Privacy Policy

Kinly is operated by Kinly Technologies, based in Toronto, Ontario, Canada. Contact: privacy@kinlyhq.com.

• Account info: your email address, given name (optional), and the email of the spouse you invite.
• Financial data you give us: transactions, account names, statement and receipt files, budgets, goals, the contribution- room amounts you enter for sheltered accounts.
• Connected services: if you connect Gmail, we read messages classified as financial transaction confirmations or bills. We do not store the content of non-financial emails.
• Usage data: anonymous metrics on which features you use. No browsing fingerprints, no third-party trackers.

Solely to power the household-finance features you signed up for: track spending, reconcile statements, write your daily brief, answer your questions in chat. We do not sell or share any of your data with advertisers, brokers, or any third party for marketing.

• Primary database: Neon Postgres inca-central-1 (Montreal, Canada).
• Encryption root: AWS KMS Customer Master Key inca-central-1. Your per-household data encryption key is wrapped under this root and never leaves AWS KMS in plaintext.
• File storage: Vercel Blob, encrypted at rest. Receipts, statements, and forwarded emails are stored as ciphertext.
• Application hosting: Vercel. Compute runs in their global edge network; static assets only — your data does not.

If you connect a Google account, Kinly requests the gmail.readonlyscope. Kinly’s use of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.

• We use your Gmail data only to detect transaction-confirmation emails and recurring bills for the household-finance product features.
• We do not transfer Gmail data to third parties unless required for the service (Anthropic for classification — see “Sub-processors” below).
• We do not use Gmail data for advertising.
• We do not allow humans to read Gmail data unless we have your specific consent, it is necessary for security, or we are required to comply with the law.
• Non-financial emails are not stored. Only emails classified as financial confirmations or bills are persisted in our database.

You can disconnect Gmail at any time from Settings → Integrations, which revokes our access via Google’s OAuth revoke endpoint.

We use the following service providers to operate Kinly:

• Vercel (hosting + file storage)
• Neon (Postgres database, Canada region)
• AWS KMS (encryption key management, Canada region)
• Anthropic(Claude API — receipt and email parsing, advisor and chat responses). Anthropic’s standard API does not train models on customer content.
• Resend (transactional email delivery and inbound parsing)
• Inngest (durable background workflows)
• Stripe (payments). Stripe holds card data; Kinly never sees PANs.
• Google (Gmail API — only when you connect it)

• Financial records: 7 years (Canadian record-keeping convention), soft-deleted then purged on rotation.
• Account data: until you delete your account. Then a 30-day grace period, then hard-deleted from the primary database. Encrypted backups roll forward on a 90-day cycle.
• Audit logs: 7 years, retained even after account deletion (for regulatory dispute resolution). Tied only to your former account ID, not personal identifiers.

• Access: download every record we hold on you, machine-readable, from Settings → Privacy.
• Correct: edit or delete any record from the app directly.
• Delete: close your account. Data wiped within 30 days, backups within 90.
• Withdraw consent: disable any integration (Gmail, Resend forwarding) without account closure.
• Complain: contact us first at privacy@kinlyhq.com. You can also contact the Office of the Privacy Commissioner of Canada.

Kinly is not intended for children under 16. We do not knowingly collect data from children.

We may update this policy as we add features. Material changes are announced via in-app notice and email at least 14 days before they take effect.