Privacy Policy

Protecting your privacy is one of the key commitments of Kaski.ai. Kaski.ai Oy, a company registered in Finland, operates the Kaski.ai platform and application, which analyze personality and sports data to provide personalized insights for users. This Privacy Policy explains how we collect, use, share, and protect your personal data, including for AI-driven analysis, in compliance with the EU General Data Protection Regulation (GDPR), U.S. State Privacy Laws and other applicable data protection laws and regulations.

This policy applies to all users of our website, platform, mobile applications, and related services (“Services”). It complements our Terms of Service (https://kaski.ai/terms). If you are a United States resident, you may have additional data privacy rights under your state laws as described in Section 14 of this Privacy Policy.


  1. What Data We Collect and Why

We collect and process personal data to provide, improve, and personalize our Services, as well as to comply with legal obligations. Below are the categories of data we collect, the purposes, and our legal basis for processing:

a. Account and Profile Data

  • What we collect: When you create a Kaski.ai account, we collect your name, email address, password, payment/billing information, country of residence, age, and any optional profile details you choose to provide.
  • Why we collect it: To set up and manage your account, provide customer support, and personalize your experience.
  • Legal basis: Performance of a contract (to provide the Services).

b. Personality Data

  • What we collect: Responses to and analysis of personality assessments or surveys you complete on our platform or otherwise submit, such as preferences, behavioral traits, or self-reported psychological data.
  • Why we collect it: To generate personalized insights about your personality, well-being and sports performance, and to enhance your user experience.
  • Legal basis: Your explicit consent (for information revealing details concerning your health) and performance of a contract (to deliver the Services).

c. Sports Data

  • What we collect: Data related to your physical fitness and sports activities, such as physical performance metrics, training plans, event (practices, workouts, matches, etc.) details, and self-reported fitness goals.
  • Why we collect it: To provide tailored sports performance insights, track progress, and offer recommendations.
  • Legal basis: Your explicit consent (for health-related data you provide or authorize) and performance of a contract (to deliver the Services).

d. Chat Data

  • What we collect: Any information you submit in the AI chat function and the answers and other outputs generated by the AI. The generated answers depend on the information you submit. Information that is submitted to the chat is up to you and we encourage you to always carefully consider before submitting anything sensitive.
  • Why we collect it: To provide the AI chat functionality of the Services (i.e., personalized sports, well-being and training insights in the format of chat messages).
  • Legal basis: Your explicit consent (for any health-related or otherwise sensitive data you may choose to submit to the chat) and performance of a contract (to deliver the Services).

e. Usage Data

  • What we collect: Information about how you interact with our Services, including your IP address, browser type, device information, pages visited, and timestamps.
  • Why we collect it: To monitor and improve platform performance, ensure security, and analyze usage trends.
  • Legal basis: Legitimate interest (to maintain and enhance our Services) and your consent (for cookies – see our Cookie Notice for more information).

f. Marketing and Communication Data

  • What we collect: Your contact details and preferences for receiving service and marketing communications.
  • Why we collect it: To send you updates, promotions, or newsletters about Kaski.ai.
  • Legal basis: Your consent or performance of a contract (communications related to delivery of the Services).

g. Third-Party Integration Data

  • What we collect: If you connect Kaski.ai with third-party services (e.g., fitness trackers, wearables or health apps), we collect the data you authorize, such as, and depending on the particular third-party service, your activity, sleep, readiness, stress and recovery scores, HRV, heart rate, SpO2, cardiovascular metrics, and workout data.
  • Why we collect it: To integrate with these services in order to provide better insights and an easier user experience for you.
  • Legal basis: Your consent (for health-related data) and performance of a contract (to deliver the Services).

We use OpenAI’s artificial intelligence models to process your personal data in order to provide the personalized sports and personality analysis and insights. We only process your sensitive data (e.g., data relating to or revealing aspects of your physical and mental health) using AI with your explicit consent and to the extent it is necessary to provide the Services to you.


  2. How We Use Your Data

We use your personal data for the following purposes:

  • To Provide Services: Deliver personalized personality and sports insights, manage your account, and enable platform functionality.
  • To Improve Services: Analyze aggregated and de-identified data to enhance the Services, develop new features, and conduct research on personality and sports performance.
  • To Communicate: Respond to your inquiries, provide customer support, and send service-related notifications.
  • For Marketing: Share updates or promotions (with your consent; you can always opt out via email or account settings).
  • To Ensure Security: For example, protect against fraud, unauthorized access, unavailability or misuse of our Services.
  • To Comply with Legal Obligations: Meet requirements under applicable laws, such as relating to accounting obligations and any possible legal proceedings.

