Your health data stays yours.
Security isn't a feature we added — it's how Kelda was built from day one.
Encrypted at Rest & In Transit
All health data is encrypted using AES-256 at rest and TLS 1.3 in transit. Server-side access is controlled by role-based security policies and limited to AI analysis operations.
Row-Level Isolation
Every user's data is isolated at the database level using row-level security policies. You can only see your own data. Admin access is audit-logged and restricted to operational necessity.
No Data Selling. Ever.
We do not sell, share, license, or monetize your personal health data. Your data exists to serve you — that's it. Our business model is subscriptions, not data brokering.
Full Data Export & Deletion
You can export all of your data at any time. You can delete your entire account and all associated data at any time. Deletion is permanent and irreversible.
SOC 2 Compliant Infrastructure
Kelda runs on infrastructure that maintains SOC 2 Type II compliance. Authentication is handled via industry-standard OAuth 2.0 with PKCE.
Minimal Data Collection
We collect only what's needed to provide the service: your email, health data you choose to upload, and chat conversations. No tracking pixels, no ad networks, no third-party analytics on your health data.
How We Protect Your Data
Authentication Security
Sign-in is protected by Supabase Auth with built-in rate limiting (30 sign-ups/hour, 30 sign-ins/5 minutes). Email verification is required before account activation. All sessions use secure, httpOnly cookies with PKCE-based OAuth 2.0.
AI Processing
Health data sent to our AI is processed via Anthropic's commercial API. Anthropic does not train on API data. Data is encrypted in transit and not retained beyond the request window. See our Privacy Policy for full details.
Abuse Monitoring
We maintain audit logs of chat interactions (message previews only, not full content) to detect and prevent misuse. Concerning content is automatically flagged for review. All audit data is access-restricted and not visible to other users.
Incident Response
In the event of a data breach, we will notify affected users within 72 hours, report to relevant authorities, and provide full transparency about what happened and what we're doing about it. Contact security@kelda.ai for security concerns.
Backups & Recovery
Your data is backed up daily via Supabase's managed backup system. Point-in-time recovery is available. In the event of data corruption, we can restore to the most recent backup within hours.
Have a security concern?
If you've found a vulnerability or have questions about how we handle your data, please reach out.