Privacy Policy
Last updated: February 2026
1. Who We Are
Khema is an AI-based chat app for smoking cessation. The app guides you through structured sessions to help you quit smoking.
Data Controller:
Gabriel Zerbe, trading as khema
c/o Online-Impressum.de #4533
Europaring 90
53757 Sankt Augustin
Germany
Contact for privacy matters: datenschutz@khema.ai
2. Overview
This Privacy Policy explains what personal data we collect, why we process it, and what rights you have. It applies to the Khema mobile app (iOS and Android) and the Khema website.
Khema processes health data — specifically data related to your smoking behavior, nicotine dependence, and cessation progress. Health data is a special category of personal data under Art. 9 GDPR and receives additional protection. We will never process your health data without your explicit consent.
Because Khema is a smoking cessation service, we recognize that even operational data — such as your account existence, session activity, and program progress — reveals health-related information in context. The fact that you have a Khema account inherently indicates that you are seeking support for smoking cessation. All personal data processed within Khema is therefore treated as health data under Art. 9 GDPR.
Consent before account creation: Before you can create a Khema account, we ask for your explicit consent to the processing of your health data under Art. 9(2)(a) GDPR. This consent covers all processing activities described in this policy that involve data linked to your account. Without this consent, we cannot create your account or provide the service, because the service inherently requires the processing of health data — this is not an artificial restriction but reflects the nature of a smoking cessation service.
Unless stated otherwise, all processing activities described below that involve data linked to your account rely on Art. 9(2)(a) GDPR (explicit consent for health data) in conjunction with the applicable Art. 6 basis specified in each section. The only exception is technical data that cannot be linked to your identity (see Section 3.4).
We do not sell your data. We do not share your data with advertisers. All data is stored and processed within the European Union.
3. What Data We Collect
3.1 Account Data
When you create a Khema account, we collect:
- Email address — stored in our self-hosted authentication system
- Password — stored as a salted one-way hash; we cannot read your password
- First name — used to personalize your sessions; you may enter any name you choose
- Date of birth — used to verify you meet the minimum age requirement
- Profile picture — optionally provided by you or imported from your social login provider; used to personalize your account
If you sign up using a social login provider (Google, Apple, or Microsoft), we receive limited profile information from that provider through our authentication system (see Section 8).
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR. As described in Section 2, your account existence in a smoking cessation service constitutes health-related information.
3.2 Health Data
To provide our smoking cessation service, we process health data that you share with the app. This includes:
- Session conversation content — the messages you send and the AI responses you receive during sessions
- Nicotine dependence assessments — your responses to standardized questionnaires used to personalize the program
- Craving tracking data — information you log about your cravings, such as intensity, context, and how you responded
- Smoking cessation progress — your smoke-free status, quit attempts, and related milestones
- AI-generated session summaries — recaps of your sessions, shown to you in the app
We only process the health data you choose to share with the app.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR.
3.3 Usage and Behavioral Data
To operate the service and understand how the app is used, we collect:
- Session data — session start and end times, duration, session type (regular or craving-support), completion reason
- Program progress — which stage of the program you are in
- Last active timestamp — when you last used the app
- Account creation time
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR. This data is necessary to deliver the structured session program and inherently reveals information about your smoking cessation journey.
3.4 Technical Data
When you use the app, our servers automatically collect:
- IP address — used for security and to route requests; not used for location tracking; not linked to your user account
- Application logs — technical telemetry for monitoring system health and diagnosing errors; these logs do not contain user IDs, session content, or any data that can be linked to your account
This is the only category of data we process that is not treated as health data. Because these logs cannot be linked to an identifiable user, they do not reveal whether any specific person uses a smoking cessation service. They are stored on our own EU-based infrastructure.
Legal basis: Legitimate interest, Art. 6(1)(f) GDPR. Our legitimate interest is ensuring the security and stability of the service.
4. How and Why We Process Your Data
4.1 To Provide the Smoking Cessation Service
We process your account data, health data, and session data to deliver the core Khema experience: guided sessions for smoking cessation, craving tracking, and progress monitoring.
