KAI · HANA

Privacy Policy

Last updated: June 10, 2026.

This policy covers all apps developed by KAI HANA LLC (“Kai Hana,” “we,” “us”). It applies to your use of any of our apps and the supporting backend services we operate. By installing one of our apps, you agree to the practices described below.

Apps covered by this policy

This umbrella policy currently covers:

  • RateGlance — currency rate viewer with alerts and home-screen widgets.
  • Kaia — personal assistant for iOS and Android.
  • ClearCast Weather Now — calm, focused weather for iOS and Android.
  • AutoPilot — Android automation tool.
  • Cadence — task manager with a read-only calendar overlay, for iOS and Android.
  • Murmur — on-device voice-to-text notes, for iOS and Android.
  • Countdown — event countdowns with reminders, widgets, and optional sharing, for iOS and Android.

When we ship new apps, we’ll add them here.

Per-app data practices

Detailed data practices for each app. Where a per-app section says something different from the umbrella sections below, the per-app section takes precedence.

RateGlance

  • Cloudflare Worker backend. RateGlance is the one Kai Hana app that uses a server. The backend runs on Cloudflare Workers + D1 and exists to (a) check ECB rates hourly on your behalf when you have a Pro alert armed, and (b) verify in-app purchase receipts.
  • Device token. On first launch, RateGlance generates a random ID, stores it in iOS Keychain or Android Keystore, and registers it with the backend so we know which install owns which alerts. The token is not tied to any other identifier we hold about you and cannot be linked to a real-world identity.
  • Push notification token. When you grant notification permission, your APNs (iOS) or FCM (Android) push token is stored alongside your device token and used to deliver alert pings via the Expo Push API (exp.host). RateGlance is the only Kai Hana app that uses remote push.
  • Alert configuration (Pro only). When you arm a Pro alert, your chosen currency pair, target rate, and direction are stored on the backend so the hourly cron can check them. Free-tier alerts are checked on-device only and never sent to the server.
  • In-app purchase receipts. Apple StoreKit / Google Play Billing receipts for the pro_unlock purchase are forwarded to the backend, which calls Apple’s verifyReceipt endpoint (production or sandbox) or Google Play Developer API (androidpublisher.googleapis.com) to verify. We store the resulting transaction identifier so the same receipt cannot be re-redeemed on a different device. We never see your payment details.
  • Rate sources. Rates come from Frankfurter (api.frankfurter.dev, ECB-authoritative for about 30 major currencies) and Fawazahmed (latest.currency-api.pages.dev, used for the long-tail currencies). Neither receives any data about you — only currency codes.
  • No ads. RateGlance does not show ads. The app is supported only by the optional one-time RateGlance Pro upgrade.
  • No analytics, no account. Beyond the device token, push token, optional alert configuration, and one-shot IAP receipt above, the backend has no record of you. There is no sign-up, no email, no profile.
  • Local data. Watched pairs, currency history cache, alert preferences, and Pro entitlement are stored in the app’s encrypted SQLite database and deleted on uninstall.

