Legal
Privacy Policy
Version 2026-04-27 · Effective from 27 April 2026
1. Who we are
knwn. ("we", "us", "our") is the data controller for the personal information described in this policy. We are registered in England and Wales. You can contact our privacy team at team@knwn.uk.
2. What data we collect
- Account data — name, email, password (hashed), profile photo if you upload one.
- Health data — the conditions you select in the quiz (Q2) and any free-text notes you give us in Q10. Treated as "special category" data under UK GDPR Article 9.
- Matching data — your goals, preferences, location, budget and other quiz answers.
- Usage data — pages visited, actions taken in the platform, anonymous device information.
- Communications — messages you send to coaches via our portal.
3. Why we use it (legal bases)
- Health data — your explicit consent, given when you complete the quiz. You can withdraw it at any time.
- Matching and account services — performance of our contract with you.
- Marketing emails — your consent (opt-in only).
- Service improvement & fraud prevention — our legitimate interests.
- Compliance — to meet legal obligations.
4. Who we share data with
- Your matched coach — once you click "Notify" we share your first name, goals and matching preferences. We never share your health conditions in email — coaches see those only after logging into the secure portal.
- Service providers — Supabase (database & auth, EU-hosted), Anthropic (AI explanation generation), Klaviyo (transactional email), Lovable (hosting). All are bound by Data Processing Agreements.
- Authorities — if required by law or to protect someone from harm.
We do not sell your data. Ever.
5. AI processing
We use Anthropic's Claude model to generate the short explanation of why a coach is right for you. This call happens server-side. A human reviewer checks every coach in our roster before they reach you — the AI ranks suggestions, it does not make the final decision unsupervised.
6. How long we keep data
- Health data & quiz answers — 12 months from your last activity, then automatically deleted.
- Messages — 24 months.
- Account record — until you ask us to delete it, then within 30 days.
- Consent records — kept indefinitely as a legal record, but pseudonymised after account deletion.
- Financial records — 6 years (UK tax law).
7. Your rights
Under UK GDPR you have the following rights over your personal data:
- Right of access — receive a copy of the personal data we hold on you.
- Right to rectification — have inaccurate or incomplete data corrected.
- Right to erasure ("right to be forgotten") — have your data deleted.
- Right to restrict processing — pause our use of your data while a query is resolved.
- Right to data portability — receive your data in a structured, machine-readable format (JSON).
- Right to object — object to processing based on legitimate interests, including profiling.
- Right to withdraw consent — for health data or marketing, at any time, without affecting prior lawful processing.
- Right to lodge a complaint — with the Information Commissioner's Office at ico.org.uk or on 0303 123 1113.
8. How to make a Data Subject Request (DSR)
To exercise any of the rights in section 7, sign in to your account and go to Settings and Support. From there, click Download my data or Request deletion. We will provide the information within 2–3 working days.
9. Security
Health data is stored in a separately-protected database table. All API keys are kept server-side. Passwords are hashed. We use TLS encryption in transit. Our roster of providers is reviewed annually. If a data breach affects you, we will notify you within 72 hours of becoming aware.
10. Cookies
See our Cookie Policy for the full list.
11. Changes to this policy
When we materially update this policy we will email you and ask you to re-consent on your next visit. The current version and date are at the top of this page.