Legal basis: Contract performance, Art. 6(1)(b) GDPR; explicit consent, Art. 9(2)(a) GDPR, for health data.
4.2 To Send You Transactional Emails
We use Google Workspace to send essential emails such as password reset requests and account verification. Only your email address is shared with Google for this purpose — no health data or session content is included in these transmissions.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR. Although the email content itself does not contain health data, your email address is processed in the context of a smoking cessation service.
4.3 To Send You Newsletters and Request Feedback
If you opt in during registration by checking the box reading "Yes, I'd like to receive occasional emails from Khema, such as tips to help me quit and feedback requests. Optional", we will send you:
- Tips and information to support your quit journey (approximately every two weeks)
- Occasional requests for feedback about the app
These emails are sent via Google Workspace. You can unsubscribe at any time by clicking the unsubscribe link at the bottom of any such email or by contacting us at datenschutz@khema.ai. Unsubscribing from newsletters does not affect your health data consent or your ability to use the service.
Legal basis: Consent, Art. 6(1)(a) GDPR. The decision to receive newsletters is separate from your health data consent. You can unsubscribe from newsletters without affecting your account or health data processing.
4.4 To Conduct Research
We share anonymized, aggregated usage statistics with selected research partners to support scientific research into smoking cessation. This data is fully anonymized and can no longer be linked to individual users. It includes only aggregate figures such as overall quit rates, average session counts, or usage patterns across the user base — never individual conversation content or personal details.
Because this data is anonymized in accordance with Recital 26 GDPR, it is no longer considered personal data and GDPR does not apply to its use.
5. How We Use AI
Khema uses a large language model (LLM) to deliver its sessions. This section explains what data is sent to the AI, what the AI produces, and how we monitor AI quality.
5.1 Data Sent to the AI
During a session, the following categories of data are included in the prompt sent to the LLM:
- Your profile information (such as your name)
- Your smoking cessation progress and history
- The current session's conversation history
- Summaries and context from previous sessions
This data is necessary for the AI to provide personalized, contextually appropriate responses.
LLM provider: Amazon Web Services (AWS), operating in the EU. AWS processes this data solely for inference — generating a response to the prompt. AWS does not use your data to train its models.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR.
5.2 Data Produced by the AI
Based on your sessions, the AI may generate additional outputs, including:
- Session summaries — recaps of your sessions, shown to you in the app
- Internal summaries — structured summaries used primarily by the AI to maintain context across sessions, and by our quality assurance team for quality review (not visible to you)
- Personalization data — key themes, milestones, or motivational insights extracted from your conversations, used to improve future sessions
You can always review and correct any AI-derived data shown in the app. If you believe any information is incorrect, you have the right to rectification under Art. 16 GDPR.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR. Internal summaries are additionally covered by the consent described in Section 6.
5.3 Automated Decision-Making
Khema uses automated decision-making as defined by Art. 22 GDPR in limited cases. The AI may evaluate session conversations to detect whether certain milestones or status changes occurred — for example, whether you relapsed and agreed to start a new quit attempt. This can trigger automated updates to your progress tracking (such as resetting your smoke-free timer) without human review.
- Significance and consequences: Automated decisions may update your cessation progress data. Your previous progress is recorded in your history.
- Your rights: You have the right to contest any automated decision. If your progress was updated incorrectly, contact us at datenschutz@khema.ai and we will manually review and correct it.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with contract performance, Art. 6(1)(b) GDPR. Transparency disclosure provided under Art. 13(2)(f) GDPR; substantive rights under Art. 22 GDPR.
