
Privacy Policy

Effective Date: April 28, 2026 · Version: 1.0-Beta · Last Updated: April 26, 2026

1. Overview

Kreev Informatics Inc. ("Kreev", "we", "our", or "us") operates the Kreev mobile application ("App"), available on iOS. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

Kreev is a personal health informatics tool. It is not a medical device and does not provide medical advice, diagnosis, or treatment.

1.1 Beta Program Notice

Kreev is currently distributed as a closed beta through Apple's TestFlight program. The beta is offered exclusively to residents of Alberta, Canada. If you are not a resident of Alberta, you are not eligible to participate in this beta and should not enroll. By participating in the beta, you understand and agree that:

  • The App is pre-release software and may contain bugs, incomplete features, or unexpected behavior.
  • Recovery Scores, Stress Index values, and AI narratives generated during the beta period may be revised, recomputed, or temporarily unavailable as we tune the underlying algorithms.
  • Kreev is not a medical device, does not provide medical advice, and is not a substitute for professional healthcare. This is true at all times, but particularly during the beta period when the App may produce unexpected outputs. You agree to continue following your physician's advice and to not make medical decisions based on Kreev's outputs.
  • We may collect additional diagnostic information (crash logs, performance metrics, feature usage) during the beta period to identify and resolve issues. This diagnostic data is described in Section 2.7 below.
  • Apple's TestFlight platform automatically collects crash reports and any feedback you submit through the TestFlight app. This information is governed by Apple's privacy policy in addition to ours. See apple.com/legal/privacy/ for details.

The beta program may end, change, or transition to a public release at any time. We will notify you in advance of any such transition.

2. Information We Collect

2.1 Health Data (via Apple HealthKit)

With your explicit permission, Kreev reads the following data types from Apple HealthKit:

  • Resting Heart Rate (bpm)
  • Heart Rate Variability — RMSSD (ms)
  • Sleep Duration, Sleep Quality, and Deep Sleep Percentage
  • Step Count and Active Zone Minutes
  • Respiratory Rate (breaths per minute)
  • VO2 Max (ml/kg/min)

Kreev v1.0-Beta supports Apple HealthKit only. Data must be synced to HealthKit by an Apple Watch or another HealthKit-compatible source. Support for additional wearable platforms (such as Whoop, Oura, or Garmin) may be added in future releases and will be disclosed at that time.

This data is used exclusively to compute your personal Recovery Score and Autonomic Intelligence metrics. We do not use HealthKit data for advertising, marketing, or any purpose unrelated to providing the Kreev service.

2.2 Account Information

When you create an account via Apple Sign-In, we receive:

  • A unique Apple User ID (anonymized identifier)
  • Display name and email address (only if you choose to share them via Apple Sign-In)

2.3 Profile Data

You may optionally provide:

  • Age and biological sex — used solely to compute age- and sex-adjusted VO2 Max percentile rankings per ACSM guidelines

2.4 Usage Data

We collect anonymized app usage analytics (screen views, feature interactions) via Firebase Analytics to improve the app experience. This data does not include your health metrics.

2.5 Device Data

We collect standard device identifiers used for push notification delivery (Firebase Cloud Messaging token). These are not linked to your health data.

2.6 Payment Information

Subscription payments are processed by Apple via in-app purchase (StoreKit). Kreev does not collect, store, or have access to your credit card number or payment credentials. We receive a transaction receipt and subscription status from RevenueCat (our subscription management provider) to determine your entitlement to Sentinel features. RevenueCat's privacy policy is available at revenuecat.com/privacy.

2.7 Beta Diagnostic Data

During the beta program, we collect additional diagnostic information to identify and resolve issues:

  • Crash reports via Apple TestFlight. These are processed by Apple and made available to us in aggregated form.
  • Application logs containing non-personal technical details (timestamps, error codes, request/response status). These do not include your health metrics or personally identifiable information.
  • Feedback you voluntarily submit through the TestFlight feedback feature or by emailing feedback@kreev.app. If you include screenshots, these may contain UI showing your own metric values; we will treat such submissions as confidential beta feedback.

Beta diagnostic data is retained for the duration of the beta program plus 90 days, after which it is deleted.

3. How We Use Your Information

Purpose | Data Used
Compute daily Recovery Score | HRV, RHR, Sleep, Steps, Respiratory Rate
Generate AI wellness narratives | Anonymized metric values (no names or identifiers)
Display VO2 Max percentile ranking | VO2 Max + age + biological sex
Send Guardian Alerts (optional) | Recovery Score threshold breach
Authenticate your account | Apple User ID
Manage your subscription | Anonymous user ID, subscription status (via RevenueCat)
Improve the app | Anonymized usage analytics

4. AI-Generated Narratives

Kreev uses Google Gemini (Google LLC) to generate personalized wellness narratives. When generating a narrative, we transmit anonymized metric values only (e.g., "HRV: 62ms, RHR: 47bpm") — no names, email addresses, or account identifiers are included in these requests.

