Privacy Policy

Privacy Policy

Last Updated: April 3, 2026

This Privacy Policy explains how Tesselabs LLC, operating as Kinali ("we," "us," or "our"), collects, uses, shares, and protects your personal information when you use our family caregiving coordination platform ("Service"). This policy applies to all users worldwide, with jurisdiction-specific provisions for users in the European Union (including Spain), Argentina, Mexico, and the United States.

By using the Service, you consent to the data practices described in this Privacy Policy.

1. Introduction and Scope

Kinali processes highly sensitive information, including:

• Protected Health Information (PHI): Medical records, diagnoses, medications, lab results, appointment notes
• Personal Identifiable Information (PII): Names, photos, identity documents, voice recordings
• Children's data: Health and personal information of minors
• AI-processed data: Voice transcriptions, OCR from documents, AI-extracted medical data

We take your privacy seriously and are committed to transparency about our data practices.

2. Data Controller Information

Data Controller: Tesselabs LLC 1209 Mountain Road PL NE, STE R, Albuquerque, NM 87110, USA hello@tesselabs.com

Data Protection Officer (DPO) — EU/Spain Users: Guillermo Pascual dpo@tesselabs.com

Privacy Contact: For privacy questions or to exercise your rights, contact us at hello@tesselabs.com.

3. Legal Basis for Processing

We process your personal data under the following legal bases, depending on your jurisdiction:

For EU/EEA/Spain Users (GDPR):

• Consent: For processing health data, children's data, and AI processing
• Contract Performance: To provide the Service you've subscribed to
• Legitimate Interests: To improve the Service, prevent fraud, ensure security

For Argentina Users (LPDP 25.326):

• Explicit Consent: Required for sensitive data (health records)
• Written Consent: For international data transfers

For Mexico Users (LFPDPPP):

• Express Written Consent: Required for sensitive data processing
• Implied Consent: For non-sensitive operational data

For US Users (CCPA, COPPA, State Laws):

• Consent: For data collection and sharing
• Parental Consent: For children under 13 (COPPA requirement)

You may withdraw consent at any time by contacting us, but this may affect your ability to use the Service.

4. Types of Data We Collect

4.1 Account and Profile Data

• Email address (required for account creation)
• Name and profile information
• Preferred language/locale (es-AR, es-MX, es-ES, en-US)
• Account settings and preferences
• Date of consent to Terms and Privacy Policy

4.2 Health Information (Highly Sensitive)

• Medical diagnoses and conditions
• Medications, dosages, and prescriptions
• Allergies and adverse reactions
• Medical appointment notes and summaries
• Lab results and test reports
• Healthcare provider information
• Medical history and treatment plans
• Symptoms and health observations

Important: This data is considered "sensitive personal data" or "special category data" under GDPR, LPDP, LFPDPPP, and other privacy laws. We collect it only with your explicit consent.

4.3 Personal Documents and Images

• Identity documents (IDs, passports, insurance cards)
• Medical records (PDFs, images, scanned documents)
• Photos of medications, medical equipment, or care environments
• Medical certificates and prescriptions

4.4 Voice Recordings and Transcriptions

• Audio recordings you create in the app
• AI-generated transcriptions of voice notes (processed by Google Gemini via Vertex AI)
• Text extracted from audio

4.5 AI-Processed and Extracted Data

• Text extracted from images via OCR (processed by Google Gemini via Vertex AI)
• Structured medical data extracted by AI from unstructured notes
• AI-generated summaries or categorizations

4.6 Care Circle and Sharing Data

• Care Circle membership information
• Permissions and access levels granted to other users
• Shared health records and documents

4.7 Usage and Analytics Data

• Device information (type, OS, browser)
• IP address and geolocation (for regional settings)
• Usage patterns (features used, pages visited, time spent)
• Error logs and crash reports

4.8 Cookies and Tracking Technologies

• Session cookies (to maintain login state)
• Preference cookies (language, theme settings)
• Analytics cookies (to understand Service usage)

See Section 14 for details on cookies and tracking.