ClearCast Weather Now

  • Cloudflare Worker backend. ClearCast v1.1 and later uses a Kai Hana–operated Cloudflare Worker (with a D1 database) for three things: (a) proxying Apple WeatherKit and OpenWeatherMap so paid API credentials stay off your device, (b) registering for cloud-delivered notifications, and (c) running the server-side cron that dispatches scheduled morning/evening briefings. Locations, forecasts, and settings cached on the worker are keyed to a random per-install user ID, not to a real-world identity.
  • Location (optional). ClearCast can request permission to use your device’s location to fetch local forecasts and severe-weather alerts. Permission is requested at onboarding and can be revoked at any time from your operating system’s settings. You can use ClearCast without granting location permission by saving cities manually.
  • What leaves your device.
    • Approximate latitude/longitude (rounded to ~0.1°) → our Cloudflare Worker → Apple WeatherKit, for forecasts.
    • Approximate latitude/longitude → our Cloudflare Worker → OpenWeatherMap, for air-quality data.
    • Latitude/longitude (four-decimal precision) → US National Weather Service (api.weather.gov), called directly from your device, for active alerts. US users only.
    • City search queries you type → our Cloudflare Worker → OpenWeatherMap’s geocoding endpoint.
    • Reverse geocoding (turning your current coordinates into a place name) is performed on-device by your operating system; coordinates are not sent to a third party for this step.
  • Push notifications and server-side briefings (optional). If you turn on severe-weather alerts, daily/evening briefings, or custom alerts, ClearCast registers with the backend. The registration includes:
    • A random per-install user ID (not tied to a real-world identity).
    • Your APNs (iOS) or FCM (Android) push token, used to deliver the notifications.
    • Your active location (lat/lon) and UTC offset, so the server-side cron knows when “morning” is for you and which forecast to attach.
    • Your notification preferences (briefing times, units, time format, whether custom alerts are on).
    • A boolean indicating whether you have ClearCast Pro. Push messages are delivered via APNs (iOS) and FCM (Android) directly to your device. The data above is stored in the worker’s D1 database and is overwritten on every refresh. Turning notifications off in the app sends an /unregister request and clears the row.
  • In-app purchases. ClearCast Pro receipts are handled by Apple StoreKit or Google Play Billing. ClearCast does not transmit receipts to any Kai Hana server; the Pro entitlement is stored locally.
  • No ads. ClearCast no longer shows ads. The free-tier AdMob banner was removed in v1.1; the app is supported only by the optional one-time ClearCast Pro upgrade.

Kaia

  • No Kai Hana backend. Kaia does not communicate with any server operated by Kai Hana. All chat, settings, and entitlement state stay on your device.
  • No device token, no analytics. The “Information collected automatically” items in the umbrella section below — device token, push notification token — do not apply to Kaia. Kaia generates no device identifier, registers no push token, and contains no analytics, crash-reporting, or advertising SDKs of any kind. Per the precedence rule above, this Kaia section governs.
  • On-device language model. Kaia runs its language model locally using Google’s LiteRT-LM. The text of your prompts and Kaia’s responses is never sent to a remote inference service.
  • Voice input (optional). Kaia can request microphone access for voice input. Speech-to-text is performed on-device by your operating system; audio is not uploaded. Permission can be revoked at any time from your OS settings.
  • Location (optional). On iOS and Android, Kaia can request approximate location to answer questions about nearby places. Coordinates are used in-session only — not stored, not transmitted to Kai Hana.
  • Model downloads. When you choose a model, Kaia downloads the model file from the Hugging Face CDN (huggingface.co). The request includes standard HTTP metadata (IP, user agent). No account or identifier is attached.
  • Web search tool. When you invoke Kaia’s web-search ability, your search query is sent to a third-party search provider — either Brave Search (api.search.brave.com) or Tavily (api.tavily.com), depending on your Kaia settings. These providers receive your query and standard HTTP metadata; their handling is governed by their own privacy policies.
  • Chat history. Stored locally in an encrypted SQLite database (AssistantDatabase). Deleted when you uninstall the app.
  • In-app purchases. Kaia Pro is handled by Apple StoreKit (iOS) or Google Play Billing (Android). Entitlement is stored locally; Kai Hana does not see your purchase data.
  • Inter-app integration. Kaia exposes a signature-protected interface so the AutoPilot app (also from Kai Hana, signed with the same key) can request inference locally. Apps signed with other keys cannot use this interface.