We process your data in an anonymized, de-identified or aggregated format whenever possible to protect your privacy, especially for research and analytics.


  3. How We Share Your Data

We do not sell your personal data. We share data only to provide the Services and in the following circumstances:

a. For Third-Party Integrations: If you authorize integrations with third-party services like fitness trackers, wearables, or health apps, we do not share any of your Personality, Sports, Usage or Chat data in the Kaski.ai platform with these third-party providers. Only the data needed to enable the third-party integrations by their providers is transmitted back to these third-party providers. Some third-party services collect, under their own policies and outside the control of Kaski.ai, information regarding your interactions with their services through the Kaski.ai platform. You can always revoke any integrations via the platform settings.

b. To Your Connected Users: If you choose to share insights with your connected users (e.g., your coaches or teams), only the data you have approved is shared. You can withdraw consent and control the sharing of your data at any time via your account settings.

c. With our Third-Party Service Providers

  • To deliver our Services, we engage trusted third-party providers who process your personal data on our behalf and under strict data processing agreements.
    • OpenAI: Your personal data is shared with OpenAI, the provider of ChatGPT, in the United States to provide analysis and deliver personalized insights as part of the Services. Per our agreement with OpenAI, your data is not used to train OpenAI’s models. OpenAI is bound by a Data Processing Agreement (DPA) and the European Commission’s Standard Contractual Clauses to protect your data in compliance with the GDPR. You can see more regarding OpenAI’s approach to privacy and security at https://openai.com/security-and-privacy/.
    • Supabase: Hosts our database and your user data in EU-based servers; processing of personal data is governed by a DPA and the EU Commission’s Standard Contractual Clauses.
    • Render: Operates our internal server infrastructure in the EU/EEA to facilitate secure API calls and data routing; processing of personal data is governed by a DPA and the EU Commission’s Standard Contractual Clauses.

d. For Legal Reasons

  • We may disclose data for legal reasons if required by law, regulation, or legal process (e.g., court orders or government requests) or to protect Kaski.ai’s rights, safety, or property under law.

e. Business Transfers

  • In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to equivalent privacy protections.

  4. Use of Artificial Intelligence (AI); Automated Decision-Making and Profiling

Our Services use AI, powered by OpenAI, to generate personality and sports performance insights based on your inputs. These insights are advisory and are not used for making automated decisions or profiling you in a manner that produces legal or similarly significant effects. The insights are designed to support your well-being and performance goals, and it is always up to you what you make of them.

We ensure transparency by only using widely known and recognized AI technology in our Services, clearly indicating to you when you are interacting with an AI or provided with AI-generated insights or recommendations, giving you control over what data you provide to the AI and regularly reviewing our AI systems for fairness and accuracy. If you are interested in the safety of the AI you interact with, we encourage you to familiarize yourself with OpenAI’s approach to safety at: https://openai.com/safety/.

You can request more information on the use of AI in the Services, including with respect to privacy, safety, transparency and security, by contacting dataprotection@kaski.ai.


  5. International Data Transfers

Kaski.ai is based in Finland, and your data is primarily processed within the EU. However, some of our service providers (such as OpenAI) operate outside the EU/EEA, and certain parts of the Services may involve data transfers beyond the EU/EEA. To ensure your data is protected in compliance with the GDPR during such transfers, we use the following safeguards:

  • EU-US Data Privacy Framework: For transfers to certified U.S. providers, ensuring protections equivalent to EU/EEA standards.
  • EU Commission’s Adequacy Decisions: For transfers to EU-recognised adequate countries, with safeguards matching EU/EEA levels.
  • EU Commission’s Standard Contractual Clauses: For other transfers, using contracts with non-EU/EEA providers to uphold your GDPR rights.

Regardless of where your data is processed, we apply the same protections outlined in this Policy.


  6. Your Data Protection Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure: Request deletion of your data (subject to legal retention obligations).
  • Restriction: Limit how we process your data in certain cases.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests (e.g., marketing).
  • Withdraw Consent: Revoke consent at any time, without affecting prior processing.

To exercise these rights, use the functionalities provided in the application and platform (access, deletion and rectification of your account data), or contact us at dataprotection@kaski.ai. Please specify the scope of your request for efficient processing. We will respond within one month, extendable by two months for complex requests.