5. How We Collect Data

We collect data through:

• Direct Input: Information you manually enter into the Service
• File Uploads: Documents, images, and audio files you upload
• Voice Recording: Audio captured through the app's recording feature
• AI Processing: Data extracted automatically from your uploads (transcription, OCR)
• Automatic Collection: Usage data, device information, cookies
• Third-Party Integrations: Data from third-party service providers used to deliver the Service

6. How We Use Your Data

We use your personal data for the following purposes:

6.1 Service Provision

• Create and maintain your account
• Store and organize your health information
• Process voice recordings and transcribe audio (via Google Gemini)
• Extract text from images and documents (via Google Gemini OCR)
• Structure and categorize medical data using AI
• Enable Care Circle sharing and collaboration
• Provide calendar and appointment management
• Send service-related notifications

6.2 Communication

• Send important service updates
• Respond to support requests
• Notify you of policy changes
• Send marketing communications (with your consent, opt-out available)

6.3 Service Improvement and Analytics

• Analyze usage patterns to improve features
• Identify and fix bugs
• Conduct research and development
• Improve AI accuracy

6.4 Security and Fraud Prevention

• Detect and prevent unauthorized access
• Investigate security incidents
• Comply with legal obligations

6.5 Legal Compliance

• Respond to lawful requests from authorities
• Enforce our Terms of Service
• Comply with court orders or regulatory requirements

7. Third-Party Data Sharing and Processors

We share your data with the following third-party service providers. Each processor operates under a Data Processing Agreement (DPA) and is contractually required to protect your data.

7.1 Google Cloud (Gemini via Vertex AI) — Multimodal AI Processing

• What we share: Voice recordings, images, documents, and text data you submit for AI processing
• Purpose: Voice transcription, OCR, medical data extraction and structuring
• Data location: United States
• DPA: Google Cloud Data Processing Addendum (last modified November 8, 2023)
• BAA: HIPAA Business Associate Addendum in place (covers Vertex AI as a Covered Service)
• AI Training: Google does not use customer data to train its AI models under the Cloud Data Processing Addendum
• Retention: Data is processed transiently and not retained by Google beyond processing

7.2 Supabase — Database, Storage, and Authentication

• What we share: All data stored in the Service (health records, documents, account data)
• Purpose: Database hosting, file storage, user authentication
• Data location: United States (us-east-1, North Virginia)
• Retention: Ongoing while you use the Service
• DPA: Supabase User DPA, signed March 12, 2026. Acknowledges processing of special categories of personal data including health data and data of minors
• Subprocessors: AWS (Amazon Web Services) — as set out in Schedule 3 of the DPA

7.3 Cloudflare — Web Hosting and Security

• What we share: Web traffic and API requests
• Purpose: Host web application, provide CDN and security services
• Data location: Global edge network (with data residency options)
• DPA: Cloudflare Customer DPA v6.3 (June 20, 2025). Includes EU Standard Contractual Clauses, UK International Data Transfer Addendum, and Data Privacy Framework certification

7.4 Resend — Transactional Email

• What we share: Email addresses and email content (service notifications, OTP codes)
• Purpose: Send transactional emails (account verification, notifications)
• Data location: United States
• DPA: Resend Data Processing Addendum (December 31, 2025). Includes EU and UK Standard Contractual Clauses
• Subprocessors: Listed at resend.com/legal/subprocessors

7.5 PostHog — Product Analytics

• What we share: Usage patterns, device information, and anonymized interaction data
• Purpose: Understand how users interact with the Service, improve features
• Data location: United States
• DPA: PostHog Data Processing Agreement, signed April 2, 2026. Includes EU Standard Contractual Clauses (Module 2, controller-to-processor)
• Note: We do not send health data, medical information, or personally identifiable health records to PostHog

8. International Data Transfers

8.1 Where Your Data is Stored and Processed

Your data is transferred to and processed in the United States, regardless of where you are located. This includes:

• Google Cloud (Vertex AI) processing — United States
• Supabase hosting (database and storage) — us-east-1 East US (North Virginia)
• Cloudflare Workers (web hosting) — Global edge network
• Resend email processing — United States
• PostHog analytics — United States

8.2 Safeguards for International Transfers

For EU/EEA/Spain Users (GDPR Article 46):

