Privacy Policy
Last updated: April 28, 2026
At Kaiho, we take the privacy of your data very seriously. This policy explains, in clear and transparent language, what information we collect, why, and how you can exercise your rights.
1. Preamble
Kaiho is a coaching and quit-smoking companion application. It is not a medical app, a medical device or a therapeutic service. The content and features provided are part of a wellness/lifestyle coaching offering.
This privacy policy (the "Policy") describes how Kaiho processes your personal data in connection with:
- the website kaiho.fr;
- the Kaiho mobile application (iOS and Android);
- any communication with our team (email, support).
This Policy complies with the General Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016 — "GDPR") and the amended French law n°78-17 of 6 January 1978 ("Data Protection Act").
2. Data controller
The data controller is:
- Kaiho SAS, a société par actions simplifiée with share capital of €1,000
- SIREN 104 211 768, registered with the Clermont-Ferrand Trade and Companies Register
- Registered office: Les Paccauds, 1 impasse de la Lauche, 63290 Paslières, France
- Email: kaiho@coach-tabac.com
Kaiho is not legally required to appoint a Data Protection Officer (DPO) but has set up a dedicated email address for any privacy-related question: kaiho@coach-tabac.com.
3. Data we collect
3.1 Data provided when creating an account
- Email (required): to create your account and contact you
- First name (optional): to personalize the application
- If you use Apple Sign-In or Google Sign-In: an ephemeral identifier (idToken) sent to our authentication provider, plus the profile information you agree to share (email, first name, last name)
3.2 Data provided when using the application
- Your tobacco consumption habits: cigarettes per day, pack price, currency, smoking duration
- Your quit date
- Your motivations and reasons for quitting
- Your quiz answers (dependency, motivation) and scores
- Your previous quit attempts and their duration
- Your activities in the application: exercises completed, craving help requests, lessons viewed, achievements unlocked
3.3 Connected health data (optional)
If you give explicit permission, the application can read the following data from Apple HealthKit (iOS) or Android Health Connect:
- Daily step count
- Active calories burned
This data remains stored on your device and is only synchronized if you have explicitly authorized it. You may revoke this authorization at any time from your phone's settings.
3.4 Technical data
- Device model and operating system
- Pseudonymous user identifier (UUID, generated by Kaiho)
- IP address (collected by the servers on each request, retained temporarily for security purposes)
- Language and timezone
- Push notification token (anonymous, provided by Apple or Google)
3.5 Subscription data
- Status of your subscription (free / paid)
- Apple or Google transaction identifier
- Renewal date
We never collect your bank or card details. Payments are handled exclusively by the Apple App Store or Google Play, which only share the status of your subscription with us.
3.6 What we do NOT collect
- Your last name (unless provided via Apple or Google Sign-In)
- Your date of birth
- Your gender
- Your profile picture
- Your GPS location
- Your contacts or calendar
- Your photos, personal videos, files
4. Purposes and legal bases
We process your data for the following purposes, each based on a specific legal basis:
| Purpose | Legal basis (GDPR) | Data concerned |
|---|---|---|
| Account creation and management | Performance of contract (art. 6.1.b) | Email, first name, identifier |
| Providing personalized coaching (program, tracking, exercises) | Performance of contract (art. 6.1.b) | Tobacco habits, motivations, dates, activities, achievements |
| Managing your paid subscription | Performance of contract (art. 6.1.b) | Subscription status, transaction |
| Reading connected health data (steps, calories) | Explicit consent (art. 6.1.a, HealthKit / Health Connect authorization) | Steps, active calories |
| Product improvement (anonymized analytics) | Legitimate interest (art. 6.1.f) | Pseudonymous usage events (no email) |
| Bug detection and crash reporting | Legitimate interest (art. 6.1.f) | Stack traces, application state, device model |
| Push notifications (reminders, encouragement) | Legitimate interest + system consent (iOS/Android authorization) | Anonymous push token |
| Account security and fraud prevention | Legitimate interest (art. 6.1.f) | IP address, login logs |
| Compliance with our accounting and tax obligations | Legal obligation (art. 6.1.c) | Invoices and transaction data |
5. Who we share your data with
To run the application, we rely on a limited number of technical service providers (processors under the GDPR). Each is bound to Kaiho by a Data Processing Agreement (DPA) ensuring GDPR compliance.