How to delete your Kaski.ai account directly in the platform:

  • Log in to your account at Kaski.ai.
  • Navigate to Settings > Account > Delete Account.
  • Follow the prompts to permanently delete your account and data.

Please note: Deleting your account removes all associated data, including access to insights or integrations. Membership cancellation does not automatically delete data; you must explicitly request deletion.

If you have concerns about our data practices, you can file a complaint with the Finnish Data Protection Ombudsman (https://tietosuoja.fi/en/home) or your local supervisory authority.


  7. Data Security

We and our trusted service providers take robust technical and organizational measures to protect your personal data when you use the Services, including:

  • Encryption: Data is encrypted at rest (AES-256) and in transit (TLS).
  • Access Controls: Strict authentication and role-based access for employees and systems.
  • Security Training: Regular training for staff on GDPR compliance and cyber hygiene.
  • Vulnerability Management: Ongoing scanning, penetration testing, and threat detection.

While we strive to maintain the highest security standards, no system is immune to risks. If you discover a potential vulnerability, please report it to dataprotection@kaski.ai. We welcome input from security researchers and will acknowledge your contribution.

Data Breach Notification
In the unlikely event of a personal data breach, we will notify the applicable Data Protection Authority within 72 hours, as required by GDPR. If the breach poses a high risk to your rights and freedoms, we will inform you promptly, explaining the breach, its likely impact, and steps to protect yourself. To report a suspected breach, contact dataprotection@kaski.ai.


  8. Data Retention

We retain your personal data only as long as necessary to fulfill the purposes outlined in this Policy:

  • Account and Profile, Personality, Sports, Third-Party Integration Data: Kept while your account is active. Subject to your choice, Third-Party Integration Data can be deleted when you revoke an integration. If you delete your account or use your right to request the deletion of your data, we delete your Personality, Sports and Chat Data within 30 days, except for data that is anonymized (i.e., no longer identifying you) or data required by law (e.g., bookkeeping records).
  • Chat Data: Your chat history is retained for 90 days on OpenAI’s servers. After this, any messages and insights in the chat you have not specifically saved are deleted.
  • Usage Data: Retained for up to 12 months for security and analytics, then anonymized or deleted. This does not include any of your personality, sports or chat history data.
  • Marketing Data: Kept until you opt out or delete your account.

We follow a secure deletion process to ensure data is securely removed from our systems, though standard backup practices may cause brief delays to the permanent erasure of data.

Legal Retention Obligations
We retain certain data for the purpose of complying with legal obligations, such as billing records for up to 6 years to comply with the Finnish Accounting Act. Other legal obligations may require shorter or longer retention, and we ensure such data is securely stored and deleted when no longer needed.


  9. Cookies and Tracking

We use cookies and similar technologies to enhance your experience, analyze usage, and deliver relevant ads. For details on the cookies used, see our Cookie Notice (available at https://kaski.ai/cookie-policy). You can manage cookie preferences via your browser or our website settings, though disabling essential cookies may affect platform functionality.


  10. Third-Party Integrations and Links

Our Services can be integrated with third-party services, such as fitness trackers, wearables and health apps (e.g., Oura, Garmin, Polar, Whoop, Suunto, Apple Health or Google Health Kit), to seamlessly synchronize your data for analysis and tracking in the Kaski.ai platform. You must authorize the integrations in the platform and we only process the synchronized data with your consent. You can remove any integrations at any time in Kaski.ai settings. When revoking an integration, previously synchronized data will remain part of your Kaski.ai profile, unless you request your data to be deleted in connection with the revocation.

Any integrated third-party services you authorize process your personal data under their own terms of services and privacy policies when you use the services and when they interact with the Kaski.ai platform. Notably, some third-party services (such as Oura) collect data regarding your use of the integration with the Kaski.ai platform, but none of the data you submit in the Kaski.ai platform is shared to the third-party service. Please review any third-party services’ terms and policies before authorizing any integrations.

Our Services may contain links to third-party websites and services (e.g., fitness apps or payment providers). Kaski.ai is not responsible for their privacy practices. Please review their policies before sharing your data.


