Privacy Policy.
What Kneady People holds about you, who we share it with, and how to request that we let go of it. Written in plain English — what you see here is how it actually works.
Effective June 11, 2026
In this document
- 1. Who we are
- 2. What we collect
- 3. How we use it
- 4. Lawful bases (EU/UK)
- 5. Who we share it with
- 6. Cookies & similar tech
- 7. How long we keep it
- 8. Your rights
- 9. Automated decision-making
- 10. Data breach notification
- 11. International transfers
- 12. Notice to California residents
- 13. Children
- 14. Security
- 15. Changes to this policy
- 16. Contact
1. Who we are
Kneady People is a platform for massage therapists and bodyworkers — content tools, free utilities, a directory, and a private community. The service is operated by Kneady People LLC, 325 NW 21st Ave Ste 103, Portland, OR 97209, United States. For purposes of GDPR and comparable privacy laws, Kneady People LLC is the data controller for the personal data described in this policy.
2. What we collect
We try to collect the minimum we need to run the service. Specifically:
You give it to us
- Email address — when you join the waitlist, subscribe to Kneady News, sign up for an account, or contact us.
- Account profile — name, profile photo, and any other field you fill in (modality, city, practice name, bio, specialties). Optional unless noted.
- Generated content — when you use the Content Studio, the text you provide and the text we generate for you, including any images you generate. We may store these in your account library so you can come back to them. Image prompts are sent to our image provider (see “Who we share it with”) to create the image; the resulting image is stored in our own storage.
- Community content — when the community is available to you, the posts, comments, reactions, direct messages, and profile details you create. If you join a live event with your camera or microphone on, your audio and video are captured in the event recording (see our Terms).
- Affiliate referrals — if you arrive through an affiliate's referral link, our affiliate platform records the referral code so the affiliate can be credited. See “Cookies” below.
- Tool inputs — what you type into Haiku Generator, SOAP Notes, Rate Raiser, Testimonial Request, Review Cards. We specifically do not log or store what you type into the unauthenticated free tools; the request goes to the AI provider and the response comes back, and that's it.
- Payment info — when you subscribe to a paid plan, Stripe collects your payment-card details directly. We never receive or store your full card number; we store a Stripe customer ID and basic subscription status (plan, status, renewal date).
We collect automatically
- Server logs — IP address, user agent, requested URL, timestamp. Used for rate-limiting (to keep the AI tools from being abused) and for security investigation if something looks wrong.
- Cookies — Clerk sets a session cookie when you sign in. If you arrive through an affiliate referral link, our affiliate platform (Rewardful) sets a first-party cookie to attribute the referral. See section 6 for the full cookie list.
We don't collect
- Health records or protected health information (PHI). Kneady People is not an electronic health record (EHR) system, practice-management platform, or HIPAA-compliant records service. The Content Studio, SOAP Notes, and related tools are designed as drafting aids only — they are not intended for the storage or transmission of identifiable patient records and should not be used for regulated clinical recordkeeping. The SOAP Notes tool is explicitly designed to not require client identifiers, and we ask you not to paste any. If you input PHI despite our request, you do so at your own risk — Kneady People is not a HIPAA-covered entity or business associate, no Business Associate Agreement (BAA) is offered, and entering PHI through our tools may constitute a HIPAA violation on your part as the covered practitioner.
- Location beyond what you voluntarily put on a directory listing.
- Behavioral advertising data. We don't use ad networks.
3. How we use it
- To operate the service — sign you in, render your account, process tool requests, deliver newsletter issues, send transactional emails (password resets, receipts, etc.).
- To keep the service safe — rate-limiting, abuse detection, security investigation, fraud prevention.
- To improve the service — aggregated analytics about which tools are being used, where errors happen, what's slow. We do not use behavioral profiling for advertising or automated eligibility decisions.
- To communicate with you about Kneady People — newsletter issues (only if you subscribed), product updates, occasional announcements. You can opt out at any time.
4. Lawful bases (EU/UK)
For users in the EU, UK, or other jurisdictions whose data protection law requires us to identify a lawful basis under Article 6 of the GDPR (or its UK equivalent), we rely on:
- Contract (Art. 6(1)(b)) — to provide the account, tools, and paid features you signed up for: storing your profile, processing tool inputs, delivering Studio outputs, handling subscription billing.
- Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent abuse, rate-limit public endpoints, investigate incidents, and improve the product through aggregated, non-profiling analytics. We've weighed these interests against your privacy and consider them proportionate; you may object under section 8 below.