• We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to the US. SCCs are incorporated into DPAs with all processors:
  • Google Cloud: Cloud Data Processing Addendum includes SCCs (Appendix 3 — covering European Data Protection Law and CCPA)
  • Supabase: User DPA includes EU Standard Contractual Clauses (Module 2, controller-to-processor)
  • Cloudflare: Customer DPA v6.3 includes EU SCCs, UK International Data Transfer Addendum, and Data Privacy Framework certification
  • Resend: Data Processing Addendum includes EU and UK Standard Contractual Clauses
  • PostHog: Data Processing Agreement includes EU Standard Contractual Clauses (Module 2, controller-to-processor)
• Transfer Impact Assessments should be conducted for all processors handling EU data

For Argentina Users (LPDP Article 12):

• We obtain your explicit written consent for cross-border transfers
• We ensure processors provide adequate data protection safeguards

For Mexico Users (LFPDPPP Article 37):

• We obtain your express consent for international transfers
• We inform you of the countries where your data will be processed

8.3 Your Rights Regarding International Transfers

You have the right to:

• Know where your data is stored and processed (see Section 8.1)
• Object to international transfers (may limit Service functionality)
• Request a copy of the safeguards in place (SCCs, DPAs)
• Withdraw consent for transfers (may result in account termination)

9. Data Retention and Deletion Policies

9.1 How Long We Retain Your Data

9.2 Soft Deletes vs. Hard Deletes

Current Implementation (as of February 17, 2026):

• Our database uses "soft deletes" — deleted records are marked with deleted_at timestamp but NOT permanently removed
• Storage files (images, audio) currently persist even after record deletion

IMPORTANT - GDPR/LPDP Compliance Issue: This soft delete approach does NOT fully comply with GDPR Article 17 ("Right to Erasure") or Argentina LPDP Article 16 (deletion rights), which require actual deletion.

Our Commitment:

• We are implementing a true hard delete process
• When you exercise your "Right to be Forgotten," we will permanently delete your data within 30 days (except data we are legally required to retain)
• Until hard delete is implemented, you can request manual permanent deletion by contacting our DPO

9.3 Data Deletion Upon Account Termination

When you delete your account:

• You have 30 days to change your mind or export your data
• After 30 days, your data will be permanently deleted (except legally required records)
• Shared data in Care Circles may be retained if other members still have access rights

9.4 Third-Party Data Retention

We cannot control how long third-party processors (Google Cloud, Supabase, Cloudflare, Resend, PostHog) retain your data. See Section 7 for each processor's retention policies.

Your Rights: You can request deletion from third-party processors directly or ask us to facilitate the request.

10. Your Privacy Rights (By Jurisdiction)

Your rights vary based on your location. Below are the rights available to you under applicable laws.

10.1 Rights for EU/EEA/Spain Users (GDPR)

You have the right to:

1. Access: Request a copy of your personal data
2. Rectification: Correct inaccurate or incomplete data
3. Erasure ("Right to be Forgotten"): Request deletion of your data
4. Restriction of Processing: Limit how we use your data
5. Data Portability: Receive your data in a machine-readable format
6. Object to Processing: Object to data processing based on legitimate interests
7. Withdraw Consent: Withdraw consent for data processing at any time
8. Automated Decision-Making: Not be subject to decisions based solely on automated processing (including AI)

Response Time: We will respond to requests within 1 month (extendable to 3 months for complex requests).

How to Exercise Rights: Email our DPO at dpo@tesselabs.com or use the data export/deletion features in your account settings.

Complaint Rights: If you believe we have violated your rights, you may lodge a complaint with your national data protection authority:

• Spain: Agencia Española de Protección de Datos (AEPD) — www.aepd.es
• Other EU countries: See https://edpb.europa.eu/about-edpb/board/members_en

10.2 Rights for Argentina Users (LPDP 25.326)

You have the ARCO Rights:

1. Access (Acceso): Request information about what data we hold about you
2. Rectification (Rectificación): Correct inaccurate data
3. Update (Actualización): Update outdated data
4. Deletion (Supresión): Request deletion of your data

Response Time: We will respond to requests within a reasonable timeframe (best practice: 10 business days).

How to Exercise Rights: Email hello@tesselabs.com with your request.

Complaint Rights: File a complaint with Argentina's Data Protection Authority:

• Agencia de Acceso a la Información Pública (AAIP): www.argentina.gob.ar/aaip

10.3 Rights for Mexico Users (LFPDPPP)

You have the ARCO Rights:

1. Access (Acceso): Request access to your personal data
2. Rectification (Rectificación): Correct inaccurate or incomplete data
3. Cancellation (Cancelación): Request deletion of your data
4. Opposition (Oposición): Object to certain data processing

Response Time: We will respond within 20 business days of receiving your request.

