Your Health Data is Sacred

We built Kelda on a simple principle: your health data belongs to you, not us.

Encrypted in Transit & at Rest

All data is encrypted via TLS 1.3 in transit and AES-256 at rest on Supabase infrastructure. Server-side access is controlled by role-based security policies.

Your Data is Yours

Export everything at any time. Delete everything at any time. No questions asked.

No Selling to Third Parties

We will never sell, rent, or share your health data with advertisers, insurers, or anyone else.

Industry Best Practices

Our infrastructure (Supabase, Vercel) maintains SOC 2 Type II compliance. Row-level security ensures strict data isolation between users.

Data Handling in Plain Language

What We Collect

We collect only what you choose to share: lab results, medications, symptoms, and health device data if you connect wearables. We also collect basic account information (email, password hash) and usage analytics to improve the product.

How We Use It

Your health data is used for one purpose: to generate insights for you. We use aggregated, de-identified data to improve our AI models and optimal range calculations, but never in a way that could identify you.

Who Can See It

Only you. And authorized members of our security team in extraordinary circumstances (e.g., legal requirement, security threat). We log every access.

How Long We Keep It

As long as your account is active, or as long as needed to comply with legal obligations. When you delete your account, we delete your data within 30 days. Permanently.

Your Rights

  • Request a copy of all your data
  • Correct inaccurate data
  • Delete your data and account
  • Export your data in a portable format
  • Opt out of research uses of de-identified data

AI Processing & Third Parties

Kelda uses Anthropic's Claude API to analyze your health data and generate insights. When you send a message in the chat, your message and relevant health context are transmitted to Anthropic's servers for processing.

  • Anthropic does not train their AI models on data sent through their commercial API.
  • Your data is encrypted in transit (TLS 1.3) and is not stored by Anthropic beyond the duration of the request.
  • Anthropic may retain API logs for up to 30 days for safety monitoring, after which they are deleted.
  • For full details, see Anthropic's Privacy Policy.

We do not share your health data with any other third parties. Our infrastructure runs on Vercel (hosting) and Supabase (database), both SOC 2 Type II compliant.

Lab Documents & Uploads

When you upload lab documents (PDFs or images), they are stored securely in encrypted cloud storage. The content is extracted by AI to create structured data in your account. You can delete all uploaded documents at any time via your account settings. When you delete your account, all uploaded documents are permanently removed.

Data Sensitivity Classification

All health data in Kelda is treated as sensitive personal information. We apply the same encryption, access controls, and retention policies regardless of data type — whether it's routine lab results, mental health notes, or medication records. If genetic data features are added in the future, additional protections will be applied in compliance with GINA (US) and equivalent regulations.

Incident Response

In the unlikely event of a data breach affecting your personal health information:

  • We will notify affected users within 72 hours of confirming the breach, as required by GDPR.
  • We will report to relevant data protection authorities where required.
  • We will provide a clear description of what happened, what data was affected, and what steps we're taking.
  • Contact: security@kelda.ai

Cookie Policy

Kelda uses only essential cookies required for authentication (Supabase session tokens). We do not use tracking cookies, advertising cookies, or third-party analytics cookies on your health data. You can manage cookie preferences at any time via the cookie banner.