- Consent (Art. 6(1)(a)) — for the newsletter and any other optional marketing communication. You can withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation (Art. 6(1)(c)) — to comply with applicable laws and respond to lawful requests from competent authorities.
5. Who we share it with
We use a small number of well-known service providers (called “processors” under GDPR) to run the platform. Each one sees only what it needs to do its job, and each is contractually bound to handle your data confidentially.
| Provider | What they do | What they see |
|---|---|---|
| Clerk | Authentication, session management | Email, password (hashed), name, profile photo, sign-in events |
| Supabase | Database, file storage, realtime | Your account row, generation history, directory profile, community posts (when launched) |
| Anthropic | AI text generation (Claude) | The text you submit to AI-backed tools, for the duration of the request. According to Anthropic's current API privacy policy, Inputs and Outputs submitted through their API are not used to train their general models. Anthropic may retain Inputs and Outputs for a limited period (currently up to 30 days) for safety, abuse-detection, and policy-enforcement purposes per their policy. See Anthropic's privacy policy for current terms. |
| Beehiiv | Newsletter delivery | Email address only, used to send Kneady News |
| Vercel | Hosting, deployment, request logs | IP address, request metadata; deployment logs |
| Upstash | Rate-limit counter storage | Hashed IP address + bucket name, with a short TTL |
| Cloudflare | CAPTCHA (Turnstile) on signup forms | A challenge token; no email or personal info |
| Stripe | Payments, subscription billing | Email, name, billing address, and subscription status. Card details are entered with and held by Stripe, not us. Stripe's privacy practices are described at stripe.com/privacy; review it before entering payment information. |
| fal.ai | AI image generation | The text prompt you submit to generate an image, for the duration of the request. The resulting image is stored in our own storage; fal.ai does not receive your account identity. |
| Resend | Transactional & account email | Your email address and name, used to send account-related email such as a welcome message. |
| Rewardful | Affiliate referral attribution | A referral code plus basic signup/subscription events, used to credit the affiliate who referred you. None of the content you create is shared. |
We do not sell your data. We do not share it with advertisers. We do not allow our processors to use it for their own marketing.
Data processing agreements (DPAs). We enter into a data processing agreement (DPA) with each processor listed above where one is offered. We do not currently offer a custom controller-to-controller or controller-to-processor DPA for business customers except where required by law; if you operate in the EU/UK and need a written DPA, contact hello@kneadypeople.com and we will work with you in good faith.
We will disclose your data when legally required — a valid subpoena, court order, or comparable lawful request. If permissible, we will notify you first.
6. Cookies & similar tech
- Session cookies — set by Clerk to keep you signed in. Required for authenticated functionality.
- Affiliate referral cookie — if you arrive through an affiliate's referral link, our affiliate platform (Rewardful) sets a first-party cookie to attribute that referral so the affiliate can be credited. It is not used for advertising or cross-site tracking. Where consent is required for non-essential cookies (for example in the EU/UK), we obtain it before this cookie is set.
- Analytics cookies — none today. If we add analytics later, we'll update this policy and offer a way to opt out.
- Ad cookies — never.
7. How long we keep it
- Account data — for as long as your account is active. When you delete your account, we delete your row from Supabase within 30 days. Backup retention may extend this by up to 90 days.
- Generated content — same retention as your account; deleting your account deletes your library, including generated images.
- Community content & live-event recordings — kept while your account is active and the community remains available. Recordings of live events are retained so members can replay them; you can ask us to remove a recording you appear in. Deleting your account removes your posts, messages, and profile.
- Newsletter email — until you unsubscribe. Beehiiv keeps an “unsubscribed” record so it doesn't re-email you accidentally.
- Server logs — Vercel retains request logs for up to 30 days, depending on plan.
- Rate-limit counters — Upstash records have a TTL measured in minutes.
8. Your rights
You have rights over the data we hold about you. Depending on where you live (EU/UK, California, elsewhere), the specific rights differ — but we honor the same baseline regardless:
- Access — ask us what we hold about you and receive a copy.
- Correction — ask us to fix anything that's wrong.
- Deletion — ask us to delete your account and everything in it. Today, deletion is initiated by emailing us (see below); a self-serve flow inside account settings is on the roadmap.
- Portability — ask us for a copy of your generated content in a portable format.
- Withdraw consent — unsubscribe from the newsletter or any other communications at any time.
- Object / restrict — ask us to stop using your data for a specific purpose, where applicable.
