Privacy Policy
Last updated: April 2026
kynikOS (“we,” “us,” or “our”) is a personal concierge service that acts on your behalf — scheduling, booking, coordinating, and managing life logistics. This Privacy Policy explains how we collect, use, store, and protect your information, including health and fitness data from connected devices.
1. Information We Collect
We collect the following categories of information:
Account information
- Telegram account details (display name, user ID)
- Contact information you provide (email, phone number)
Messages and instructions
- Messages you send to kynikOS via Telegram or other channels
- Preferences, constraints, and goals you express
- Photos and files you share for processing
Calendar and scheduling data
- Events from connected calendars (Google Calendar, iCal, etc.)
- Bookings and appointments created on your behalf
- Availability and scheduling preferences
Health and fitness data
- Activity data from Garmin Connect (the only wearable/fitness integration currently supported)
- Sleep data, heart rate, steps, and training metrics from Garmin Connect
- Nutrition information you log (meals, photos, macronutrient data)
- Recovery scores and health metrics synced from Garmin Connect
Action and audit data
- Records of all actions taken on your behalf (calls made, emails sent, bookings placed)
- Voice call recordings and transcripts (when kynikOS calls businesses for you)
- Execution logs and outcomes
2. How We Use Your Information
We use your information solely to provide and improve the kynikOS service:
- Execute tasks on your behalf — making bookings, phone calls, sending emails, managing your calendar
- Learn your preferences — understanding your routines, constraints, and priorities to act more effectively over time
- Health and fitness insights — using data from connected devices to optimize scheduling around your training, recovery, and well-being
- Coordination — helping you coordinate schedules with family, friends, and other kynikOS users (only with your explicit permission)
- Audit and transparency — maintaining a complete log of all actions for your review
- Service improvement — analyzing usage patterns (in aggregate) to improve the service
We do not use your data for advertising, profiling for third parties, or any purpose unrelated to providing you with the kynikOS service.
3. Health and Fitness Data
Health and fitness data from connected devices and services (collectively “Health Data”) is treated under stricter rules than any other category of data described in this Policy. At the date of this Policy, the only wearable/fitness integration supported by kynikOS is Garmin Connect; kynikOS does not integrate with Apple Health, Google Fit, Fitbit, Oura, Whoop, or any other comparable service, and does not receive Health Data from any such source. The commitments in this Section 3 apply in addition to, and where inconsistent override, the provisions of Section 6 (Information Sharing) and Section 11 (International Data Transfers).
What Health Data includes
- Sleep, heart rate, heart-rate variability (HRV), respiration, SpO2, stress, and Body Battery metrics
- Activity, workout, and training data (including GPS tracks, power, pace, cadence, and FIT-file derived metrics)
- Recovery, training readiness, training load, and training status indicators
- Body composition, weight, and wellness measurements
- Cycle and women's health data
- Any insights, summaries, or derived values computed by kynikOS directly from the above
How Health Data is handled
- No third-party sharing. Health Data is never sold, rented, licensed, disclosed, transferred, or otherwise made available to any third party, including affiliates, advertisers, brokers, analytics providers, insurers, employers, or other data processors, except (i) to infrastructure providers strictly necessary to operate kynikOS's own systems (e.g. encrypted database hosting), bound by written data processing agreements and prohibited from any independent use of the data, or (ii) where required by law.
- No external AI processing. Health Data is never sent to, processed by, made available to, or used to train any external artificial-intelligence, machine-learning, or large-language-model service or provider, including without limitation OpenAI, Anthropic, Google (Gemini/Vertex AI), Meta, Mistral, Cohere, xAI, or any comparable service. Any AI-assisted features operating on Health Data are executed on kynikOS's own infrastructure using models under kynikOS's direct control.
- Purpose limitation. Health Data is used exclusively to deliver the user-facing features you have enabled: morning recovery briefings, training program management, activity tracking and attribution, recovery-aware scheduling, and personal health baselines. It is never used for advertising, profiling for third parties, insurance or employment decisions, or any purpose unrelated to your own use of kynikOS.
- Collection is opt-in. Health Data is only collected after you explicitly connect a device or service and grant the corresponding permissions. You can disconnect any source at any time from your dashboard.