6. AI Quality and Safety Monitoring
6.1 What We Monitor and Why
Khema is an AI-driven smoking cessation app. Unlike traditional apps, we must be able to review what the AI said to users and why. This is essential to:
- Detect harmful, inappropriate, or incorrect AI responses
- Verify that the AI follows the session structure we designed
- Ensure the safety and quality of the user experience
- Improve the AI's instructions and behavior over time
To do this, we use a self-hosted AI monitoring system running on our EU-based infrastructure to log AI interactions. This system records:
- LLM input — the full prompt sent to the AI, including conversation history (contains health data)
- LLM output — the full AI response (contains health data)
- Request metadata — such as user identifiers and timestamps
- Operational metrics — such as response performance and resource usage
This data is used for automated safety evaluations (Section 6.2), human review by our quality assurance team (Section 6.3), and service improvement (Section 6.4).
Retention: AI monitoring logs are retained for 180 days and then deleted. When you delete your account, all AI monitoring logs linked to your account are deleted immediately. If you use the "reset my data" feature (see Section 10.2), AI monitoring logs are not deleted — only a full account deletion removes them.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with consent, Art. 6(1)(a) GDPR. This processing is covered by the explicit consent you provide before account creation, which includes consent to AI quality and safety monitoring.
6.2 Automated Safety Evaluations
Using the data logged in Section 6.1, we run automated evaluations to detect potential safety issues and verify AI quality. These evaluations use a separate AI model to assess conversations for:
- Signs that a user may be in distress or at risk of harm
- Inappropriate, harmful, or off-topic AI responses
- Whether the AI followed the intended session structure for each session
These evaluations require processing your session conversations (which contain health data) as input. The evaluation results (e.g., "safety score: pass") are scores and flags — not new conversation content — and do not themselves contain your health data.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with consent, Art. 6(1)(a) GDPR. The evaluation process involves processing health data (your session conversations) and is covered by the consent you provide before account creation.
6.3 Human Review by Our Quality Assurance Team
A trained member of our team reviews session conversations (both your messages and the AI's responses) for the following purposes:
- Quality assurance — ensuring the AI provides appropriate guidance
- Safety — identifying conversations where the AI may have responded inappropriately
- Improving the AI — refining the instructions and prompts that guide the AI's behavior
This means that a human will read what you write in your sessions. This team member is bound by confidentiality obligations and a data processing agreement governing access to your health data.
Legal basis: Explicit consent, Art. 9(2)(a) GDPR, in conjunction with consent, Art. 6(1)(a) GDPR.
6.4 Service Improvement
We use anonymized and pseudonymized data from sessions to improve the Khema service. This includes analyzing conversation patterns to refine the AI's approach, testing improvements to the AI system, and developing new features.
Where health data is used for service improvement, it is pseudonymized (identifying details are separated from the content) or fully anonymized. Anonymized data that can no longer be linked to any individual is not subject to GDPR.
Legal basis: For pseudonymized data that remains personal data: explicit consent, Art. 9(2)(a) GDPR, in conjunction with consent, Art. 6(1)(a) GDPR. For fully anonymized data: GDPR does not apply (Recital 26 GDPR). Our interest is continuously improving the quality and effectiveness of the smoking cessation service.
7. Data Sharing and Third-Party Processors
We do not sell your data. We share personal data only with the service providers listed below, who process data on our behalf under data processing agreements in accordance with Art. 28 GDPR.
| Service Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, LLM inference | All data (encrypted at rest and in transit) | EU |
| Google Workspace | Transactional and newsletter emails | Email address | EU data processing; Google LLC is certified under the EU-US Data Privacy Framework |
Self-hosted services (running on our EU-based server cluster, not shared with third parties):
- Authentication system — self-hosted user identity and access management
- AI monitoring system — logging and reviewing AI interactions for safety and quality
- Application logging system — technical monitoring and error diagnosis
Research Partners
We share anonymized, aggregated statistics with selected research partners (see Section 4.4). Because this data is fully anonymized and cannot be linked to individual users, it does not constitute a data transfer of personal data under GDPR.
8. Social Login (SSO)
You may create a Khema account using your existing Google, Apple, or Microsoft account. If you choose to do so, the following applies:
8.1 How Social Login Works
All social logins are brokered through our self-hosted authentication system. Khema never communicates directly with Google, Apple, or Microsoft — the authentication system handles the connection.