| Provider | Role | Server location |
|---|---|---|
| Supabase Inc. | Database and authentication hosting | Frankfurt, Germany (EU) |
| PostHog | Product analytics (pseudonymous events, no email) | European Union |
| Sentry | Bug and crash reporting | United States |
| RevenueCat | Subscription management and Apple/Google sync | United States |
| Apple Inc. | Apple Sign-In, In-App Purchases, iOS push notifications | United States |
| Google LLC | Google Sign-In, In-App Purchases, Android push notifications | United States |
| Bunny.net | Coach video delivery (CDN) | Global network |
| Cloudflare, Inc. | kaiho.fr website hosting | Global network |
We never sell your personal data. We never share it with third parties for advertising purposes.
6. Transfers outside the European Union
Some of our providers (Sentry, RevenueCat, Apple, Google) are based in the United States. When your data is transferred to them, we rely on the following GDPR safeguards:
- adherence to the EU-U.S. Data Privacy Framework (DPF), when the provider is registered;
- Standard Contractual Clauses (SCCs) adopted by the European Commission;
- additional technical measures (encryption in transit and at rest).
You may obtain a copy of these safeguards by writing to kaiho@coach-tabac.com.
7. Retention period
| Type of data | Duration |
|---|---|
| Active account (you use the application) | As long as your account exists |
| Inactive account (no login for 3 years) | Automatic deletion after 3 years, with email notice |
| After account deletion | Permanent deletion within 30 days (reversible "soft delete" for 30 days, then "hard delete") |
| Security logs (logins, IP) | 12 months |
| Invoices and accounting data | 10 years (legal obligation under article L.123-22 of the French Commercial Code) |
| Product analytics (pseudonymous events) | 13 months |
8. Data security
We implement appropriate technical and organizational measures to protect your data:
- Encryption of data in transit (HTTPS/TLS 1.2+) on all communications
- Encryption of data at rest on Supabase servers (AES-256 encryption)
- Strong authentication for access to internal systems
- Strict access partitioning: only authorized Kaiho personnel can access user data, and only when necessary
- Regular and tested backups
- Security incident management in compliance with article 33 of the GDPR (notification to CNIL and data subjects within 72h in case of serious breach)
9. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: obtain a copy of the data we hold about you
- Right to rectification: correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): request the deletion of your data
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object to data processing for legitimate reasons
- Right to restriction of processing
- Right to withdraw consent at any time, where processing is based on consent
- Right to provide directives regarding the fate of your data after your death
To exercise any of these rights, write to kaiho@coach-tabac.com. We will respond within one month at most.
Direct deletion from the application: you may delete your account at any time from the application settings. Deletion becomes permanent after 30 days (during which you can still change your mind by logging back in).
10. Minors
The Kaiho application is reserved for people who are of legal age (18+), in line with the legal age for tobacco consumption in France and most European Union countries.
We do not knowingly collect data from minors. If we discover that data concerning a minor has been collected, we will delete it without delay. If you are a parent or guardian and believe your child has provided us with data, contact us at kaiho@coach-tabac.com.
12. Changes to this Policy
We may update this Policy to reflect legal, technical or business changes. The last update date is shown at the top of this document.
In the event of a substantial change (new purposes, new recipients, significant changes to your rights), we will notify you by email or by an in-app notification before the change takes effect.
13. Contact and complaints
For any question regarding this Policy or your personal data:
- Email: kaiho@coach-tabac.com
- Mail: Kaiho SAS, Les Paccauds, 1 impasse de la Lauche, 63290 Paslières, France
If, after contacting us, you believe your rights are not being respected, you may lodge a complaint with the French data protection authority (CNIL):
- www.cnil.fr/en/plaintes
- 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
- Phone: +33 1 53 73 22 22
You may also contact your national data protection authority in any other EU/EEA country where you reside.