Privacy Policy

Effective February 20, 2026  ·  Last updated February 20, 2026

Kinpath is built for parents and parents-to-be. We understand that the information you share with us about your family, your child, and your parenting journey is deeply personal. This policy explains exactly what we collect, why, and how we protect it.

The short version

  • We never sell your personal data to anyone, ever.
  • We do not store health records or medical data.
  • You can delete your account and all associated data at any time.
  • We use your information only to provide and improve Kinpath.

1 Who We Are

Kinpath Family, LLC (“Kinpath,” “we,” “us,” or “our”) operates the Kinpath website and mobile-optimized web application located at kinpath.family (the “Service”). Kinpath provides evidence-based parenting resources, personalized guidance, and family planning tools for parents and parents-to-be from pregnancy through early childhood.

This Privacy Policy applies to all users of the Service. By using Kinpath, you agree to the collection and use of information described in this policy.

2 Information We Collect

We collect information you provide directly, information collected automatically when you use the Service, and information from third-party authentication providers.

2.1 Information You Provide Directly

| Data type | Examples / details | Why we collect it |
| --- | --- | --- |
| Account information | Email address, display name, password (hashed, never stored in plain text) | Create and manage your account |
| Child profile | Child's name or nickname, date of birth or due date, whether the baby has been born | Personalize content to your child's developmental stage |
| Parenting preferences | Birth preference, feeding approach, vaccine stance, dietary preference, parenting philosophy, topics of interest, religious or spiritual tradition | Tailor resource recommendations to your family's values |
| Chat messages | Questions and follow-up messages you type in the chat feature | Provide AI-assisted answers; store saved conversations at your request |
| Family / household data | Partner's email address, partner's display name (Family tier only) | Send household invitations and enable shared access |
| Notification preferences | Weekly digest opt-in, email frequency settings | Send only the communications you want |

2.2 Information Collected Automatically

| Data type | Examples / details | Why we collect it |
| --- | --- | --- |
| Usage data | Pages visited, features used, time spent, resources viewed | Understand how the Service is used so we can improve it |
| Device & browser data | Browser type, operating system, screen resolution, language setting | Ensure the Service works correctly on your device |
| Log data | IP address, referring URL, timestamps | Security monitoring and debugging |
| Authentication tokens | Supabase session cookies used to keep you logged in | Maintain a secure, persistent login session |

2.3 Information from Third Parties

If you sign in using Google or Apple, we receive your name and email address from those providers as permitted by your account settings with them. We do not receive your passwords or any other data from these providers beyond what is needed to create or link your Kinpath account.

2.4 Information We Do NOT Collect

  • Medical records or health records. Kinpath is not a medical provider. We do not collect, store, or process Protected Health Information (PHI) as defined under HIPAA.
  • Payment card data. All payment processing is handled by Stripe. We never see or store your full credit card number, CVV, or bank account details.
  • Precise geolocation. We do not request access to your device’s GPS location.
  • Children’s personal information. We collect only a child’s name/nickname and date of birth for personalization purposes. We do not build profiles on children and we are not directed at children under 13.

3 How We Use Your Information

We use the information we collect to:

  • Provide the Service. Create your account, authenticate you, and operate the features you use: personalized resource recommendations, the checklist and planning tool, the AI chat assistant, and household sharing.
  • Personalize your experience. Match resources and content to your child’s age, your parenting preferences, dietary needs, and topics of interest.
  • Communicate with you. Send account-related emails (email verification, password reset), transactional notifications (subscription confirmations, household invitations), and, if you opt in, weekly content digests. You can unsubscribe from marketing emails at any time.
  • Process payments. Manage your subscription, upgrades, and refunds through Stripe.
  • Improve the Service. Analyze aggregated, de-identified usage patterns to understand which features are most useful, fix bugs, and develop new content.
  • Ensure security and prevent fraud. Monitor for unauthorized access, abuse, and violations of our Terms of Service.
  • Comply with legal obligations. Respond to lawful requests from courts or regulators and enforce our legal rights.

We rely on the following legal bases under applicable data protection law: contract performance (to provide the Service you signed up for), legitimate interests (security, fraud prevention, product improvement), consent (marketing emails, optional preferences), and legal obligation (compliance with law).

4 How We Share Your Information

We do not sell your personal data. We share your information only in the following limited circumstances:

  • Service providers. We work with a small set of vetted vendors who process data on our behalf: Supabase (database and authentication), Stripe (payment processing), Anthropic / OpenAI-compatible providers (AI chat inference; messages are sent to generate a response and are not used to train models under our agreements), and transactional email providers (account and notification emails). Each vendor is contractually bound to use your data only to perform services for us.
  • Household members. If you are on the Family plan and invite a partner, they will be able to see shared checklist items, your child profiles, and assigned tasks. They will not see your full account preferences or billing information.
  • Professional reviewers. Resources on Kinpath may be reviewed by licensed healthcare professionals. Reviewers see only resource content, never your personal information.
  • Legal requirements. We may disclose information if required by law, court order, or government request, or when we believe disclosure is necessary to protect the rights, property, or safety of Kinpath, our users, or the public.
  • Business transfers. If Kinpath is acquired, merged, or goes through a similar corporate event, your information may be transferred as part of that transaction. We will notify you via the email address on your account before your information becomes subject to a materially different privacy policy.
  • With your consent. We will share your information with third parties when you explicitly direct us to do so.

