Last updated: February 2026
Khema is an AI-based chat app for smoking cessation. The app guides you through structured sessions to help you quit smoking.
Data Controller:
Gabriel Zerbe, trading as khema
c/o Online-Impressum.de #4533
Europaring 90
53757 Sankt Augustin
Germany
Contact for privacy matters: datenschutz@khema.ai
This Privacy Policy explains what personal data we collect, why we process it, and what rights you have. It applies to the Khema mobile app (iOS and Android) and the Khema website.
Khema processes health data — specifically data related to your smoking behavior, nicotine dependence, and cessation progress. Health data is a special category of personal data under Art. 9 GDPR and receives additional protection. We will never process your health data without your explicit consent.
Because Khema is a smoking cessation service, we recognize that even operational data — such as your account existence, session activity, and program progress — reveals health-related information in context. The fact that you have a Khema account inherently indicates that you are seeking support for smoking cessation. All personal data processed within Khema is therefore treated as health data under Art. 9 GDPR.
Consent before account creation: Before you can create a Khema account, we ask for your explicit consent to the processing of your health data under Art. 9(2)(a) GDPR. This consent covers all processing activities described in this policy that involve data linked to your account. Without this consent, we cannot create your account or provide the service, because the service inherently requires the processing of health data — this is not an artificial restriction but reflects the nature of a smoking cessation service.
Unless stated otherwise, all processing activities described below that involve data linked to your account rely on Art. 9(2)(a) GDPR (explicit consent for health data) in conjunction with the applicable Art. 6 basis specified in each section. The only exception is technical data that cannot be linked to your identity (see Section 3.4).
We do not sell your data. We do not share your data with advertisers. All data is stored and processed within the European Union.
When you create a Khema account, we collect:
If you sign up using a social login provider (Google, Apple, or Microsoft), we receive limited profile information from that provider through our authentication system (see Section 8).
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR. As described in Section 2, your account existence in a smoking cessation service constitutes health-related information.
To provide our smoking cessation service, we process health data that you share with the app. This includes:
We only process the health data you choose to share with the app.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR.
To operate the service and understand how the app is used, we collect:
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR. This data is necessary to deliver the structured session program and inherently reveals information about your smoking cessation journey.
When you use the app, our servers automatically collect:
This is the only category of data we process that is not treated as health data. Because these logs cannot be linked to an identifiable user, they do not reveal whether any specific person uses a smoking cessation service. They are stored on our own EU-based infrastructure.
Legal basis: Legitimate interest, Art. 6(1)(f) GDPR. Our legitimate interest is ensuring the security and stability of the service.
We process your account data, health data, and session data to deliver the core Khema experience: guided sessions for smoking cessation, craving tracking, and progress monitoring.
Legal basis: Contract performance, Art. 6(1)(b) GDPR; explicit consent, Art. 9(2)(a) GDPR, for health data.
We use Google Workspace to send essential emails such as password reset requests and account verification. Only your email address is shared with Google for this purpose — no health data or session content is included in these transmissions.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR. Although the email content itself does not contain health data, your email address is processed in the context of a smoking cessation service.
If you opt in during registration by checking the box reading "Yes, I'd like to receive occasional emails from Khema, such as tips to help me quit and feedback requests. Optional", we will send you:
These emails are sent via Google Workspace. You can unsubscribe at any time by clicking the unsubscribe link at the bottom of any such email or by contacting us at datenschutz@khema.ai. Unsubscribing from newsletters does not affect your health data consent or your ability to use the service.
Legal basis: Consent, Art. 6(1)(a) GDPR. The decision to receive newsletters is separate from your health data consent. You can unsubscribe from newsletters without affecting your account or health data processing.
We share anonymized, aggregated usage statistics with selected research partners to support scientific research into smoking cessation. This data is fully anonymized and can no longer be linked to individual users. It includes only aggregate figures such as overall quit rates, average session counts, or usage patterns across the user base — never individual conversation content or personal details.
Because this data is anonymized in accordance with Recital 26 GDPR, it is no longer considered personal data and GDPR does not apply to its use.
Khema uses a large language model (LLM) to deliver its sessions. This section explains what data is sent to the AI, what the AI produces, and how we monitor AI quality.
During a session, the following categories of data are included in the prompt sent to the LLM:
This data is necessary for the AI to provide personalized, contextually appropriate responses.
LLM provider: Amazon Web Services (AWS), operating in the EU. AWS processes this data solely for inference — generating a response to the prompt. AWS does not use your data to train its models.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR.
Based on your sessions, the AI may generate additional outputs, including:
You can always review and correct any AI-derived data shown in the app. If you believe any information is incorrect, you have the right to rectification under Art. 16 GDPR.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR. Internal summaries are additionally covered by the consent described in Section 6.