AutoPilot

  • No Kai Hana backend, no analytics. AutoPilot has no user accounts, no cloud sync, and no telemetry — there are no analytics or crash-reporting SDKs of any kind. Your automations and their data stay on your device. The only times AutoPilot touches the network are Google Play Billing (for the Pro upgrade) and any HTTP-request action you build yourself (see below).
  • Why it requests permissions. AutoPilot is a general-purpose automation tool: it fires user-authored actions in response to user-selected triggers. Each permission backs a specific trigger or action that you opt into when you build an automation. Permissions are not used unless an automation you created requires them. Many triggers (screen on/off, battery, charging, Wi-Fi, Bluetooth, headset, shake, time) rely on ordinary system signals and sensors that need no sensitive permission.
  • Notification Listener. Required for the “notification received” trigger. Notification metadata (app, title, text) is matched against your conditions in memory and is not stored or transmitted.
  • Location (foreground only). Required for geofence enter/exit triggers and sunrise/sunset timing. AutoPilot does not request background location or activity recognition. Coordinates are handled on-device by Android’s geofencing service and are never sent to Kai Hana.
  • Calendar. Required for the “calendar event” trigger. Event data is matched against your conditions on-device.
  • Bluetooth. Required for Bluetooth connect/disconnect triggers.
  • NFC. Required for the “NFC tag” trigger.
  • Camera. Required only for the flashlight/torch and take-photo actions, and used only while such an action runs.
  • System-control actions. Do-Not-Disturb, ringer, and volume changes (notification-policy access); screen brightness (WRITE_SETTINGS); and force-stopping an app (KILL_BACKGROUND_PROCESSES) back the corresponding actions you can add. Time triggers use exact-alarm scheduling, and the always-on engine runs as a foreground service that re-arms your automations after a reboot.
  • HTTP-request action (optional). AutoPilot includes an action that sends an HTTP request to a URL you configure (for example, a webhook), with a method and body you define. This is the one outbound network path AutoPilot itself can make, and it runs only when an automation you built triggers it. The destination receives whatever you put in the request; nothing is routed through Kai Hana, and requests to private or loopback addresses are blocked.
  • WRITE_SECURE_SETTINGS. Used only if you grant it via ADB; enables the optional “wireless debugging auto-reconnect” feature, which communicates solely with your device’s own local ADB endpoint (127.0.0.1). Not requested at runtime.
  • Automation data. Your automation definitions, run history (if enabled), and settings are stored locally and deleted on uninstall. There is no cloud sync, and your automation definitions, run history, and Pro entitlement are excluded from Android’s cloud backup and device-transfer.
  • Inter-app integration. AutoPilot’s optional “Ask Kaia” action calls the sibling Kaia app via a signature-protected interface; the prompt is passed to Kaia on-device. If you enable web search for that action, Kaia may use its own web tools as described in Kaia’s section above.
  • In-app purchases. AutoPilot Pro is handled by Google Play Billing. Entitlement is cached locally (encrypted preferences). Kai Hana does not see your purchase data.

Cadence

  • On-device by default. Your tasks, lists, settings, activity history, and a local cache of your device-calendar events are stored only on your device. There are no user accounts and no sign-up. Lists you don’t share never touch the network.
  • Calendar (optional, read-only). With your permission, Cadence reads your existing device calendar so it can show your events alongside your tasks. It never creates, edits, or deletes calendar events, and the event details it displays are cached locally and never sent to Kai Hana. (On Android, the calendar library requires the write-calendar permission in order to read; Cadence does not use it to write.)
  • Voice capture (optional). Cadence can request microphone access to turn speech into a task. Speech-to-text is performed on-device by your operating system; audio is not uploaded. Permission can be revoked at any time from your OS settings.
  • Notifications (local only). Task reminders and daily/weekly/monthly briefings are scheduled and composed entirely on your device. Cadence uses no push notifications and no server to deliver them.
  • Shared lists (optional). If you choose to share a list, Cadence syncs that one list through a Kai Hana–operated Cloudflare Worker so the people you share with stay in sync. What leaves your device for a shared list: the shared tasks’ titles, dates, times, and completion state; the display name you enter; and a random per-device ID. Only those fields sync — your tasks’ notes, priority, subtasks, and reminders stay on your device. Authentication uses a token kept in your device Keychain (iOS) or Keystore (Android). On Android, your shared-list membership (that random device ID and token — not your tasks) is also backed up via Google Block Store so it can be restored if you reinstall or change devices; that backup is encrypted by Google and tied to your Google account, and we can’t read it. No email or account is involved. You can leave or delete a shared list at any time, which removes its data from the server and clears the Block Store backup.
  • No analytics, no ads, no tracking. Cadence contains no analytics, crash-reporting, or advertising SDKs. Apart from the optional shared-list sync above, it makes no network requests.
  • In-app purchases. Cadence Pro — a one-time lifetime unlock or an annual subscription — is handled by Apple StoreKit (iOS) or Google Play Billing (Android). Entitlement is cached locally; the store is the source of truth. Kai Hana does not see your payment details.