When you use social login, we receive only standard profile data from the provider — your email address, first name, and profile picture (if available). We do not share any health data, session content, or smoking cessation information with your social login provider. How the provider processes your authentication request is governed by the provider's own privacy policy (see Section 8.5).
8.2 What Data We Receive and Store
We only store three fields from social login: your email address, first name, and profile picture (if available). What we receive depends on the provider:
- Google: Email address, first name, and profile picture. All three are stored.
- Apple: Email address and first name. Apple allows you to hide your real email address — if you choose this option, we receive and store an Apple-generated private relay address instead. Apple provides your first name only on your first sign-in. No profile picture is provided.
- Microsoft: Email address, first name, and profile picture (if set in your Microsoft account).
If a provider shares a profile picture, we store it as your account profile picture. You can change or remove it at any time in your account settings.
8.3 Your Choices
It is your choice whether to use social login. You can always sign up with an email address and password instead. You can disconnect your social login at any time by setting a password in your account settings, after which your account will use email and password authentication instead.
8.4 International Data Transfers
The authentication exchange may involve the transfer of profile data (email address, name, profile picture) to servers outside the EU. No health data is transferred during this exchange. Google LLC and Microsoft Corporation are certified under the EU-US Data Privacy Framework, providing an adequate level of data protection as recognized by the European Commission under Art. 45 GDPR. Apple Inc. relies on Standard Contractual Clauses as approved by the European Commission under Art. 46(2)(c) GDPR.
8.5 Provider Privacy Policies
The social login providers process your data according to their own privacy policies:
- Google: https://policies.google.com/privacy
- Apple: https://www.apple.com/legal/privacy/
- Microsoft: https://privacy.microsoft.com/privacystatement
Legal basis: Contract performance, Art. 6(1)(b) GDPR, for email address and first name, which are necessary to create and manage your account. Consent, Art. 6(1)(a) GDPR, for profile picture, which is optional and not necessary for the service. Once stored in your Khema account, this data is subject to the legal bases described in Section 3.1, including explicit consent under Art. 9(2)(a) GDPR for health data.
9. International Data Transfers
All personal data is stored and processed within the European Union. Our infrastructure runs on AWS in the EU and on a self-hosted EU-based server cluster.
Limited data may be processed outside the EU in the following cases:
- Google Workspace (email delivery): Your email address may be processed by Google LLC for sending transactional and newsletter emails.
- Social login providers (authentication exchange): If you use social login, profile data (email, name, profile picture) may be processed by Google LLC, Apple Inc., or Microsoft Corporation during the authentication exchange (see Section 8.4).
Google LLC and Microsoft Corporation are certified under the EU-US Data Privacy Framework, providing an adequate level of data protection as recognized by the European Commission under Art. 45 GDPR. Apple Inc. relies on Standard Contractual Clauses as approved by the European Commission under Art. 46(2)(c) GDPR.
We do not transfer health data outside the European Union.
10. Data Retention and Deletion
10.1 Retention Periods
| Data Category | Retention Period |
|---|---|
| Account data (email, name, birth date) | Until you delete your account |
| Health data (conversations, craving data, cessation progress, assessments) | Until you delete your account or reset your data |
| AI-generated outputs (summaries, personalization data) | Until you delete your account or reset your data |
| AI monitoring logs | 180 days, or until you delete your account (whichever is sooner) |
| Usage and behavioral data | Until you delete your account |
| Social login link (provider connection) | Until you delete your account or disconnect social login |
| Technical data (server logs, application logs) | 30 days |
| Newsletter consent record | Until you withdraw consent or delete your account |
10.2 Deleting Your Data
Account deletion: You can delete your account in the app settings. This immediately and permanently deletes all your data, including your account information, session conversations, health data, AI-generated outputs, and AI monitoring logs.
Reset my data: You can reset your data in the app settings. This deletes all your session conversations, health data, and AI-generated outputs, but keeps your account active so you can start fresh. Please note that AI monitoring logs are not deleted when you reset your data — they are only deleted when you fully delete your account or when the 180-day retention period expires.
