Privacy Policy

Last updated: March 2026

1. Who we are

Kyoshi (“we”, “us”, “our”) operates the kyoshi.app platform, a session booking service for independent practitioners and their clients.

2. Data we collect

  • Account data: Name, email address, profile photo, timezone.
  • Authentication data: Google OAuth tokens (encrypted in Supabase Vault), password hashes for email/password accounts.
  • Booking data: Session times, booking messages, cancellation history.
  • Payment data: Processed by Stripe. We store wallet balances and transaction history but never your card details.
  • Calendar data: Google Calendar free/busy information for availability checks (not event content).

3. How we use your data

  • Provide the booking and payment services.
  • Send transactional emails (confirmations, reminders, cancellations).
  • Check calendar availability to prevent double-bookings.
  • Generate Google Meet links for sessions.

4. Legal basis (GDPR)

  • Contract: Processing necessary to provide the booking service.
  • Legitimate interest: Platform security, fraud prevention, service improvements.
  • Legal obligation: Financial record retention (7 years).
  • Consent: Google Calendar access, marketing emails (if any).

5. Data sharing

We share data only with service providers necessary to operate the platform:

  • Supabase: Database and authentication hosting.
  • Stripe: Payment processing.
  • Google: Calendar integration and video conferencing (Meet).
  • Resend: Transactional email delivery.
  • Vercel: Application hosting.

We do not sell your data to third parties.

6. Data retention

  • Active account data: retained while your account is active.
  • Deleted accounts: profile anonymised immediately; anonymised financial records retained for 7 years.
  • Booking messages: deleted on account deletion.

7. Your rights

Under GDPR, you have the right to:

  • Access: View your data (Settings → Export My Data).
  • Portability: Download your data as JSON.
  • Erasure: Delete your account (Settings → Delete Account).
  • Rectification: Update your profile in Settings.
  • Withdraw consent: Disconnect Google Calendar in Settings.

8. Cookies

We use only strictly necessary cookies for authentication and session management. No tracking or advertising cookies are used.

9. Security

We implement industry-standard security measures including encrypted token storage, rate limiting, CSRF protection, and input validation. Payment data is handled entirely by Stripe (PCI DSS compliant).

10. Contact

For privacy inquiries, contact us at hello@kyoshi.app.