Murmur

  • No Kai Hana backend. Murmur does not communicate with any server operated by Kai Hana. Recordings, transcripts, and settings stay on your device. The “Information collected automatically” items in the umbrella section below do not apply to Murmur; per the precedence rule above, this section governs.
  • Microphone and speech recognition. Murmur requests microphone access to record, and (on iOS) the speech-recognition permission for Apple’s on-device engine. Audio is captured to the app’s private storage on your device and is never uploaded. A setting lets you delete the audio file automatically once it has been transcribed; either way, everything is deleted when you uninstall the app.
  • On-device transcription and polishing. Speech-to-text runs locally — Apple’s on-device speech engine where available, the Whisper model otherwise — and the optional “polish” step that reshapes a transcript runs on a local language model. The text of your recordings is never sent to a remote inference service.
  • Model downloads. The one network request Murmur makes is downloading a model file (Whisper, and optionally a small polish model) from the Hugging Face CDN (huggingface.co) on first use. The request carries standard HTTP metadata (IP, user agent); no account or identifier is attached, and none of your audio or text is sent.
  • Local storage. Transcripts, polished text, and entry metadata are stored in a local SQLite database in the app sandbox and deleted on uninstall.
  • No analytics, no ads, no accounts. Murmur contains no analytics, crash-reporting, or advertising SDKs, and has no sign-up.

Countdown

  • On-device by default. Your events, reminder rules, settings, and widget data are stored only on your device. There are no user accounts and no sign-up. Events you don’t share never touch the network.
  • Notifications (local only). Event reminders are scheduled and delivered entirely on your device as local notifications. Countdown uses no push notifications and no server to deliver them.
  • Shared events (optional). If you choose to share an event, Countdown syncs that one event through a Kai Hana–operated Cloudflare Worker so everyone with the invite code sees edits live. What leaves your device for a shared event: the event’s fields (title, date, and appearance settings), its background photo if you set one, and a random per-device key that marks edits as yours. Sharing uses an 8-character invite code; you can rotate the code at any time, which immediately revokes the old one. Join attempts are rate-limited to deter guessing.
  • Shared-event retention. A shared event’s data (including its photo) remains on the sync server so that other participants keep working even when you’re offline. Rotating the invite code cuts off new access but does not erase the data; to have a shared event removed from the server, email [email protected].
  • No analytics, no ads, no tracking. Countdown contains no analytics, crash-reporting, or advertising SDKs. Apart from the optional shared-event sync above, it makes no network requests.

What we collect

Information you provide

We don’t ask for your name, email address, phone number, or financial details. There are no user accounts and no sign-up step. Some apps request access to specific device capabilities (such as location, microphone, calendar, SMS, or notifications) to provide their core function — these are detailed per app under Per-app data practices and are only used when you opt in.

Information collected automatically

When you use our apps, the following data may be collected:

  • Device token — a random ID we generate on first launch. It’s stored only on your device (in iOS Keychain or Android Keystore) and sent to our backend so we can route alerts and IAP entitlements to your install. It cannot be tied to any other identifier we hold about you.
  • Push notification token — issued by Apple or Google when you grant notification permission. We store it alongside your device token so we can deliver alerts.
  • In-app purchase receipts — when you buy a paid feature (e.g. RateGlance Pro), the App Store or Google Play sends us a signed receipt. We forward it to Apple or Google for verification and store the resulting transaction identifier so the same receipt cannot be redeemed by a different device.
  • Alert configuration (Pro tier only) — pair, target rate, and direction. Stored on our server so we can check the rate hourly even when the app is closed.

