Data Safety

Last updated: December 12, 2025

At Kroton AI, we prioritize the security and privacy of your personal information. This Data Safety page outlines our practices for collecting, storing, processing, and protecting your data.

1. Data Collection Practices

We collect and process the following types of data:

• Account Information: Email address, name, and authentication credentials (password hashes, OAuth tokens)
• Health and Fitness Data: Workout logs, exercise history, nutrition tracking, body measurements, and progress photos (all optional)
• AI Interaction Data: Conversations with our AI assistant, prompts, and generated workout plans
• Usage Data: App usage patterns, feature interactions, session duration, and device information
• Payment Information: Payment processing is handled by Stripe; we do not store credit card details on our servers

2. Data Storage and Security

We implement industry-standard security measures to protect your data:

• Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
• Cloud Infrastructure: Data is stored on AWS servers in secure data centers with physical security controls
• Access Controls: Role-based access control (RBAC) ensures only authorized personnel can access user data
• Database Security: PostgreSQL databases with encrypted connections, regular backups, and point-in-time recovery
• Authentication: Passwords are hashed using bcrypt with salt rounds; OAuth2 for third-party authentication
• Regular Audits: Security audits and vulnerability assessments conducted regularly

3. Data Processing and AI

Your fitness and health data may be processed by our AI systems to provide personalized recommendations:

• Local Processing: Where possible, data is processed within our secure infrastructure
• Third-Party AI Models: We use Anthropic's Claude AI for generating workout plans and fitness advice. Data sent to AI providers is processed according to their data processing agreements
• Anonymization: Personal identifiers are removed when data is used for model training or analytics
• Retention Limits: AI conversation data is retained for service improvement but can be deleted upon request

4. User Data Controls

You have full control over your data:

• Access: View all personal data we have collected about you through your account settings
• Export: Download a copy of your data in machine-readable format (JSON)
• Deletion: Request complete deletion of your account and all associated data
• Correction: Update or correct inaccurate personal information at any time
• Opt-Out: Disable specific data collection features (e.g., usage analytics) in settings

5. Data Sharing and Third Parties

We do not sell your personal data. Data is only shared with:

• Service Providers: AWS (hosting), Stripe (payments), Anthropic (AI), Vercel (hosting) - all under strict data processing agreements
• Legal Requirements: When required by law, court order, or government regulation
• Business Transfers: In the event of a merger or acquisition (users will be notified)

We never share your health or fitness data with advertisers or marketing companies.

6. Compliance and Certifications

Our data practices comply with:

• GDPR: General Data Protection Regulation (European Union)
• CCPA: California Consumer Privacy Act
• HIPAA-Awareness: While not a covered entity, we follow HIPAA-style security practices for health data
• SOC 2 Type II: (In progress) Third-party security audit for cloud services

7. Data Breach Procedures

In the unlikely event of a data breach:

• We will notify affected users within 72 hours via email
• Regulatory authorities will be informed as required by law
• We will provide details about the breach, affected data, and mitigation steps
• Free credit monitoring or identity protection services may be offered if warranted

8. Children's Data Safety

Our service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, contact us immediately for removal.

9. International Data Transfers

Data may be transferred and processed in countries outside your jurisdiction. We ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements (DPAs) with all third-party processors
• Adherence to Privacy Shield principles (where applicable)

10. Updates to This Policy

We may update this Data Safety page periodically. Material changes will be communicated via email and in-app notifications. Continued use of the service after changes constitutes acceptance.

11. Contact Us

For questions, concerns, or data requests regarding your data safety:

• Email: privacy@krotonai.com
• Data Protection Officer: dpo@krotonai.com
• Support Portal: Submit a ticket through your account settings

We are committed to addressing data safety concerns within 30 days of receipt.

By using Kroton AI, you acknowledge that you have read and understood this Data Safety policy and consent to our data practices as described.