Google does not use data submitted through the Gemini API to train or improve its models. Prompts and responses are processed transiently and are not retained beyond temporary caching for service delivery. No personal data is included in AI requests — only anonymized metric values without names, identifiers, or demographic data.

Google's use of this data is governed by the Google Cloud Privacy Notice and the Gemini API Additional Terms of Service.

5. Data Storage and Security

Your health metrics and recovery scores are stored on Google Cloud Platform (GCP) Cloud SQL servers located in the us-central1 region (United States). Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

If you access Kreev from outside the United States, your data will be transferred to and processed in the United States. By using Kreev, you consent to this transfer. Google Cloud maintains appropriate safeguards for international data transfers, including Standard Contractual Clauses.

Authentication is managed by Google Firebase Authentication. Kreev does not store your Apple ID credentials.

Access to member health data is restricted to authorized personnel who require it for service operation, debugging, or support. Access events are logged.

Backups

Your data is included in encrypted automated backups of our database, retained for 14 days. Backups are stored within Google Cloud Platform's encrypted backup infrastructure in the same region as the primary database (us-central1). Backups are used solely for disaster recovery and are never used to restore deleted user accounts. If we restore from a backup, any account deletions performed since the backup snapshot are re-applied as part of the restore procedure.

Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users within 72 hours where feasible, and in compliance with applicable breach notification laws.

6. Data Sharing

We do not sell your personal data. We share data only with the following service providers, strictly for the purpose of operating the Kreev service:

Provider | Purpose | Data Shared
Google Cloud Platform | Backend infrastructure and database hosting | Health metrics, Recovery Scores
Google Firebase | Authentication and push notifications | Account identifiers, device tokens
Google Gemini API | AI narrative generation | Anonymized metric values only
RevenueCat | Subscription management | Anonymous user ID, subscription status, transaction receipts
Apple TestFlight (Beta only) | Beta distribution and crash reporting | Crash logs, beta feedback

No health data is shared with advertisers, data brokers, or any third party beyond the above.

6.1 Law Enforcement Requests

We will not voluntarily disclose your personal data to any government entity. We will only provide data in response to a valid, legally binding request (e.g., court order or subpoena). Where permitted by law, we will notify you before disclosing your data.

7. HealthKit-Specific Commitments

In compliance with Apple's HealthKit guidelines:

  • HealthKit data will never be used for advertising or sold to third parties
  • HealthKit data will never be shared with third parties except as described in Section 6, solely to provide the Kreev service
  • HealthKit data will not be used to build user profiles for purposes unrelated to health and fitness

8. Data Retention

Your data is retained for as long as your account is active. You may request full deletion at any time (see Section 9).

When you delete your account, the following sequence occurs:

  1. Within minutes — all live data (health metrics, Recovery Scores, profile, AI narratives, device tokens) is permanently removed from our active database, and your Firebase Authentication identity associated with Kreev is deleted. After this step you can no longer sign in with your previous account, even on the same Apple ID.
  2. Within 14 days — all encrypted backup copies containing your data age out of our backup retention window. After this point, your data no longer exists in any Kreev system.
  3. We log each deletion request (without retaining the deleted data itself) for compliance audit purposes. The audit log records only an opaque deletion token and the deletion timestamp — not your account identifier.

Beta diagnostic data is retained per Section 2.7.

9. Your Rights

You have the following rights regarding your personal data:

  • Right to access — You may request a copy of the health data we store about you by contacting privacy@kreev.app.
  • Right to correction — You may request correction of inaccurate profile data (such as age or biological sex) by updating your profile in the App or contacting privacy@kreev.app.
  • Right to deletion — You may permanently delete your account and all associated data at any time. In the Kreev app, go to Settings → Delete Account → Purge Vault. This permanently deletes all health metrics, Recovery Score history, account profile and preferences, AI-generated narratives, push notification tokens, and your Firebase Authentication identity linked to Kreev. This action is irreversible — data cannot be recovered after deletion, and you cannot sign back in to your previous account.
  • Right to withdraw consent — You may revoke HealthKit access at any time via iPhone Settings → Privacy & Security → Health → Kreev. You may also revoke AI narrative generation by contacting privacy@kreev.app.
  • Right to data portability — You may request an export of your stored data by contacting privacy@kreev.app. We will provide your data in a commonly used, machine-readable format within 30 days of your request.

