Kiero Labs
Privacy Policy
Effective 2 July 2026 · Last updated 2 July 2026 · The English version of this page is authoritative.
1. Who we are & what this covers
Kiero Ltd(“Kiero”, “we”, “us”) is a company registered in England and Wales under company number 17323674, with its registered office at 66 Paul Street, London, EC2A 4NA, United Kingdom. “Kiero” and “Kiero Labs” are names we trade under. We build a training intelligence app that reads data from your sports watch and explains it.
This one policy covers both the kierolabs.com website (the waitlist and founding membership) and the Kiero app (in invite-only beta today; access opens in waves). We are the data controller. We handle personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018; for users in the European Union, the EU GDPR applies equally. Where we serve users in the United States, the additional protections in section 9 apply.
Contact for anything in this policy: hello@kierolabs.com.
2. The short version
We never sell your data. We never use it for third-party advertising. There are no data brokers and no ad networks — ever. Your training data lives in an EU database (AWS London). You can get a copy of everything or have it all deleted, whenever you want. The rest of this page is the detail behind those sentences.
3. What the website collects today
Waitlist: your email address (and first name if you give it), when you joined, your consent to receive Kiero emails, and a one-way salted hash of your IP address. The hash is used only to stop abuse of the signup form (rate limiting); your actual IP address is never stored and the hash cannot be reversed into it.
Founding membership:when checkout opens, payments will be processed by Stripe on Stripe-hosted pages — your card number never touches our servers. We will store your email, what you bought, the amount and currency, the payment status, and Stripe’s reference IDs.
Analytics: privacy-friendly, cookieless page analytics (Vercel Analytics) — no advertising cookies, no cross-site tracking, no individual profiles. The only cookie this site sets is one functional cookie that remembers your currency preference (so prices show in your local currency); there are no advertising or tracking cookies and no third-party trackers. Fonts are served from our own servers.
4. Why we're allowed to use it (lawful bases)
| What we do | Legal basis |
|---|---|
| Email you about Kiero (waitlist, access waves, product updates) via Kit | Consent — the signup line “By joining you agree to receive Kiero emails” is your consent record. Withdraw any time via the unsubscribe link in every email. |
| Rate-limit the signup form using a salted IP hash | Legitimate interests — keeping the form working and abuse-free (UK GDPR Art. 6(1)(f)). |
| Cookieless, aggregate page analytics | Legitimate interests — understanding page performance without profiling anyone. |
| Take payment, deliver founding membership, process refunds | Contract — UK GDPR Art. 6(1)(b). |
| Process your health and fitness data in the app (section 5) | Your explicit consent — UK GDPR Art. 9(2)(a), collected in the app before anything connects. |
5. The app: health & fitness data
When your access opens and you choose to connect a watch, Kiero processes health and fitness data. In legal terms this is special category data, and it gets the strongest protections the law offers. Specifically, the app stores:
- Daily metrics: heart-rate variability (HRV), resting heart rate, sleep duration and score, body battery, weight, steps
- Activities: workouts with distance, duration, pace, heart rate, cadence, elevation, calories — including GPS route traces for outdoor activities
- Your profile: sex, date of birth, height, weight, goals and targets, VO₂max
- Nutrition: food logs you enter and photos of food labels you scan
- Strength training: exercises, sets, weights, gym sessions
- Coaching: the AI briefs and advice generated for you
None of this is collected on the website, and none of it is collected in the app until you give explicit consent — a clear, specific opt-in shown before you connect anything. You can withdraw that consent at any time by disconnecting your watch and/or asking us to delete your data (section 14); withdrawal stops the processing.
6. Your watch connection (Terra)
Kiero connects to watches through Terra (tryterra.co), a wearable-data API. When you connect a device — Garmin first; Apple Health, Google Fit, Strava, Suunto, Fitbit and Coros as they ship — you authorize your device account to share data with Kiero via Terra. Terra processes that data on our behalf as a processor.
Terra’s End User Privacy Policyis incorporated into this policy and applies to Terra’s handling of your data in transit. Your device maker’s own privacy notice (for example Garmin’s) continues to govern your account with them. You can disconnect a device at any time in the app, which stops all new data flowing.
7. AI coaching & automated decisions
Kiero’s coaching is AI-generated. To produce your morning brief, training guidance, and nutrition estimates, relevant health data (and food-label photos you scan) are sent to Anthropic(US), the AI provider, for processing. Under Anthropic’s commercial API terms, this data is not used to train their models.
What the AI does: it analyses your recovery, training load and plan to produce guidance — a recommendation for the day, with its reasoning shown. It does not make binding decisions about you, and you can always override it in the app. You also have the right to ask for a human review of anything the AI has produced about you, to express your point of view, and to contest it — email hello@kierolabs.comand a person will look at it. Kiero’s guidance is not medical advice (see the Terms).