- Storage. Health Data is stored encrypted at rest in databases controlled by kynikOS and hosted in the EU. Access is restricted to automated systems acting on your behalf and a small number of authorised personnel under confidentiality obligations.
- Retention and deletion. Health Data is retained only while the corresponding source is connected. On disconnection or on your request, all associated Health Data is deleted within 30 days, subject to any legal retention obligation.
- No cross-border AI transfer. Because Health Data is never sent to external AI providers, it is not transferred outside the EU for AI processing. Any infrastructure-provider transfers are governed by Standard Contractual Clauses.
3.1 Garmin Connect Data
Data obtained through the Garmin Connect Developer Program API (“Garmin Data”) is Health Data and is therefore fully subject to the commitments in Section 3 above. In particular, and in accordance with the Garmin Connect Developer Program requirements:
- Garmin Data is never shared with, or otherwise made available to, any third party, and is never processed by any third-party data processor, beyond the limited infrastructure-provider exception described in Section 3 above.
- Garmin Data is never sent to, processed by, or used to train any external AI or LLM provider (including OpenAI, Anthropic, Google, or any comparable service).
- Garmin Data is processed exclusively within kynikOS's own infrastructure, solely to provide the features described in Section 3 above to the individual user the data belongs to.
- Garmin Data is attributed to Garmin in accordance with the Garmin Brand Guidelines wherever it is displayed (primary dashboards, detail views, charts, and derived insights).
- The Garmin Connect connection can be revoked at any time from your dashboard or from Garmin Connect; upon revocation (whether initiated by you, by Garmin, or as a result of termination of kynikOS's access to the Garmin Connect Developer Program), all Garmin Data held by kynikOS will be deleted within 30 days.
- kynikOS does not aggregate, anonymise, pseudonymise, or otherwise transform Garmin Data for sale, licensing, benchmarking, or the creation of derivative datasets; nor does it use Garmin Data to develop products that compete with Garmin, or to train any general-purpose model, whether internal or external.
3.2 Explicit Consent for Special-Category Data
Health Data qualifies as a special category of personal data under Article 9 of the GDPR. By connecting a health source (currently Garmin Connect) you give your explicit consent under Article 9(2)(a) GDPR to the processing of that data by kynikOS for the purposes described in this Section 3. You may withdraw this consent at any time by disconnecting the source from your dashboard; withdrawal does not affect the lawfulness of processing carried out before withdrawal.
3.3 No Medical Advice; Not a Medical Device
kynikOS is a personal productivity and concierge service. It is not a medical device within the meaning of Regulation (EU) 2017/745 (MDR), the US Food, Drug, and Cosmetic Act, or any equivalent legislation, and is not intended for the diagnosis, prevention, monitoring, prediction, prognosis, treatment, or alleviation of any disease, injury, or disability. Recovery briefings, training suggestions, nudges, summaries, and any other health-related output are informational and lifestyle-oriented only and do not constitute medical advice, diagnosis, or treatment. You should always consult a qualified healthcare professional before making decisions that affect your health, and you should not disregard or delay seeking professional advice because of anything produced by kynikOS.
4. Actions Taken on Your Behalf
kynikOS executes actions on your behalf — making bookings, sending emails, placing voice calls, creating calendar events, and coordinating with businesses and other kynikOS users. The following framework governs those actions:
- Agency. When kynikOS contacts a third party in your name, it acts as your authorised agent, with you as the principal. You are responsible for the instructions you give and for reviewing the actions taken. You may revoke this authority, in whole or for a specific action, at any time.
- Human oversight (GDPR Art. 22). Actions executed by kynikOS do not constitute solely-automated decisions producing legal or similarly significant effects on you. You remain in the loop through (i) the instructions you issue, (ii) approval requests surfaced before high-impact actions, (iii) a complete audit log available in your dashboard, and (iv) the ability to cancel, reverse, or contest any action.
- AI limitations. kynikOS's agent is powered by large language models and other AI components, which can produce incorrect, incomplete, or unexpected outputs. You should review the actions proposed or executed, in particular those involving bookings, purchases, external communications, and anything with financial, legal, or health implications.