Khema uses automated decision-making as defined by Art. 22 GDPR in limited cases. The AI may evaluate session conversations to detect whether certain milestones or status changes occurred — for example, whether you relapsed and agreed to start a new quit attempt. This can trigger automated updates to your progress tracking (such as resetting your smoke-free timer) without human review.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR. Transparency disclosure provided under Art. 13(2)(f) GDPR; substantive rights under Art. 22 GDPR.
Khema is an AI-driven smoking cessation app. Unlike traditional apps, we must be able to review what the AI said to users and why. This is essential to:
To do this, we use a self-hosted AI monitoring system running on our EU-based infrastructure to log AI interactions. This system records:
This data is used for automated safety evaluations (Section 6.2), human review by our quality assurance team (Section 6.3), and service improvement (Section 6.4).
Retention: AI monitoring logs are retained for 180 days and then deleted. When you delete your account, all AI monitoring logs linked to your account are deleted immediately. If you use the "reset my data" feature (see Section 10.2), AI monitoring logs are not deleted — only a full account deletion removes them.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with consent, Art. 6(1)(a) GDPR. This processing is covered by the explicit consent you provide before account creation, which includes consent to AI quality and safety monitoring.
Using the data logged in Section 6.1, we run automated evaluations to detect potential safety issues and verify AI quality. These evaluations use a separate AI model to assess conversations for:
These evaluations require processing your session conversations (which contain health data) as input. The evaluation results (e.g., "safety score: pass") are scores and flags — not new conversation content — and do not themselves contain your health data.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with consent, Art. 6(1)(a) GDPR. The evaluation process involves processing health data (your session conversations) and is covered by the consent you provide before account creation.
A trained member of our team reviews session conversations (both your messages and the AI's responses) for the following purposes:
This means that a human will read what you write in your sessions. This team member is bound by confidentiality obligations and a data processing agreement governing access to your health data.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with consent, Art. 6(1)(a) GDPR.
We use anonymized and pseudonymized data from sessions to improve the Khema service. This includes analyzing conversation patterns to refine the AI's approach, testing improvements to the AI system, and developing new features.
Where health data is used for service improvement, it is pseudonymized (identifying details are separated from the content) or fully anonymized. Anonymized data that can no longer be linked to any individual is not subject to GDPR.
Legal basis: For pseudonymized data that remains personal data: explicit consent, Art. 9(2)(a) GDPR, in conjunction with consent, Art. 6(1)(a) GDPR. For fully anonymized data: GDPR does not apply (Recital 26 GDPR). Our interest is continuously improving the quality and effectiveness of the smoking cessation service.
We do not sell your data. We share personal data only with the service providers listed below, who process data on our behalf under data processing agreements in accordance with Art. 28 GDPR.
| Service Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, LLM inference | All data (encrypted at rest and in transit) | EU |
| Google Workspace | Transactional and newsletter emails | Email address | EU data processing; Google LLC is certified under the EU-US Data Privacy Framework |
Self-hosted services (running on our EU-based server cluster, not shared with third parties):
We share anonymized, aggregated statistics with selected research partners (see Section 4.4). Because this data is fully anonymized and cannot be linked to individual users, it does not constitute a data transfer of personal data under GDPR.
You may create a Khema account using your existing Google, Apple, or Microsoft account. If you choose to do so, the following applies:
All social logins are brokered through our self-hosted authentication system. Khema never communicates directly with Google, Apple, or Microsoft — the authentication system handles the connection.
When you use social login, we receive only standard profile data from the provider — your email address, first name, and profile picture (if available). We do not share any health data, session content, or smoking cessation information with your social login provider. How the provider processes your authentication request is governed by the provider's own privacy policy (see Section 8.5).
We only store three fields from social login: your email address, first name, and profile picture (if available). What we receive depends on the provider:
If a provider shares a profile picture, we store it as your account profile picture. You can change or remove it at any time in your account settings.
It is your choice whether to use social login. You can always sign up with an email address and password instead. You can disconnect your social login at any time by setting a password in your account settings, after which your account will use email and password authentication instead.
The authentication exchange may involve the transfer of profile data (email address, name, profile picture) to servers outside the EU. No health data is transferred during this exchange. Google LLC and Microsoft Corporation are certified under the EU-US Data Privacy Framework, providing an adequate level of data protection as recognized by the European Commission under Art. 45 GDPR. Apple Inc. relies on Standard Contractual Clauses as approved by the European Commission under Art. 46(2)(c) GDPR.
The social login providers process your data according to their own privacy policies:
Legal basis: Contract performance, Art. 6(1)(b) GDPR, for email address and first name, which are necessary to create and manage your account. Consent, Art. 6(1)(a) GDPR, for profile picture, which is optional and not necessary for the service. Once stored in your Khema account, this data is subject to the legal bases described in Section 3.1, including explicit consent under Art. 9(2)(a) GDPR for health data.