  11. Children’s Privacy

Kaski.ai is primarily intended for use by adults and the standard age limit to use the Services is set at 13, or other age required for valid consent for processing of personal data under applicable laws. However, individuals under the age of valid consent for processing of personal data may be given access to the Services in connection with their membership in a sports club, a coaching relationship or otherwise, but always subject to the explicit consent of the parent or other legal guardian. The age and consent limits are enforced through and under the policies of the channels where the Kaski.ai application is made available for download and/or use or via a separate arrangement with a sports club or other corresponding entity making the Services available to their members. Guardian accounts may be made available in the future, which allow verified adult users to monitor and control the sharing and use of their children’s data directly within the platform.


  12. Changes to This Policy

We may update this Policy to reflect changes in our Services, legal requirements, or user feedback. We will notify you of significant changes via email or a notice on our platform at least 14 days before they take effect. Continued use of our Services after changes implies acknowledgement and acceptance of the updated Policy.


  13. Contact Us

a) If you have questions, complaints, or requests regarding this Policy or our data processing practices, please contact:

Kaski.ai Oy
Email: dataprotection@kaski.ai
Address: Hissikatu 2, 33900 Tampere, Finland
Website: www.kaski.ai

For complaints unresolved by us, you may contact the Finnish Data Protection Ombudsman or your local data protection authority.


14. U.S. Residents with Enhanced Privacy Rights

This section supplements the information contained in this Privacy Policy and applies to residents of the United States whose personal information is protected under applicable U.S. state privacy laws, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA/CPRA”), and similar comprehensive privacy laws in other states such as Virginia (Virginia Consumer Data Protection Act), Colorado (Colorado Privacy Act), Connecticut (Connecticut Data Privacy Act), Utah (Utah Consumer Privacy Act), Iowa (Iowa Consumer Data Protection Act), Indiana (Indiana Consumer Data Protection Act), Tennessee (Tennessee Information Protection Act), Montana (Montana Consumer Data Privacy Act), Texas (Texas Data Privacy and Security Act), Oregon (Oregon Consumer Data Privacy Act), Delaware (Delaware Personal Data Privacy Act), New Jersey (New Jersey Data Privacy Act), Minnesota (Minnesota Consumer Data Privacy Act), Maryland (Maryland Online Data Privacy Act), Nebraska (Nebraska Data Privacy Act), Washington (My Health My Data Act) and New Hampshire (New Hampshire Privacy Act) (collectively, “U.S. State Privacy Laws”). Terms used in this section, such as “personal information” or “sensitive personal information,” have the meanings given to them under the applicable U.S. State Privacy Laws, which may differ from terms used elsewhere in this Privacy Policy.

If you are a resident of one of these states, this section provides additional disclosures about our data practices and describes your privacy rights. These rights may vary slightly depending on the specific state law applicable to you (e.g., some states do not provide rights to correct personal information or opt out of profiling, while others require additional disclosures for sensitive data processing). We do not discriminate against you for exercising any of your rights under U.S. State Privacy Laws, including by denying goods or services, charging different prices, or providing a different level or quality of services.

Categories of Personal Information We Collect

In the past 12 months, we have collected the following categories of personal information, as further described in the “What Data We Collect and Why” section of this Privacy Policy. Note that not all categories may apply to every user, and we only collect what is necessary to provide our Services.

| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, email address, IP address, account credentials (e.g., password), device information | YES |
| B. Personal information categories listed in the California Customer Records statute | Name, payment and billing information | YES |
| C. Protected classification characteristics under state or federal law | Age, gender (if voluntarily provided) | YES |
| D. Commercial information | Payment history, subscription details | YES |
| E. Biometric information | None (we do not collect fingerprints, voiceprints, or similar) | NO |
| F. Internet or other similar network activity | Usage data, such as pages visited, timestamps, browser type | YES |
| G. Geolocation data | Approximate location derived from IP address (not precise geolocation) | YES |
| H. Sensory data (audio, electronic, visual, etc.) | None | NO |
| I. Professional or employment-related information | Current profession information (i.e., sports coach), job role (at an organizational customer) | YES |
| J. Non-public education information | None | NO |
| K. Inferences drawn from other personal information | Personality insights or behavioral traits derived from assessments or surveys | YES |
| L. Sensitive personal information | Health data (e.g., heart rate or fitness metrics from sports data, if provided or integrated), precise geolocation (if any from third-party integrations) | YES (limited to sports-related metrics with consent) |

We obtain this personal information from the following sources, as referenced in the “What Data We Collect and Why” and “Third-Party Integration Data” sections:

  • Directly from you (e.g., when you create an account, complete surveys, or input data into the chat).
  • Automatically from your interactions with our Services (e.g., usage data).
  • From third-party integrations you authorize (e.g., fitness trackers for sports data).