10. Children's Privacy

Kreev is not directed at individuals under 18. We do not knowingly collect personal information from persons under 18. If you believe a minor has provided us with personal information, please contact us immediately.

11. International Privacy Rights

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect about you
  • Request deletion of your personal information
  • Opt out of the sale of your personal information
  • Opt out of automated decision-making technology (ADMT) — see Section 11.1 below

Kreev does not sell personal information. To exercise your rights, use the Purge Vault feature in the App or contact privacy@kreev.app.

11.1 Automated Decision-Making Technology (ADMT) — CPRA 2026

Kreev uses automated decision-making technology to compute your Recovery Score and Stress Index. Under the California Privacy Rights Act (CPRA) regulations effective 2026, you have the right to:

  • Opt out of automated profiling — You may request that Kreev stop computing automated scores from your biometric data. To opt out, contact privacy@kreev.app. Note: opting out will disable the Recovery Score, Stress Index, and AI narrative features, as these require automated processing of your health metrics.
  • Meaningful information about scoring logic — Kreev's Recovery Score is computed using Z-score methodology: each day's biometric readings (HRV, Resting Heart Rate, Sleep, Steps, Respiratory Rate) are compared to your personal rolling baseline — your own historical average over the preceding 7–60 days. The Z-score measures how far today's value deviates from your normal. These Z-scores are weighted and mapped to a 0–100 Recovery Score. Stress Index is derived as the inverse of recovery. No population-level norms or demographic profiling are used in score computation. Full details of our scoring methodology and fairness approach are available in our Algorithm Transparency section.
  • Right to access ADMT outputs — You may request a copy of all automated scores and AI-generated narratives associated with your account by contacting privacy@kreev.app.

Washington Residents (MHMDA)

If you are a Washington state resident, additional protections apply to your consumer health data under the My Health My Data Act (MHMDA). Please refer to our standalone Consumer Health Data Privacy Policy for your full rights, including the right to know, access, delete, and withdraw consent for consumer health data collection.

European Residents (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, our legal basis for processing health data is your explicit consent (Article 9(2)(a) GDPR), provided when you grant HealthKit permissions. You have the right to access, rectify, erase, restrict processing, object to processing, and data portability. To exercise any of these rights, contact privacy@kreev.app.

Canadian Residents (PIPEDA / CPPA)

Kreev complies with the Personal Information Protection and Electronic Documents Act (PIPEDA). When Bill C-27 (Consumer Privacy Protection Act / Artificial Intelligence and Data Act) receives Royal Assent, Kreev will comply with all applicable requirements, including enhanced transparency obligations for automated decision-making systems. Until then, our algorithmic fairness approach is described in Section 13 (Algorithm Transparency) of this policy.

12. Cookies and Tracking Technologies

The Kreev iOS app does not use browser cookies. We use Firebase Analytics to collect anonymized usage data as described in Section 2.4. Firebase Analytics may use device identifiers for analytics purposes. No advertising identifiers are collected.

13. Algorithm Transparency

Kreev uses the following automated processes to generate outputs from your health data:

13.1 Recovery Score

Your daily Recovery Score (0–100) is computed by comparing each biometric metric against your personal rolling baseline using Z-score normalization. This means your score reflects how today compares to your own recent history — not how you compare to a population average. The formula does not use your age, sex, ethnicity, or any demographic attribute.

When a metric is missing (e.g., sensor not worn), the system substitutes your personal baseline average, producing a neutral contribution (50 points). Your score is never penalized for missing data.

13.2 Stress Index

The Stress Index is derived from four weighted components (HRV, Resting Heart Rate, Sleep, and Activity), each normalized against your personal baseline. Higher deviation from your normal patterns in a negative direction produces a higher stress reading.

13.3 AI Wellness Narratives

Narratives are generated by Google Gemini using only anonymized metric values (e.g., "HRV: 62ms, RHR: 47bpm"). No names, identifiers, or demographic data are included in the AI prompt. Narratives use analytical, observational language only — they do not provide medical advice or diagnoses.

13.4 VO2 Max Percentile

This is the only feature that uses population-level data. If you optionally provide your age and biological sex, Kreev displays your VO2 Max percentile based on published ACSM reference tables. This metric is supplementary and is not used in Recovery Score computation.

14. Changes to This Policy

We will notify you of material changes to this Privacy Policy via an in-app notification or email. Continued use of the app after changes constitutes acceptance of the updated policy.

15. Contact

For privacy-related questions or requests:

  • Email: privacy@kreev.app
  • Website: www.kreev.app

© 2026 Kreev Informatics Inc.

Kreev is not a medical device. Scores and narratives are personal informatics, not clinical assessments.