11. Data Security
We implement technical and organizational measures to protect your data:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
- Encryption at rest: All data stored on our servers is encrypted.
- Access control: Access to personal data is restricted to authorized team members with a legitimate need.
- Self-hosted infrastructure: Our authentication system, AI monitoring, and application logging are all hosted on our own EU-based infrastructure — your data is not stored on third-party monitoring platforms.
- Password security: Your password is stored as a salted one-way hash. No one at Khema can read your password.
12. Your Rights
Under the GDPR, you have the following rights regarding your personal data. You can exercise these rights by contacting us at datenschutz@khema.ai or by using the relevant features in the app.
12.1 Right of Access (Art. 15 GDPR)
You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with supplementary information about the processing, including the purposes, categories of data, recipients, and retention periods. You can request a data export by emailing datenschutz@khema.ai. We will provide your data in a structured, machine-readable format (JSON).
12.2 Right to Rectification (Art. 16 GDPR)
You have the right to correct inaccurate personal data and to have incomplete personal data completed. For corrections or to provide supplementary information, contact us at datenschutz@khema.ai.
12.3 Right to Erasure (Art. 17 GDPR)
You have the right to request deletion of your personal data. You can delete your account directly in the app (see Section 10.2). We will delete your data without undue delay.
12.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request restriction of processing if you contest the accuracy of your data, if the processing is unlawful, if we no longer need the data but you need it for legal claims, or if you have objected to processing pending verification.
12.5 Right to Data Portability (Art. 20 GDPR)
Where processing is based on your consent or our contract with you and is carried out by automated means, you have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format (JSON) and to transmit it to another controller. Where technically feasible, you may also request that we transmit the data directly to another controller. Contact us at datenschutz@khema.ai.
12.6 Right to Object (Art. 21 GDPR)
You have the right to object to processing based on legitimate interest (Art. 6(1)(f) GDPR) on grounds relating to your particular situation. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for the establishment, exercise, or defence of legal claims.
12.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on your consent (particularly for health data processing), you may withdraw your consent at any time. You can do this by deleting your account in the app or by contacting us at datenschutz@khema.ai. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Please note that withdrawing your consent for health data processing will result in the termination of your account and the deletion of your data, as the smoking cessation service cannot be provided without processing health data. This is not an artificial restriction — it reflects the inherent nature of the service. A smoking cessation app cannot function without processing information related to your smoking behavior and cessation journey.
12.8 Right Regarding Automated Decision-Making (Art. 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The automated progress updates described in Section 5.3 are the only automated decision-making in Khema. You have the right to obtain human intervention, to express your point of view, and to contest any automated decision by contacting us at datenschutz@khema.ai.
12.9 Right to Lodge a Complaint (Art. 77 GDPR)
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. The competent authority for Khema is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2-4
40213 Düsseldorf
Germany
Phone: +49 (0) 211 38424-0
Email: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de
12.10 Response Time (Art. 12(3) GDPR)
We will respond to your requests within one month. If your request is particularly complex or we receive a large number of requests, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for the delay within the initial one-month period.
13. Young Users
Khema is intended for users aged 16 and older. We do not knowingly collect personal data from anyone under the age of 16. If you are located in the EU, you may only use Khema if you are at least 16 years old or have the consent of your parent or legal guardian.
If you are a parent and believe your child is using Khema without your permission, please contact us at datenschutz@khema.ai and we will delete the account.
14. Website
The Khema website (khema.ai) is a landing page that provides information about the app. The website does not use cookies, does not use analytics tools, and does not collect personal data beyond what is necessary to serve the webpage (see Section 3.4 regarding server logs).
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our service, or legal requirements. If we make material changes, we will notify you through the app before the changes take effect.
The date of the most recent update is shown at the top of this document. We encourage you to review this policy periodically.
16. Contact
If you have any questions about this Privacy Policy or about how we handle your data, please contact us:
Email: datenschutz@khema.ai
Postal address:
khema - Gabriel Zerbe
c/o Online-Impressum.de #4533
Europaring 90
53757 Sankt Augustin
Germany