How to Exercise Rights: Email hello@tesselabs.com or use our ARCO Rights Request Form [TBD: create form].

Complaint Rights: File a complaint with Mexico's Data Protection Authority:

• Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI): www.inai.org.mx

10.4 Rights for California (US) Users (CCPA/CPRA)

You have the right to:

1. Know: Request disclosure of what personal information we collect, use, and share
2. Access: Request a copy of your personal information
3. Delete: Request deletion of your personal information
4. Opt-Out of Sale: We do NOT sell personal information, but you can opt-out if we ever do
5. Non-Discrimination: We will not discriminate against you for exercising your rights

Response Time: We will respond within 45 days (extendable to 90 days for complex requests).

How to Exercise Rights: Email hello@tesselabs.com or call [toll-free number, TBD].

Do Not Sell My Personal Information: We do not sell personal information. If this changes, we will update this policy and provide an opt-out mechanism.

10.5 Data Export and Portability

All users (regardless of location) can request a machine-readable export of their data in JSON format. Contact us at hello@tesselabs.com to request an export.

11. Children's Data and Parental Consent

11.1 Age Requirements

• Users 18 and older: May use the Service independently
• Users under 18: May use the Service only with parental/guardian involvement and consent
• Children under 13 (US/COPPA): Require verifiable parental consent

11.2 Parental Consent Requirements

For Children Under 13 (US Users):

• We comply with COPPA (Children's Online Privacy Protection Act)
• Parents must provide verifiable parental consent before we collect a child's data
• COPPA Compliance Deadline: April 22, 2026 (new COPPA rules take effect)
• Parents can review, request deletion, or refuse further collection of their child's data

For Children Under 13-16 (EU Users):

• GDPR requires parental consent for children under the age of consent (13-16, varies by country)
• In Spain, the age of consent is 14 years
• Parents must consent to data processing for children under the applicable age

Current Status (as of February 17, 2026):

• Age verification mechanism: [TBD — implement before launch]
• Parental consent process: [TBD — implement before launch]

11.3 Parental Rights

Parents/guardians have the right to:

• Access their child's data
• Request deletion of their child's data
• Withdraw consent at any time
• Control who can access the child's information in Care Circles

11.4 Age Transition Policies

When a child reaches the age of majority (13, 16, or 18, depending on jurisdiction):

• [TBD — define process for transitioning account control to the individual]
• Notify parents and the individual of the transition
• Obtain consent from the now-adult individual for continued data processing

11.5 Sensitive Health Data for Minors

Special considerations for adolescent health data (reproductive health, mental health):

• [TBD — define policies for adolescent privacy rights in sensitive health matters]
• Balance parental rights with adolescent privacy as required by law

12. Data Security Measures

We implement industry-standard security measures to protect your data:

12.1 Technical Safeguards

• Encryption at Rest: All data stored in Supabase is encrypted using AES-256
• Encryption in Transit: All data transmitted over HTTPS/TLS 1.3
• Access Controls: Row-Level Security (RLS) policies in Supabase to restrict data access
• Authentication: Secure user authentication via Supabase Auth
• Password Protection: Passwords hashed using bcrypt

12.2 Organizational Safeguards

• Access Restrictions: Only authorized personnel can access production data
• Data Minimization: We collect only data necessary for the Service
• Regular Security Audits: [TBD — define audit schedule]
• Employee Training: Staff trained on data protection and privacy

12.3 Limitations

No system is 100% secure. Despite our efforts, we cannot guarantee absolute security. You acknowledge that:

• Unauthorized access, breaches, or data loss may occur
• You use the Service at your own risk
• You are responsible for maintaining the security of your account credentials

13. Data Breach Notification

In the event of a data breach that affects your personal information:

13.1 Notification to Authorities

• EU/Spain: We will notify the relevant supervisory authority within 72 hours (GDPR Article 33)
• US (HIPAA, if applicable): Notification to HHS within 60 days for breaches affecting 500+ people
• Mexico: Notification "without delay" if the breach has significant impact (LFPDPPP)