All personal data is stored and processed within the European Union. Our infrastructure runs on AWS in the EU and on a self-hosted EU-based server cluster.
Limited data may be processed outside the EU in the following cases:
Google LLC and Microsoft Corporation are certified under the EU-US Data Privacy Framework, providing an adequate level of data protection as recognized by the European Commission under Art. 45 GDPR. Apple Inc. relies on Standard Contractual Clauses as approved by the European Commission under Art. 46(2)(c) GDPR.
We do not transfer health data outside the European Union.
| Data Category | Retention Period |
|---|---|
| Account data (email, name, birth date) | Until you delete your account |
| Health data (conversations, craving data, cessation progress, assessments) | Until you delete your account or reset your data |
| AI-generated outputs (summaries, personalization data) | Until you delete your account or reset your data |
| AI monitoring logs | 180 days, or until you delete your account (whichever is sooner) |
| Usage and behavioral data | Until you delete your account |
| Social login link (provider connection) | Until you delete your account or disconnect social login |
| Technical data (server logs, application logs) | 30 days |
| Newsletter consent record | Until you withdraw consent or delete your account |
Account deletion: You can delete your account in the app settings. This immediately and permanently deletes all your data, including your account information, session conversations, health data, AI-generated outputs, and AI monitoring logs.
Reset my data: You can reset your data in the app settings. This deletes all your session conversations, health data, and AI-generated outputs, but keeps your account active so you can start fresh. Please note that AI monitoring logs are not deleted when you reset your data — they are only deleted when you fully delete your account or when the 180-day retention period expires.
We implement technical and organizational measures to protect your data:
Under the GDPR, you have the following rights regarding your personal data. You can exercise these rights by contacting us at datenschutz@khema.ai or by using the relevant features in the app.
You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with supplementary information about the processing, including the purposes, categories of data, recipients, and retention periods. You can request a data export by emailing datenschutz@khema.ai. We will provide your data in a structured, machine-readable format (JSON).
You have the right to correct inaccurate personal data and to have incomplete personal data completed. For corrections or to provide supplementary information, contact us at datenschutz@khema.ai.
You have the right to request deletion of your personal data. You can delete your account directly in the app (see Section 10.2). We will delete your data without undue delay.
You have the right to request restriction of processing if you contest the accuracy of your data, if the processing is unlawful, if we no longer need the data but you need it for legal claims, or if you have objected to processing pending verification.
Where processing is based on your consent or our contract with you and is carried out by automated means, you have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format (JSON) and to transmit it to another controller. Where technically feasible, you may also request that we transmit the data directly to another controller. Contact us at datenschutz@khema.ai.
You have the right to object to processing based on legitimate interest (Art. 6(1)(f) GDPR) on grounds relating to your particular situation. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for the establishment, exercise, or defence of legal claims.
Where processing is based on your consent (particularly for health data processing), you may withdraw your consent at any time. You can do this by deleting your account in the app or by contacting us at datenschutz@khema.ai. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Please note that withdrawing your consent for health data processing will result in the termination of your account and the deletion of your data, as the smoking cessation service cannot be provided without processing health data. This is not an artificial restriction — it reflects the inherent nature of the service. A smoking cessation app cannot function without processing information related to your smoking behavior and cessation journey.
You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The automated progress updates described in Section 5.3 are the only automated decision-making in Khema. You have the right to obtain human intervention, to express your point of view, and to contest any automated decision by contacting us at datenschutz@khema.ai.
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. The competent authority for Khema is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2-4
40213 Düsseldorf
Germany
Phone: +49 (0) 211 38424-0
Email: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de
We will respond to your requests within one month. If your request is particularly complex or we receive a large number of requests, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for the delay within the initial one-month period.
Khema is intended for users aged 16 and older. We do not knowingly collect personal data from anyone under the age of 16. If you are located in the EU, you may only use Khema if you are at least 16 years old or have the consent of your parent or legal guardian.
If you are a parent and believe your child is using Khema without your permission, please contact us at datenschutz@khema.ai and we will delete the account.
The Khema website (khema.ai) is a landing page that provides information about the app. The website does not use cookies, does not use analytics tools, and does not collect personal data beyond what is necessary to serve the webpage (see Section 3.4 regarding server logs).
We may update this Privacy Policy from time to time to reflect changes in our practices, our service, or legal requirements. If we make material changes, we will notify you through the app before the changes take effect.
The date of the most recent update is shown at the top of this document. We encourage you to review this policy periodically.
If you have any questions about this Privacy Policy or about how we handle your data, please contact us:
Email: datenschutz@khema.ai
Postal address:
khema - Gabriel Zerbe
c/o Online-Impressum.de #4533
Europaring 90
53757 Sankt Augustin
Germany