- Lodge a complaint — with your local data protection authority. EU/UK residents can reach the ICO, CNIL, or comparable body; California residents can contact the California Privacy Protection Agency.
To exercise any of these, email hello@kneadypeople.com. We respond without undue delay and within one month of receiving your request. For unusually complex requests, we may extend by up to two additional months and will tell you why within the first month, consistent with GDPR Article 12(3).
9. Automated decision-making
We do not use automated decision-making, including profiling, to make decisions about you that produce legal effects or similarly significant effects (such as denying you access, adjusting your pricing based on a behavioral score, or anything comparable). Our AI tools generate content at your request — they do not make decisions about you. This addresses your rights under GDPR Article 22 and equivalent provisions elsewhere.
10. Data breach notification
If we become aware of a personal data breach that affects your data and is likely to result in risk to your rights or freedoms, we will notify you and applicable supervisory authorities without undue delay, and where feasible within 72 hours of becoming aware of the breach, consistent with GDPR Article 33 and applicable US state breach-notification laws, including Oregon's Consumer Information Protection Act (ORS 646A.600 et seq.).
Notifications will describe the nature of the breach, the categories and approximate number of affected records, likely consequences, and steps we've taken or recommend you take to reduce harm.
11. International transfers
Kneady People is operated from the United States and is primarily targeted at US-based massage therapists and bodyworkers. The processors listed above are primarily US-based. If you're using the service from outside the US, your data will be transferred to and processed in the United States and other countries where our processors operate. We rely on Standard Contractual Clauses (or equivalent transfer mechanisms) for any transfers from the EU/UK that require them.
We are based in the United States and our infrastructure is US-based. Where residents of the EU, UK, or other regions sign up for or purchase the service, we honor the data-protection rights described in this policy and rely on Standard Contractual Clauses (or equivalent mechanisms) for the resulting transfers. If you are an EU/UK resident and prefer not to have your data transferred to the United States, please do not create an account. We are working to formalize EU/UK representation as our presence in those markets grows.
12. Notice to California residents
This section provides the specific disclosures required by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. We have not sold or shared personal information in the preceding 12 months and have no plans to do so.
Categories of personal information we collect (as defined by Cal. Civ. Code § 1798.140):
- Identifiers (email address, account name, IP address).
- Customer records (profile information, billing details).
- Commercial information (subscription status, transaction history).
- Internet activity (server logs limited to security and rate-limiting purposes).
- Geolocation data (only what you voluntarily provide on a directory listing — coarse, city-level).
- Inferences (none — we don't build behavioral profiles).
Sources, purposes, and retention are described in sections 2, 3, and 6 above and apply equally to California residents.
Sensitive personal information. We do not collect sensitive personal information as defined by the CPRA. If you voluntarily submit such information (for example, by pasting it into a tool input despite our request not to), we do not use it beyond what is necessary to provide the requested service.
Your California-specific rights include the right to know what we collect, the right to delete, the right to correct, the right to opt out of sale or sharing (not applicable since we don't sell or share), and the right to limit use of sensitive personal information (also not applicable since we don't collect it for secondary purposes). To exercise any of these, follow the process in section 7 above.
Non-discrimination. We will not discriminate against you for exercising any of these rights — your access, pricing, and service quality remain the same.
Your privacy choices. Because we do not sell or share your personal information, there is nothing to opt out of — but you can still exercise any of the rights above (access, correction, deletion, portability) by emailing hello@kneadypeople.com with the subject “Privacy request.”
Questions or complaints can also be directed to the California Privacy Protection Agency at cppa.ca.gov.
13. Children
Kneady People is intended for working adults. We do not knowingly collect personal data from anyone under 16. If we learn we've collected data from a child, we will delete it.
14. Security
We follow industry-standard practices to protect your data: HTTPS-only with HSTS, Row-Level Security on every Supabase table, server-side-only API keys, rate-limited public endpoints, regular dependency updates. No system is perfectly secure, but we treat your data the way we'd want ours treated.
15. Changes to this policy
If we make material changes — new processors, new categories of data, new purposes — we'll update the effective date at the top and notify active accounts by email. Continued use of the service after the effective date means you accept the updated policy.
16. Contact
Questions about this policy, or about how we handle your data? Write to hello@kneadypeople.com and we'll get back to you.
Privacy requests
Email hello@kneadypeople.com with the subject “Privacy request” and we'll get back within 30 days. Specify what you want — access, correction, deletion, export — and we'll walk you through it.