- No use of your data to train models. Your personal data, messages, Health Data, and the content of actions taken on your behalf are not used to train any AI model, whether operated by kynikOS or by a third party.
- Voice calls to third parties. When kynikOS calls a business on your behalf, the agent identifies itself as an AI assistant calling on your behalf where legally required. Calls may be recorded and transcribed for audit, quality, and dispute-resolution purposes, on the legal basis of legitimate interest (yours and ours). Recordings are retained for up to 90 days and then deleted. The called party may request deletion of the recording of their call at any time via the contact address in Section 14 below.
- Liability. Subject to mandatory law, kynikOS is not liable for the outcomes of actions you instructed or authorised kynikOS to take, including actions you had the opportunity to review, reject, or cancel. Further allocation of responsibility between you and kynikOS is set out in our Terms of Service.
5. Connected Third-Party Services
kynikOS integrates with third-party services to act on your behalf. These include:
- Telegram — for messaging and authentication
- Calendar providers (Google Calendar, Apple Calendar) — for scheduling
- Fitness trackers (Garmin Connect only) — for health and activity data
- Communication services (Twilio for voice calls, Resend for email) — for acting on your behalf
We access only the data from these services that you explicitly authorize. Your use of these services is also governed by their respective privacy policies. We request the minimum permissions necessary, and you can revoke access at any time.
6. Information Sharing
We do not sell your personal information. We may share information only in these cases:
- At your direction — when you ask kynikOS to contact a business, share your availability, or coordinate with others
- Service providers — infrastructure providers who help us operate (e.g. cloud hosting, and, for non-Health Data only, AI processing). These providers are bound by data processing agreements and act only on our documented instructions
- Legal requirements — when required by law or to protect rights and safety
The sharing described in this Section 6 does not apply to Health Data, which is governed exclusively by the stricter rules set out in Section 3 (including the prohibition on any external-AI processing).
7. Data Storage and Security
- Data is stored in encrypted databases hosted in the EU
- All data in transit is encrypted using TLS 1.2+
- Access to production systems is restricted and audited
- Health and fitness data receives additional encryption at rest
- Voice call recordings are stored encrypted and can be deleted at your request
- We conduct regular security reviews of our infrastructure
8. Data Retention
We retain your data for as long as your account is active and as needed to provide the service. Specifically:
- Account data — retained while your account is active
- Messages and preferences — retained to maintain your learned preferences; deletable on request
- Health and fitness data — retained while the data source is connected; deleted within 30 days of disconnection or upon request
- Audit logs — retained for 12 months for your review, then archived
- Voice recordings — retained for 90 days, then automatically deleted unless you request earlier deletion
You can request deletion of all your data at any time. Upon account deletion, all personal data is removed within 30 days, except where retention is required by law.
9. Your Rights
Under the GDPR and applicable data protection laws, you have the right to:
- Access — request a copy of all personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data (“right to be forgotten”)
- Portability — receive your data in a structured, machine-readable format
- Restriction — request that we limit processing of your data
- Objection — object to processing based on legitimate interests
- Withdraw consent — withdraw any consent you have given, at any time
- Revoke permissions — disconnect any connected service or revoke any permission granted to kynikOS
Every action performed by kynikOS on your behalf is logged and available for your review through your dashboard. This audit trail is part of our commitment to transparency.
10. Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract — processing necessary to provide the kynikOS service you have subscribed to
- Consent — for health and fitness data, and for connecting third-party services. You can withdraw consent at any time
- Legitimate interest — for service improvement and security, balanced against your privacy rights
11. International Data Transfers
Your data is primarily stored and processed in the EU. Where non-Health Data is transferred outside the EU (for example, to an AI processing provider used for general assistant features that do not involve Health Data), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission. Health Data (as defined in Section 3) is never transferred to external AI providers, whether inside or outside the EU.
12. Children's Privacy
kynikOS is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes via the service or email. Continued use of the service after changes constitutes acceptance of the updated policy.
14. Contact
For privacy-related questions, to exercise your rights, or to file a complaint:
- Email: [email protected]
- Through your kynikOS Telegram bot
You also have the right to lodge a complaint with your local data protection authority.