Privacy Policy
Effective date: 2026-05-11
We built keni around a simple promise: we don't read your messages. The architecture below makes that a technical property rather than a marketing line, and it also spells out the one exception (the compliance archive) where we could read a message under legal compulsion.
What we collect
- Account: phone number (for SMS login), display name, optional avatar. Stored hashed where applicable.
- E2EE chat content: ciphertext only; the server never sees plaintext. Per-room keys are derived with X25519 ECDH between device identity keys, and the corresponding private keys exist only on your devices.
- Moments: ciphertext plus metadata (timestamp, visibility setting) only. Images are the exception: they are hashed for CSAM matching before storage, which requires plaintext briefly (see Content moderation).
- Compliance archive: a second copy of each outgoing message, encrypted with our platform public key and stored only for the legal retention window. It exists for law-enforcement production orders and CSAM auditing. We decrypt individual messages only against a documented legal request; we do not scan the archive for advertising, product analytics, or any purpose beyond those two. See "Compliance archive (be aware)" below.
- Telemetry: app version, OS, crash traces via Firebase Crashlytics. No content, no precise location, no advertising IDs.
Compliance archive (be aware)
Honesty over slogans: every outgoing message is encrypted twice. Once with your peer's public key (the E2EE copy, readable only by your peer), and once with keni's platform public key (the compliance copy). The compliance copy exists so that we can respond to lawfully served subpoenas and law-enforcement requests, and so that image attachments can be hashed with PhotoDNA for CSAM detection.
The platform private key is held in HSM-backed storage; using it requires multi-party authorization, and each use is logged internally. Be clear about what that means: the archive's confidentiality rests on custody of one long-lived key and on the people and process around it, not on end-to-end cryptography. We do not mine the archive for ads, summaries, or product analytics. If this trade-off is unacceptable for your threat model, keni is not the right tool; Signal makes a different choice and we won't argue with it.
AI features (what leaves your device)
AI features (keni assistant, intent routing, summarization, moment-caption suggestions) are different from peer-to-peer chat: to answer, the cloud LLM must "see" your prompt. By default we route through our ai-service which:
- Scrubs pattern-matchable PII before the prompt leaves our server for the model provider: phone numbers, email addresses, credit card numbers, national IDs, and IP addresses are replaced with placeholders, and the placeholders are swapped back into the response. Note what this implies: the prompt reaches our ai-service in plaintext, so scrubbing protects you from the model provider, not from us.
- Asks first: the first time you open an AI surface, keni shows a consent dialog. You can revoke consent at any time in Settings → Privacy; revoking disables all AI features.
- Offers a local-only mode: you can download Qwen2.5-0.5B (~280MB) to run a small LLM entirely on-device, and switch speech-to-text to Whisper for fully offline transcription. Neither path sends audio or prompts off the device.
Names, street addresses, personal events and other PII without a fixed pattern cannot be detected by rules, so be mindful of what you ask the AI to summarize or generate.
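As an added example of the scrub-and-restore step and of the limitation just described (not keni's ai-service code), the following Node.js snippet replaces pattern-matchable PII with placeholders, keeps a per-request map, and restores the placeholders in a model reply. The detector patterns, the placeholder format, and the sample prompt and reply are constructed for illustration; national-ID formats are left out because they vary by country. Card candidates are filtered with a Luhn check so that arbitrary digit runs are not scrubbed.

```javascript
'use strict';
// Added example, not keni's code. Detectors and placeholder format are assumptions.

// Luhn check so that only plausible card numbers are scrubbed as CARD.
function luhnOk(candidate) {
  const digits = candidate.replace(/\D/g, '');
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Order matters: cards are matched before phones so a card is not split into
// phone-like fragments. Each detector may carry an extra acceptance test.
const DETECTORS = [
  { kind: 'EMAIL', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { kind: 'IP',    re: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g },
  { kind: 'CARD',  re: /\b(?:\d[ -]?){13,19}\b/g, accept: luhnOk },
  { kind: 'PHONE', re: /\+?\d{1,3}[\s.-]?\(?\d{2,4}\)?[\s.-]?\d{3,4}[\s.-]?\d{3,4}\b/g },
];

// Replace each match with <KIND_n> and remember the original for this request only.
function scrub(text) {
  const map = new Map(); // placeholder -> original value; never leaves the server
  let out = text;
  for (const { kind, re, accept } of DETECTORS) {
    let n = 0;
    out = out.replace(re, (m) => {
      if (accept && !accept(m)) return m;
      const ph = `<${kind}_${++n}>`;
      map.set(ph, m);
      return ph;
    });
  }
  return { text: out, map };
}

// Put the original values back into whatever the model returned.
function restore(text, map) {
  let out = text;
  for (const [ph, orig] of map) out = out.split(ph).join(orig);
  return out;
}

function demo() {
  // Constructed prompt: a name, a phone, an email, a card and an IP.
  const prompt = 'Call Alice Chen at +1 415 555 0199 or alice@example.com, card 4111 1111 1111 1111, from 203.0.113.7';
  const { text: scrubbed, map } = scrub(prompt);
  // Constructed model reply that echoes a placeholder; the name was never a placeholder.
  const reply = 'Reminder set: call Alice Chen at <PHONE_1>.';
  return {
    scrubbed,
    restored: restore(reply, map),
    nameLeaked: scrubbed.includes('Alice Chen'), // the rule-based limit the policy warns about
  };
}
```

Two things the walk-through shows. First, the map lives only for the request, so the provider sees `<PHONE_1>` and the user sees the real number. Second, `nameLeaked` is true: "Alice Chen" has no fixed pattern, passes every detector, and reaches the provider unchanged, which is exactly the gap the paragraph above describes.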
What we do NOT collect
- Message plaintext
- Contact lists from your phone
- Precise GPS unless you opt into a live-location share
- Advertising IDs / cross-app tracking
Content moderation
Images uploaded to public-facing surfaces (Moments) are hashed with Microsoft PhotoDNA and compared against known CSAM hash sets. Image plaintext exists on our servers only for the duration of the hash computation. See Safety for details.
Data retention
- Chat ciphertext: until you or your peer deletes it
- Account info: until account deletion + 30 days backup retention
- CSAM evidence (when matched): for the preservation period required by 18 U.S.C. § 2258A(h) (90 days minimum; one year following the 2024 REPORT Act amendment), with the NCMEC report ID retained indefinitely
- Telemetry: 30 days
Identity keys & cloud sync
The private keys that decrypt your E2EE messages are generated on your device. On iOS they are stored in the Keychain with kSecAttrAccessibleAfterFirstUnlock and kSecAttrSynchronizable set, so iCloud Keychain replicates them to every device signed into the same Apple ID. Be aware of what that implies: anyone who gains control of your Apple ID and passes Apple's device-approval step receives a copy of your identity key, unless you disable iCloud Keychain. On Android we use EncryptedSharedPreferences and exclude the file from Auto Backup, so there is no automatic sync.
Separately, keni offers an optional passphrase-based backup (Settings → Privacy → Backup identity key). Your private key is encrypted on your device with a key derived from your passphrase (PBKDF2-HMAC-SHA256, 100,000 iterations, then AES-256-GCM) and the result is uploaded to our server. We never see the passphrase, and the upload is opaque to us. Two caveats: the backup is only as strong as the passphrase, because anyone holding the blob (including us, or anyone who breaches us) can run an offline guessing attack against it, and 100,000 iterations is well below the 600,000 that OWASP currently recommends for PBKDF2-HMAC-SHA256, so choose a long passphrase. If you lose the passphrase and every device holding the key, old chats cannot be decrypted.
Your rights (GDPR / PIPL)
Three rights are wired directly into the app, no email needed:
- Right to erasure (GDPR Art. 17): Settings → Privacy → My data → Delete account. Immediate and irreversible. Legal-hold records (CSAM reports, compliance archive) retained per statute.
- Right to data portability (GDPR Art. 20): Settings → Privacy → My data → Export. Returns a JSON dump of your profile, messages (ciphertext + timestamps), friends, reminders, AI memories.
- Right to access / rectify (GDPR Art. 15, 16): edit your profile in-app, or email hello@hikeni.com if you need help.
For any request our team cannot process via in-app tooling, we respond within 30 days of receiving your email (GDPR Art. 12 requires a reply within one month).
Children
keni is not intended for users under 13 (COPPA) or under the GDPR age of digital consent (16 by default under Art. 8, though member states may set it as low as 13). If we learn we hold data on such a user, we delete it. To report a minor's account, email safety@hikeni.com.