Privacy Policy

Effective 2026-05-02

Who we are

Kinesia is a clinical reasoning assistant for licensed Physical Therapists, operated at https://kinesia.ai. References to "Kinesia," "we," or "us" mean Kinesia and its operators. References to "you" mean a clinician using Kinesia, an organization purchasing Kinesia for its clinicians, or a visitor to our website.

Information we collect

Account data: name, email, professional title, organization, role, and password (stored hashed).

Usage data: timestamps, the prompts you submit, the answers we return, and the citations referenced — used to operate the service, generate audit logs required by your organization, and improve quality.

Technical data: IP address, user agent, and other request metadata used for security, abuse prevention, and rate limiting.

We do not require, and ask clinicians not to submit, identifiable patient information. Use generic descriptors (age range, sex, presentation) when discussing cases.

How we use information

To deliver answers to your clinical questions and stream those answers to your client.

To operate per-organization audit logging for compliance reasons.

To secure the service against abuse and unauthorized access.

To communicate with administrators about their account and the service.

We do not sell personal information. We do not use your prompts to train third-party models.

Service providers

Anthropic: model inference. Prompts and responses are processed by Anthropic under their commercial API terms; Anthropic does not train models on commercial API traffic.

Railway: application hosting and infrastructure.

Cloudflare: DNS and edge networking.

Where required, we maintain Business Associate Agreements with subprocessors before any PHI access. See /compliance for current status.

Data retention

Conversation history is retained for the lifetime of your account so you can review past answers.

Audit log entries are retained for at least 6 years to support HIPAA compliance.

You may request deletion of your account and associated data by emailing [email protected]. We will fulfill verified requests within 30 days, subject to retention obligations.

Security

TLS 1.3 in transit, AES-256 at rest. Tokens stored in iOS Keychain on mobile clients; HTTP-only cookies on web. Bearer-token sessions, scoped per organization. Tamper-evident audit logging on PHI events.

See /security for the full architecture writeup.

Your rights

Access, correction, portability, and deletion rights are honored. EU/UK residents may exercise rights under GDPR/UK GDPR; California residents under CCPA/CPRA.

To exercise any right, email [email protected] with the email address on your account. We will respond within 30 days.

Children

Kinesia is intended for licensed clinicians. We do not knowingly collect data from anyone under 18.

Changes

We will post material changes to this page and update the effective date. Continued use after a change means you accept the revised policy.

Contact

Privacy questions: [email protected]. Security disclosures: [email protected].