Legal

Privacy Policy

Last updated: June 24, 2026

This Privacy Policy explains how Thesis Labs, LLC(“Thesis Labs,” “we,” “us,” or “our”) collects, uses, shares, and protects information in connection with the Kept mobile application and the related website at kept.do (together, the “Service”). By creating an account or using the Service, you agree to this Policy. If you do not agree, do not use the Service.

1. Who we are

The Service is operated by Thesis Labs, LLC, the data controller responsible for your information. You can reach us about privacy at privacy@thesis.do. Kept is an identity-first productivity app available primarily for iPhone.

2. Scope

This Policy applies to information we process when you use the Kept app and our website. It does not apply to third-party products, services, or websites that we do not control, even if you reach them through the Service. The Service is offered “as is” and “as available” (see Section 14).

3. Information we collect

We collect only what we need to provide the Service. The categories below describe what we may collect depending on the features you use.

3.1 Account and identity information

• Account identifiers. An email address and a unique account ID. You can sign in with an email one-time code, Sign in with Apple, or Sign in with Google. If you use Sign in with Apple, Apple may share a name and a relay email at your choice.
• Profile and identity details you provide. Display name, an optional profile photo (stored in our private cloud storage), your identity statement and goals, life areas, preferences, time zone, and unit settings.
• Optional personal characteristics. Date of birth, biological sex, gender identity, height, body composition, and activity baseline, where you choose to provide them for health and nutrition features.

3.2 Content you create

• Captures and the items they create.Tasks, subtasks, comments, goals, notes (including images you embed), folders, labels, calendar events, habits, focus sessions, mood entries, and saved “memories.” Storing the original text of a capture is optional and off by default; you control it with the “Store my capture text” setting.
• Meal photos and nutrition data. Photos you take for meal logging, the foods we identify, and estimated macros. Photos are processed for analysis and, if you save the meal, stored in our private cloud storage.

3.3 Health and fitness data (Apple Health)

If you connect Apple Health, we read selected categories you authorize, such as workouts, activity, steps, energy, heart rate, sleep, body mass, body composition, height, date of birth, and biological sex. We request read access only. We sync daily summaries needed for your insights, not your raw, continuous health streams. We never use Health data for advertising or share it for advertising purposes. You can disconnect at any time in the app and in iOS Settings.

3.4 Integrations

• Google Calendar (optional). If you connect it, we store OAuth tokens and sync event details (including titles, times, locations, descriptions, and attendee information) so your calendar appears in Kept.
• Apple Calendar (optional). If you grant access, calendar events are read and displayed on your device only and are not uploaded to our servers.
• Push notifications (optional). If you enable them, we store a device push token to deliver reminders and nudges.

3.5 Usage, diagnostics, and device information

• First-party analytics. Product events (for example, opening the app or completing a task) with small, non-sensitive properties. These events do not include the raw text of your captures.
• AI feedback you provide. If you rate an AI result — for example, a thumbs-up or thumbs-down on a suggested classification, an insight, a briefing, or a coaching reply — we record that rating and an optional short reason so we can measure and improve the quality of our AI.
• AI operations telemetry. For each AI request, we record technical metadata about the model call — which model ran, token counts, latency, estimated cost, and whether it succeeded — so we can monitor quality, performance, and cost. This operational telemetry does notinclude the content of your captures, messages, or the model’s responses.
• Aggregated product metrics. We combine the usage and diagnostic signals above into aggregate, de-identified metrics — counts, rates, percentiles, and averages — to understand product health on our internal dashboards. These aggregates do not contain your notes, capture text, or other personal content.
• Performance and crash diagnostics. Aggregated crash and performance metadata such as operating system version, app version, and error type, via Apple MetricKit.
• Website analytics. On our website only, we use analytics and session tools to understand how visitors use the marketing pages.

4. How we use information

• Provide, maintain, secure, and improve the Service.
• Run the features you request, including routing captures and generating insights.
• Personalize plans, coaching, nutrition, and recommendations.
• Send service messages and, if enabled, reminders and nudges.
• Prevent fraud and abuse and enforce our terms.
• Comply with legal obligations.