5 Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data is retained until you delete your account or request deletion.
  • Chat conversations you have saved are retained until you delete them or delete your account. Unsaved chat sessions are not stored beyond the current browser session.
  • Aggregated analytics data (de-identified, not linked to you personally) may be retained indefinitely for product improvement purposes.
  • Billing records are retained for up to 7 years as required for tax and financial compliance, even after account deletion. These records are held by Stripe and contain no payment card data.
  • Server logs containing IP addresses are automatically purged after 90 days.

When you delete your account, we delete or anonymize your personal information within 30 days, except where retention is required by law.

6 Your Rights & Choices

Depending on where you live, you may have the following rights regarding your personal data:

  • Access. Request a copy of the personal information we hold about you.
  • Correction. Ask us to correct inaccurate or incomplete information. Most account and preference data can be updated directly in your Settings page.
  • Deletion. Request that we delete your personal information. You can delete your account at any time from your Settings page. This deletes your profile, child profiles, preferences, chat history, and checklist data.
  • Portability. Request an export of your data in a machine-readable format.
  • Objection / restriction. Object to certain processing or request that we restrict how we use your data in specific circumstances.
  • Withdraw consent. Where we rely on your consent to process data (e.g., marketing emails), you can withdraw consent at any time without affecting the lawfulness of prior processing.
  • Opt out of marketing emails. Click “Unsubscribe” in any email, or update your notification preferences in Settings.

To exercise any of these rights, email us at privacy@kinpath.family. We will respond within 30 days. We may ask you to verify your identity before processing your request.

California residents may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of the sale of personal information. We do not sell personal information.

Residents of the European Economic Area, UK, or Switzerland may have additional rights under the GDPR or equivalent legislation, including the right to lodge a complaint with your local supervisory authority.

7 Children's Privacy

Kinpath is intended for use by adults (18 and older). We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@kinpath.family and we will promptly delete that information.

Data about your children (name, date of birth) is collected only for the purpose of personalizing content to their developmental stage. We do not use this data for advertising, share it with third parties for their own purposes, or build independent profiles on minors.

8 Security

We take the security of your information seriously. Our technical and organizational measures include:

  • Encryption in transit. All data exchanged between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
  • Encryption at rest. Your data is stored in Supabase (hosted on AWS) with encryption at rest enabled.
  • Password hashing. Passwords are hashed using bcrypt via Supabase Auth and are never stored in plain text. We never have access to your raw password.
  • Row-Level Security (RLS). Our database enforces strict access policies at the row level so that users can only access their own data.
  • Service role isolation. Administrative database operations use a separate service role key that is never exposed to the client.
  • Access controls. Internal access to production systems is limited to team members who require it, protected by strong authentication.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information using commercially reasonable means, we cannot guarantee absolute security. In the event of a data breach that affects your rights and freedoms, we will notify you and applicable regulators as required by law.

9 Cookies & Tracking

We use a minimal set of cookies and similar technologies necessary to operate the Service:

  • Authentication cookies. Supabase sets first-party cookies to maintain your login session across page loads. These are essential to the Service and cannot be disabled while using Kinpath.
  • Preference cookies. We may store lightweight preferences (e.g., theme choice) in your browser’s local storage. No personal data is included.

We do not use advertising cookies, cross-site tracking pixels, or behavioral advertising networks. We do not share cookie data with advertisers.

Some third-party services we embed (such as Stripe’s payment widget) may set their own cookies subject to their own privacy policies.

10 Third-Party Services

Kinpath integrates with the following third-party services. Each has its own privacy policy, which governs its data practices:

| Service | Purpose | Privacy policy / notes |
| --- | --- | --- |
| Supabase | Database, authentication, file storage | supabase.com/privacy |
| Stripe | Subscription billing, payment processing | stripe.com/privacy |
| Google | OAuth sign-in (optional) | policies.google.com/privacy |
| Apple | OAuth sign-in (optional) | apple.com/legal/privacy |
| AI inference provider | Processes chat messages to generate responses | Messages are not used to train models under our data processing agreement |

Links to external resources on Kinpath (e.g., articles from the AAP, CDC, WHO) lead to third-party websites. Once you leave Kinpath, this Privacy Policy no longer applies. We encourage you to review the privacy policies of any external sites you visit.

11 International Users

Kinpath is operated from the United States. If you access the Service from outside the US, your information may be transferred to and processed in the United States, where data protection laws may differ from those in your country.

For users in the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission as the legal mechanism for transferring personal data to the United States.

12 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page.
  • Send a notification email to the address on your account at least 14 days before the changes take effect.
  • Display an in-app banner for logged-in users when you next visit Kinpath.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you may delete your account before the effective date.

13 Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:

Kinpath Privacy Team

Email: privacy@kinpath.family

General support: support@kinpath.family

We aim to respond to all privacy-related inquiries within 5 business days and will resolve requests within 30 days.