Purposes for Collecting and Using Personal Information

We collect and use personal information for the business or commercial purposes described in the “How We Use Your Data” section, including to provide and personalize the Services, manage accounts, improve platform functionality, ensure security, communicate with you, and comply with legal obligations. For sensitive personal information, we use it only as necessary to provide the Services (e.g., sports insights) and with your consent, as noted in the “Legal Basis” subsections.

Sharing and Disclosure of Personal Information

We do not “sell” or “share” your personal information as those terms are defined under the CCPA/CPRA and most other U.S. State Privacy Laws (e.g., we do not exchange personal information for monetary or other valuable consideration, nor do we share it for cross-context behavioral advertising). In the past 12 months, we have not sold or shared any categories of personal information.

We may disclose personal information for business purposes to our third-party service providers as described in the “How We Share Your Data” section. These disclosures are governed by contracts that require the recipients to use the information only for the intended purpose and protect it appropriately. Categories disclosed in the past 12 months include Identifiers, Personal information (Category B), Internet activity, Inferences, and Sensitive personal information (limited to service providers for processing).

For other disclosures (e.g., for legal reasons or business transfers), refer to the “How We Share Your Data” section.

Data Retention

We retain each category of personal information only as long as necessary for the purposes described in this Privacy Policy, as detailed in the “Data Retention” section. For example:

  • Categories A, B, C, D, F, G, K, L: Retained while your account is active or as needed to provide Services, typically deleted within 30 days (up to 90 days for data in chat history) of account deletion (subject to legal obligations, e.g., up to 6 years for billing records).
  • We determine retention periods based on the nature of the data, legal requirements, and business needs.

Your Rights Under U.S. State Privacy Laws

Depending on the applicable law, you may have the following rights regarding your personal information (in addition to those described in the “Your Data Protection Rights” section):

  • Right to Know/Access: Request details about the categories of personal information we collect, use, disclose, or sell/share, including specific pieces of information we hold about you.
  • Right to Delete: Request deletion of your personal information, subject to exceptions (e.g., to complete transactions, comply with law, or detect fraud).
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: Opt out of the sale or sharing of your personal information (though we do not engage in these activities).
  • Right to Limit Use of Sensitive Personal Information: Limit our use and disclosure of sensitive personal information to what is necessary to provide the Services or as otherwise permitted by law.
  • Right to Opt-Out of Targeted Advertising or Profiling: Opt out of the use of your personal information for targeted advertising or automated profiling that produces legal or similarly significant effects (note: our AI insights are advisory only and do not produce such effects, as described in the “Use of Artificial Intelligence” section).
  • Right to Data Portability: Receive your personal information in a portable, machine-readable format.
  • Right to Non-Discrimination: We will not discriminate against you for exercising these rights.
  • Right to Appeal: If we deny your request, you may appeal the decision.

We honor opt-out preference signals, such as Global Privacy Control (GPC), sent from your browser or device as a valid opt-out request for sale/sharing or targeted advertising.

Your Rights Under Washington My Health My Data Act

If you are a resident of Washington State, the Washington My Health My Data Act (RCW 19.373) provides you with additional rights regarding health data we collect, including physiological measurements obtained through third-party wearable and fitness app integrations (such as heart rate, heart rate variability, blood oxygen levels, sleep data, and activity metrics). We collect this data only with your opt-in consent, which you provide when you authorize a third-party integration within the app. You may withdraw consent at any time by disconnecting the integration in your account settings. You have the right to request deletion of your consumer health data, and we will not sell your consumer health data or share it for purposes beyond those disclosed in this policy without obtaining your separate, signed authorization.

How to Exercise Your Rights

To exercise these rights, submit a verifiable request by emailing us at dataprotection@kaski.ai with the subject line “U.S. Privacy Rights Request” and include details about your request (e.g., access, deletion) and proof of residency if needed. You may also designate an authorized agent to make a request on your behalf with proper authorization.

We will verify your identity (e.g., by matching provided information to our records) to protect your privacy. We respond to requests within 45 days (extendable by 45 days if needed), free of charge up to twice per 12 months. If we cannot verify or fulfill your request, we will explain why. For appeals, contact us at the same email within the timeframe required by your state’s law (e.g., 60 days under CPRA).