Operator
- Company: KENI TECHNOLOGY LIMITED
- CR No.: 80506490
- Address: Unit 05, 12/F, The Cloud, No. 111 Tung Chau Street, Tai Kok Tsui, Hong Kong
- Data Controller: company@hikeni.com
For data subject requests (GDPR / PIPL / CCPA) write to company@hikeni.com. We respond within 30 days.
We built KENI around a simple promise: we can't read your 1:1 message text — not "we won't," but architecturally can't. The boundaries below (media you send, group chats) are spelled out plainly — no word games.
What we collect
- Account: phone number (for SMS login), display name, optional avatar. Stored hashed where applicable.
- 1:1 chat text: end-to-end encrypted, ciphertext only — the server never sees plaintext and keeps no decryptable copy. Keys are derived per room with X25519 ECDH; only your devices hold the private key. (Media you send and quoted-message previews are not yet E2E — see boundaries below.)
- Moments: ciphertext + metadata (timestamp, friends list visibility) only.
- Compliance archive (group chats): for group messages, a copy encrypted with our platform public key, stored only for the legal retention window. Used exclusively for law-enforcement production orders and CSAM audit. We can decrypt this copy only with a documented legal request; we do not scan it for content, advertising, or any other purpose. 1:1 chats have no such copy. See "Compliance archive (be aware)" below.
- Telemetry: app version, OS, crash traces via Firebase Crashlytics. No content, no precise location, no advertising IDs.
Compliance archive (be aware)
Honesty over slogans: your 1:1 message text is end-to-end encrypted, and we keep no copy we can decrypt — not even us. Group messages are different: we keep a compliance copy (encrypted with KENI's platform public key) so we can respond to lawfully served subpoenas / law-enforcement requests, and PhotoDNA hashes uploaded images for CSAM detection. Media you send in 1:1 chats (photos, files, voice) and quoted previews are not yet end-to-end encrypted — we're closing that gap.
The platform private key is held in HSM-grade storage and access requires multi-party authorization documented in our internal incident log. We do not mine the archive for ads, summaries, or product analytics. If this trade-off is unacceptable to your threat model, KENI is not the right tool — Signal makes a different choice and we won't argue with it.
AI features (what leaves your device)
AI features (KENI assistant, intent routing, summarization, moment-caption suggestions) are different from peer-to-peer chat: to answer, the cloud LLM must "see" your prompt. By default we route through our ai-service which:
- Auto-scrubs obvious PII before the prompt leaves our server: phone numbers, email addresses, credit card numbers, national IDs, IP addresses are replaced with placeholders, then restored in the response.
- Asks first: the first time you open an AI surface, KENI shows a consent dialog. You can revoke the consent any time in Settings → Privacy; revoking disables all AI features.
- Offers local-only mode: you can download Qwen2.5-0.5B (~280MB) to run a small LLM entirely on-device, and switch speech-to-text to Whisper for fully offline transcription. Neither path sends audio or prompts to anyone.
- Real-time web search: when you ask a time-sensitive question and turn on web search, your query — after the same PII scrubbing — is sent to our search provider (Serper) to fetch current results. It is opt-in per query and disclosed before first use; we do not fetch the result pages on your behalf.
Names, addresses, personal events and other PII that follows no fixed pattern cannot be detected by matching rules — please be mindful of what you ask AI to summarize or generate.
Third-party AI providers (subprocessors)
When you use a cloud AI feature, your prompt — after the PII scrubbing above — plus relevant memory snippets are sent to the model provider you are routed to. Each acts as our data processor under a GDPR Art. 28 DPA and CCPA service-provider terms; cross-border transfers rely on Standard Contractual Clauses (SCC). Sharing happens only on the basis of your consent, only for the AI surfaces you use, and never for advertising or profiling.
- OpenAI, L.L.C. (US) — inference & embeddings. API inputs are not used to train their models by default; Zero-Data-Retention available.
- Anthropic PBC (US) — Claude model inference. API inputs not used for training by default.
- Google LLC (Gemini) (US) — model inference.
- DeepSeek (servers in China) — model inference.
- Serper (serper.dev, US) — real-time web search for time-sensitive queries you opt into.
Which provider handles a given request depends on your settings and our routing. In the China build, AI routes only to domestically hosted providers and your data does not leave the country. If you bring your own API key (BYOK), data flows to the provider you choose under their policy. Our full subprocessor list (content moderation, SMS, hosting) is in the in-app privacy policy.
What we do NOT collect
- Message plaintext
- Contact lists from your phone
- Precise GPS unless you opt into a live-location share
- Advertising IDs / cross-app tracking
Content moderation
Images uploaded to public-facing surfaces (Moments) are hashed with Microsoft PhotoDNA against known CSAM datasets. Image plaintext is ephemeral on our servers for the duration of the hash computation. See Safety for details.
Data retention
- Chat ciphertext: until you or your peer deletes it
- Account info: until account deletion + 30 days backup retention
- CSAM evidence (when matched): per 18 U.S.C. § 2258A — 90 days minimum, with NCMEC report ID retained indefinitely
- Telemetry: 30 days
Identity keys & cloud sync
The private keys that decrypt your E2EE messages are generated on your device and kept device-local. On iOS we store them in Keychain with kSecAttrAccessibleAfterFirstUnlock and the iCloud sync attribute disabled; on Android in EncryptedSharedPreferences with allowBackup excluded. Your identity private key is never replicated to iCloud or Google cloud backup — without Apple Advanced Data Protection, Apple (or Google) would otherwise hold the ability to decrypt that copy, so we deliberately keep it off the cloud, the same choice Signal makes. The only way to carry your keys to a new device is the optional passphrase backup below.
Separately, KENI offers an optional passphrase-based backup (Settings → Privacy → Backup identity key). Your private key is encrypted on your device with a passphrase-derived KEK (PBKDF2-SHA256, 100k iterations, AES-256-GCM) and uploaded to our server. We never see the passphrase; the upload is opaque to us. If you lose the passphrase, you lose the ability to decrypt old chats.
Your rights (GDPR / PIPL)
Three rights are wired directly into the app, no email needed:
- Right to erasure (GDPR Art. 17): Settings → Privacy → My data → Delete account. Immediate and irreversible. Legal-hold records (CSAM reports, compliance archive) retained per statute.
- Right to data portability (GDPR Art. 20): Settings → Privacy → My data → Export. Returns a JSON dump of your profile, messages (ciphertext + timestamps), friends, reminders, AI memories.
- Right to access / rectify (GDPR Art. 15, 16): edit your profile in-app, or email hello@hikeni.com if you need help.
For any request our team can't process via in-app tooling, we respond within 30 days of receiving your email.
Children
KENI is not intended for users under 13 (COPPA) / 16 (GDPR member states). If we learn we hold data on such a user, we delete it. To report a minor's account, email safety@hikeni.com.