Kawsmic

Privacy Policy

Last updated: April 13, 2026

Our Commitment

Kawsmic is a personal growth platform operated by Riffith Street LLC (DBA Kawsmic), built on trust. Your data is deeply personal — your values, goals, journal entries, health metrics, and financial snapshots represent who you are and who you're becoming. We treat that with the highest level of respect and protection.

We will never sell, share, or monetize your personal data. Period.

What We Collect

Account Information

  • Email address (for login and account recovery)
  • Phone number (optional, for SMS reminders if you opt in)
  • Password (stored as a one-way hash using PBKDF2-SHA256 with 100,000 iterations — we cannot see your password)

Content You Create

  • Values & Goals — your core values, value statement, and goal hierarchy
  • Journal Entries — personal, business, and notes entries including text, photos, attachments, voice recordings, emotions, and tags
  • Health Data — weight logs, calorie intake, activity minutes (only if you enable health tracking)
  • Financial Data — account names, snapshot values, net worth history (only if you enable financial tracking)
  • Lists & Checklists — your custom lists and checklist items
  • Career Profile — resume uploads (PDF/DOCX), extracted career data, and career direction goals (only if you use Career Coach). Resume files are encrypted at rest and in transit, stored in your private S3 path, and only processed by AI to provide career coaching.

Automatically Collected

  • Session tokens (for keeping you logged in, expire after 30 days)
  • AI usage metrics (token counts for managing service limits — not the content of your conversations)
  • Streak and activity timestamps
  • Location data (only if you explicitly grant permission for journal entries)

How We Use Your Data

  • To provide the service — displaying your goals, journal, health and financial tracking
  • AI-powered features — your values, goals, and journal entries are sent to Amazon Bedrock (AWS's AI service) to generate coaching insights, weekly reflections, and story narratives. This data is processed in real time and is not stored by Amazon Bedrock — AWS does not use your data to train models.
  • Voice transcription — voice recordings are sent to OpenAI's Whisper API for transcription, then immediately deleted from our servers. OpenAI does not use API data for training.
  • Monthly emails — if opted in, we send growth recaps to your email via Amazon SES
  • SMS text messages — if you opt in, we send reminder messages to your phone number via Amazon SNS. Messages are only sent for reminders you explicitly create (goal reminders, calendar notifications). We do not send marketing or promotional texts. You can opt out at any time by replying STOP or disabling reminders in Account settings. Message and data rates may apply.

How We Protect Your Data

Encryption

  • In transit — all data is encrypted using TLS 1.2+ (HTTPS). No unencrypted connections are accepted.
  • At rest — all databases (Amazon RDS PostgreSQL) and file storage (Amazon S3) use AES-256 encryption, the same standard used by the U.S. government and financial institutions.
  • Passwords — hashed with PBKDF2-SHA256 using random 16-byte salts and 100,000 iterations. We never store and cannot recover your actual password.

Infrastructure Security

  • Hosted entirely on Amazon Web Services (AWS), which holds SOC 1/2/3, ISO 27001, FedRAMP, HIPAA, and PCI DSS certifications
  • Application runs in a private VPC (Virtual Private Cloud) — databases are not accessible from the public internet
  • Database credentials managed through AWS Secrets Manager with automatic rotation
  • All S3 data paths are scoped by user ID — users can only access their own files
  • Session tokens use cryptographically random generation with 30-day expiry

What We Never Do

  • ❌ We never sell your data to third parties
  • ❌ We never share your data with advertisers
  • ❌ We never use your data for purposes other than providing the service
  • ❌ We never access your journal entries, health data, or financial data unless required for technical support you explicitly request
  • ❌ We never store your voice recordings after transcription is complete

Data Retention

  • Your data is retained as long as your account is active
  • Completed daily actions are automatically cleaned up after 7 days
  • Voice recordings are deleted immediately after transcription
  • If you delete your account, all associated data (database records, S3 files, session tokens) is permanently removed

Your Rights

  • Access — you can view all your data within the application at any time
  • Export — you can export your data via CSV (available on the Data page)
  • Delete — you can delete individual entries, or request full account deletion
  • Email preferences — you can opt out of monthly emails on your Account page

Cookies

We use a single HttpOnly, Secure, SameSite=Strict session cookie to keep you logged in. We do not use tracking cookies, analytics cookies, or any third-party cookies.

Children's Privacy

Kawsmic is not intended for children under 13. We do not knowingly collect data from children under 13.

Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated via email to active users. The "last updated" date at the top reflects the most recent revision.

Contact

Questions about your privacy? Contact us at:
Riffith Street LLC (DBA Kawsmic)
118 Dover Dr, Coraopolis, PA 15108
support@kawsmic.com

© Kawsmic. All rights reserved.