the app under Settings → “Privacy & Data” as a ZIP file. The export contains structured JSON data for profile, nutrition, activity, locally imported HealthKit data, AI-derived content and media, where productively maintained in Kivaia. Apple Health source data is exported directly from the Health app; for server-side trial, contact, share and log data, you can request access or deletion by emailing privacy@clayfactor.com.
- Objection (Art. 21): privacy@clayfactor.com
- Withdrawal of consent (Art. 7(3)): see 7.1, possible at any time
7.3 Right to Lodge a Complaint
You may lodge a complaint with a supervisory authority. The authority responsible for us is:
Unabhängiges Datenschutzzentrum Saarland
The State Commissioner for Data Protection and Freedom of Information
Fritz-Dobisch-Straße 12, 66111 Saarbrücken, Germany
Email: poststelle@datenschutz.saarland.de
Website: https://www.datenschutz.saarland.de/
8. Minimum Age
Kivaia is not intended for persons under 16 years of age. This corresponds to the GDPR standard for independent consent in Germany.
Single age threshold: Kivaia's App Store age rating is deliberately set to 16+ — aligned with the GDPR minimum age stated here. This means the legal consent threshold and technical access through the App Store age rating, Screen Time, and Family Sharing refer to the same age threshold.
We deliberately do not run our own age check. By using the app, you confirm that you are at least 16 years old. If we receive concrete indications that a person under 16 is using the app, we block access and delete the associated data.
9. Data Security
- Encryption locally (iOS Data Protection) and in transit (TLS 1.3)
- Secure authentication via Sign in with Apple
- Secure Enclave for security-critical keys
- Data minimisation as a founding principle
In the unlikely event of a data breach, we will report it to the supervisory authority within 72 hours and inform affected users where there is a high risk.
10. Changes to This Privacy Policy
We update this policy when app features or the legal landscape change. We will inform you of significant changes at least 30 days before they take effect via in-app notification. The current version is always available in the app under Settings → “Privacy”.
11. Summary by Data Type
| Data type | Storage location | Transmitted to whom? | Legal basis |
|---|---|---|---|
| Profile data | Local / iCloud (optional) | — | Contract |
| Meals + photos | Local / iCloud (optional) | Google Gemini for photo/companion analysis | Consent |
| HealthKit values | Local | Google Gemini only with AI consent | Explicit consent |
| Workouts / activities | Local / iCloud (optional) | — | Contract |
| Pseudonymous trial identifier / used-trial proof | IONOS webspace Germany | — | Contract / legitimate interest |
| Apple crash reports | Apple (anonymous, aggregated) | — | Legitimate interest |
| Shared content (name, data, instructions, optional photo) | IONOS webspace (DE), max. 30 days | — | Contract |
| Support/contact request (email, content, voluntary details) | Email systems of ClayFactor GmbH | — | Contract / legitimate interest / where applicable legal obligation |
12. Authoritative Version
This is an English translation of the German original. In case of any discrepancies between the German and English versions, the German version shall prevail.
13. Contact
ClayFactor GmbH
Herderstraße 38
66292 Riegelsberg, Germany
Email: privacy@clayfactor.com
We typically respond within 14 days.
Effective: June 2026
← Back to Kivaia overview