13.2 Notification to Users

• We will notify affected users without undue delay via email or in-app notification
• Notification will include:
  • Nature of the breach
  • Types of data affected
  • Steps we are taking to address the breach
  • Steps you can take to protect yourself

14. Cookies and Tracking Technologies

14.1 Types of Cookies We Use

• Essential Cookies: Required for login, session management, and core functionality (cannot be disabled)
• Preference Cookies: Remember your language, theme, and settings
• Analytics Cookies: Help us understand how the Service is used (PostHog)

14.2 Third-Party Cookies

We may use third-party analytics providers that set their own cookies. See their privacy policies:

• PostHog: https://posthog.com/privacy

14.3 Cookie Consent and Management

• EU/Spain Users: We will obtain your consent before placing non-essential cookies (ePrivacy Directive)
• All Users: You can manage cookie preferences in your browser settings
• Disabling cookies may affect Service functionality

15. Automated Decision-Making and Profiling

15.1 AI-Powered Features

The Service uses AI to:

• Transcribe voice recordings (Google Gemini via Vertex AI)
• Extract text from images (Google Gemini via Vertex AI)
• Categorize and structure medical data

15.2 Human Review

AI outputs are suggestions only and are NOT used for:

• Automated medical decision-making
• Automated decisions that significantly affect you

You always have the opportunity to review, correct, and override AI-generated content.

15.3 Right to Object (GDPR)

EU users have the right to object to automated processing and request human review. Contact our DPO to exercise this right.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes:

• We will update the "Last Updated" date at the top of this policy
• For material changes, we will notify you via email or in-app notification at least 30 days in advance
• Continued use of the Service after changes take effect constitutes acceptance of the updated policy

We encourage you to review this policy periodically.

17. Consent Management

17.1 How We Obtain Consent

• Account Creation: You provide consent by accepting this Privacy Policy and our Terms of Service during signup
• Granular Consent: You can control specific consents (e.g., AI processing, analytics) in account settings [TBD: implement consent management UI]

17.2 Withdrawing Consent

You may withdraw consent at any time by:

• Adjusting settings in your account
• Contacting us at hello@tesselabs.com

Effect of Withdrawal: Withdrawing consent may limit Service functionality or require account termination.

18. Health Data and HIPAA

Kinali is designed for families coordinating care for loved ones. Kinali is not a healthcare provider, health plan, or healthcare clearinghouse, and is not a "Covered Entity" or "Business Associate" under the U.S. Health Insurance Portability and Accountability Act (HIPAA).

We recognize that the information you store in Kinali — including medications, medical notes, and health observations — is sensitive. We protect it with industry-standard security measures including encryption in transit and at rest, role-based access controls, and contractual data protection obligations with our service providers.

We have executed a HIPAA Business Associate Addendum (BAA) with Google Cloud Platform, which processes AI-related features (voice transcription, OCR, data structuring) through Vertex AI. We maintain Data Processing Agreements with all other infrastructure providers (Supabase, Cloudflare, Resend, PostHog).

However, Kinali does not represent itself as HIPAA-compliant. Full HIPAA compliance requires organizational policies, workforce training, risk assessments, and audit controls beyond the scope of a BAA. Additionally, not all of our service providers have executed BAAs.

If you are a healthcare professional, do not use Kinali to store or process Protected Health Information (PHI) that you handle in your professional capacity.

Kinali complies with applicable consumer health data protection obligations, including the FTC Health Breach Notification Rule, which applies to consumer health data maintained by non-HIPAA entities.

19. Contact Information and Complaints

19.1 General Privacy Questions

Email: hello@tesselabs.com Registered Office: 1209 Mountain Road PL NE, STE R, Albuquerque, NM 87110, USA

19.2 Data Protection Officer (EU/Spain Users)

Name: Guillermo Pascual Email: dpo@tesselabs.com

19.3 Supervisory Authorities

You have the right to lodge a complaint with your local data protection authority:

• Spain (AEPD): www.aepd.es
• Argentina (AAIP): www.argentina.gob.ar/aaip
• Mexico (INAI): www.inai.org.mx
• EU Member States: See https://edpb.europa.eu/about-edpb/board/members_en

19.4 US State-Specific Contacts

• California Attorney General (CCPA): oag.ca.gov/privacy
• FTC (COPPA): www.ftc.gov

By using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and sharing of your personal information as described herein.