8. Maps, weather & sign-in
Maps:GPS routes are rendered with Mapbox; route coordinates are sent to Mapbox’s servers to draw the map tiles. Weather: an approximate location is sent to a weather provider to show conditions for your training. Sign-in: you sign in with Google, Apple, or an email link; we receive your email address (and name, if the provider shares it) — never your password.
9. Consumer health data (Washington, Nevada & US states)
This section is Kiero’s consumer health data privacy policy for the purposes of the Washington My Health My Data Act, Nevada SB 370, and similar US state laws.
What we collect and why: the categories in section 5, used solely to provide your training coaching. Consent: we collect consumer health data only with your opt-in consent, given before you connect a device. We do not share consumer health data with third parties except the processors in section 10, who act on our instructions to deliver the service. No sale: we do not sell consumer health data, and no authorization to sell it exists or will be sought.
Your rights: you may access your consumer health data, withdraw consent, and have it deleted — email hello@kierolabs.com. If we decline a request, you may appeal by replying to our decision; we respond to appeals within 45 days. Kiero is not a covered entity under HIPAA and makes no HIPAA claims — your protections come from the laws named here and the GDPR commitments in the rest of this policy.
10. Who we share data with
Only service providers (processors) that Kiero needs to run, each bound by a data processing agreement. No data brokers, no ad networks, ever.
| Provider | What they handle | Where |
|---|---|---|
| Supabase | Database and sign-in for all Kiero data, including health data | EU (AWS London, eu-west-2) |
| Kit | Sending our emails (waitlist and product updates) | US |
| Stripe | Payments and refunds (when checkout opens) | US |
| Vercel | Website hosting and cookieless analytics | US / global edge |
| Anthropic | AI processing of health data and food-label photos for coaching | US |
| Mapbox | Rendering GPS route maps | US |
| Terra | Wearable data transfer from your device account to Kiero | UK / EU |
| Weather provider | Approximate location for training-day conditions | varies |
11. International transfers
Your health data is stored at rest in the EU (AWS London). Some processors above are US companies, so data crosses borders for processing. Where a US provider is certified under the UK Extension to the EU-US Data Privacy Framework, we rely on that certification; otherwise we use the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, as applicable. Copies of the relevant safeguards are available on request via hello@kierolabs.com.
12. How long we keep data
| Data | Kept for |
|---|---|
| Waitlist email + name | Until you unsubscribe or ask us to delete it |
| Signup IP hash | Only as long as needed for rate limiting |
| Purchase and refund records | 6 years (UK tax and accounting law) |
| Health and fitness data | The life of your account, deleted within 30 days of account deletion |
| AI coaching briefs | Same as health data |
| Backups | Rolling window; deleted data ages out of backups automatically |
13. Security & breach notification
Data is encrypted in transit and at rest, held in an EU-region database with strict access controls; payment card data is handled entirely by Stripe. No system is perfectly secure, so here is what we commit to if something goes wrong: where a breach risks your rights, we notify the UK Information Commissioner’s Office within 72 hours; where the risk to you is high, we notify you directly without undue delay. For US users, health data breaches are additionally notified to affected users and the FTC within 60 days, as the FTC Health Breach Notification Rule requires of wellness apps.
14. Your rights
You have the right to:
- Be informed — this policy
- Access — get a copy of everything we hold about you
- Rectification — correct anything wrong
- Erasure — have it all deleted (“right to be forgotten”)
- Portability — receive your data in a machine-readable format you can take elsewhere
- Restriction — pause our use of your data while something is contested
- Objection — object to processing based on legitimate interests
- Rights around automated decisions — human review, as described in section 7
- Withdraw consent at any time — unsubscribe (emails) or disconnect and delete (health data)
How to use them: email hello@kierolabs.com and we action your request within 30 days, free of charge. Self-serve export and account deletion are being built into the app; until they ship, the email route is just as binding. Whatever US state you live in, we honor access, correction, and deletion requests the same way.
Complaints: you can complain directly to us (we acknowledge within 30 days and tell you the outcome), to the ICO at ico.org.uk, or to your local EU data protection authority. We’d appreciate the chance to fix it first.
15. Age requirement
Kiero is for adults — you must be 18 or older to join the waitlist, buy a founding membership, or use the app. We do not knowingly collect data from anyone under 18; if we learn we have, we delete it.
16. Changes & contact
If we make material changes to this policy, we email you before they take effect, and the dates at the top are updated. Questions, requests, complaints: hello@kierolabs.com. See also our Terms of Service.