5. Artificial intelligence processing

Kept uses AI to interpret your input and generate helpful output. Depending on the feature and your settings, content such as capture text, meal photos, coaching messages, and the context used to build plans and memories may be sent to our AI providers (currently OpenAI and Anthropic) through our own server to produce a result for you. We do not authorize these providers to use your content to train their general models, and we contract for limited, processing-only use. Some processing happens on your device (using Apple’s on-device models where available), and you can restrict cloud processing with the On-device only setting, which limits certain AI-powered features. We also keep operational records of each AI request — such as the model used, token counts, latency, estimated cost, and the outcome — to monitor quality, reliability, and cost; these records do not include your content. AI output can be inaccurate; you are responsible for reviewing it.

6. How we share information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only as follows:

• Service providers (sub-processors) who process data on our behalf under contract, including:
  • Supabase · database, authentication, and file storage.
  • Vercel · application hosting and our API.
  • OpenAI and Anthropic · AI processing of the content described above.
  • Apple · sign-in and push notification delivery (APNs).
  • Google · sign-in and Google Calendar synchronization, if you connect them.
  • Resend · delivery of sign-in and account emails.
  • USDA FoodData Central and Open Food Facts · food and nutrition lookups (search terms only; no account identifiers).
• Legal and safety. When we believe disclosure is required by law or necessary to protect rights, safety, or the integrity of the Service.
• Business transfers. In connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
• With your direction. When you choose to share or connect a third-party service.

7. Your choices and controls

• Turn capture-text storage on or off in Settings.
• Enable “On-device only” to limit cloud AI processing.
• Manage or disable push notifications in the app and iOS Settings.
• Connect or disconnect Apple Health and Google Calendar at any time.
• Ask Kept to “forget” saved memories.
• Request access to or deletion of your account and data by emailing privacy@thesis.do.

8. Your privacy rights

8.1 California residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect and how we use and disclose it, to request access to and deletion or correction of your personal information, and to not be discriminated against for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising, and we do not knowingly process the personal information of minors for such purposes. To exercise your rights, contact us at privacy@thesis.do. We will verify your request using information associated with your account, and you may use an authorized agent.

8.2 EEA, UK, and Switzerland (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, Thesis Labs, LLC is the controller of your personal data. We process it on the legal bases of performance of our contract with you, your consent (which you may withdraw at any time), our legitimate interests in operating and improving the Service, and compliance with legal obligations. You have the rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with your supervisory authority. Where we transfer data outside your region, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses. To exercise your rights, contact privacy@thesis.do.

9. Data retention

We keep personal information for as long as your account is active or as needed to provide the Service, and afterward only as required to comply with legal obligations, resolve disputes, and enforce our agreements. When you delete your account or request deletion, we delete or de-identify your personal information within a commercially reasonable period, except where retention is required by law. Backups are purged on a rolling schedule.

10. Security

We use technical and organizational measures designed to protect your information, including encryption in transit, encryption at rest, and row-level access controls so users can access only their own data. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

11. International data transfers

We and our service providers may process and store information in the United States and other countries that may have data protection laws different from those in your jurisdiction. Where required, we use appropriate safeguards for these transfers.

12. Children’s privacy

The Service is not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact privacy@thesis.do and we will take appropriate steps to delete it.

13. Third-party links and services

The Service may link to or interoperate with third-party products and services. Their privacy practices are governed by their own policies, and we are not responsible for them.

14. Health and informational disclaimer

Kept’s nutrition, fitness, and coaching content is for informational and general wellness purposes only. It is not medical, nutritional, or professional adviceand is not a substitute for consultation with a qualified professional. Do not rely on the Service for medical decisions. The Service and all content are provided “as is” and “as available” without warranties of any kind, to the maximum extent permitted by law.

15. Limitation of liability and governing law

To the maximum extent permitted by applicable law, Thesis Labs, LLC and its officers, members, employees, and agents will not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of data, profits, or goodwill, arising out of or relating to your use of the Service. This Policy is governed by the laws of the State of California, without regard to its conflict-of-laws rules, and any dispute will be resolved in the state or federal courts located in California, unless applicable law requires otherwise. If any provision of this Policy is found unenforceable, the remaining provisions remain in full effect.

16. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

17. Contact us

Thesis Labs, LLC
Email: privacy@thesis.do
Web: thesis.do