Information processed by third-party services

  • Apple StoreKit / Google Play Billing — handle purchase and refund flows. We never see your payment details.
  • Apple Push Notification service / Firebase Cloud Messaging — deliver notifications for apps that use remote push (RateGlance and ClearCast).
  • Frankfurter (api.frankfurter.dev) — provides European Central Bank reference rates for RateGlance’s major-currency coverage. We do not send any personal information to this service — only currency codes.
  • Fawazahmed currency-api (latest.currency-api.pages.dev) — provides exchange rates for the long-tail currencies that ECB doesn’t cover (used by RateGlance). Free, open-data feed. We do not send any personal information — only currency codes.
  • Apple WeatherKit (weatherkit.apple.com) — primary forecast source for ClearCast. The request is signed by our Cloudflare Worker (so the Apple Developer key never ships in the app) and includes the approximate coordinates we need to fetch a forecast. Apple’s WeatherKit data handling is governed by Apple’s WeatherKit terms and the Apple Privacy Policy.
  • OpenWeatherMap (api.openweathermap.org) — provides air-quality data and city-name geocoding for ClearCast (proxied through our Cloudflare Worker). Receives approximate coordinates or the city search query you typed. See OpenWeatherMap’s privacy policy.
  • US National Weather Service (api.weather.gov) — provides severe-weather alerts for ClearCast users in the United States. Called directly from your device. Receives latitude/longitude and a User-Agent header containing our support email per NWS policy.
  • Search providers used by Kaia’s web-search tool — Brave Search (api.search.brave.com) and Tavily (api.tavily.com). The provider used depends on your Kaia settings. Each receives only the search query you typed and standard HTTP metadata.
  • Hugging Face (huggingface.co) — hosts the model files Kaia (Gemma) and Murmur (Whisper and the optional polish model) download on demand. Standard HTTP metadata only; no account is attached.
  • Webhook destinations you configure — AutoPilot’s optional HTTP-request action sends data to a URL you choose. The destination is entirely under your control; Kai Hana operates no part of it and never sees the request.
  • Cloudflare — hosts our backend workers for RateGlance (alert checks + IAP verification), ClearCast (WeatherKit/OWM proxy + push notification dispatch), Cadence (shared-list sync, only when you share a list), and Countdown (shared-event sync, only when you share an event). Standard request logs (IP, user agent, request path) may be retained briefly per Cloudflare’s policies for abuse prevention and operational monitoring. Kaia, AutoPilot, and Murmur do not use a Kai Hana backend.
  • Expo — used by RateGlance for push notification delivery infrastructure. ClearCast delivers its push notifications directly via APNs/FCM and does not route them through Expo. Kaia and AutoPilot do not use remote push.

What we do with the data

  • Authenticate your device against our backend so we know which install owns which alerts or notification preferences.
  • Verify in-app purchases and grant the corresponding entitlement (RateGlance).
  • Fetch and deliver rate-target alerts and weather briefings through APNs / FCM push.
  • Diagnose crashes and improve the app.

We do not:

  • Sell your data.
  • Share your data with third parties for their own marketing.
  • Build a profile of your behavior across apps or devices.
  • Track you across other apps or websites.
  • Show ads. As of v1.1, no Kai Hana app displays ads — the previous AdMob banner in ClearCast’s free tier was removed.

Data retention

  • On your device: data is stored in the app’s SQLite database and Keychain/Keystore. It is deleted when you uninstall the app.
  • On our server: for RateGlance Pro alerts, your device token, push token, alert configuration, and IAP transaction identifiers persist until you uninstall and the entry is pruned by inactivity, or until you contact us asking for deletion. For ClearCast’s notification features, your user ID, push token, location, and briefing settings persist on the same basis; turning notifications off in the app sends an immediate /unregister that clears the row. For Cadence shared lists, the shared tasks and member display names persist on the sync server until you leave or delete the list, which removes them. For Countdown shared events, the event fields and background photo persist on the sync server until you ask us to remove them (email [email protected]); rotating the invite code revokes access but does not erase the data.

Data deletion

You can remove all data we hold about your device at any time by:

  1. Uninstalling the app, or
  2. Emailing [email protected] from any address with your device token (you can find it under Settings → Diagnostics in a future update; for now, simply describe the device and we’ll handle it manually).

Children

Our apps are not directed at children under 13. We do not knowingly collect data from children. If you believe a child has used one of our apps, contact us and we’ll delete any associated data.

International users

Our backend runs on Cloudflare’s global edge network. Data may be processed in any region where Cloudflare operates. We rely on standard contractual clauses for international transfers where applicable.

If you are in the EEA, UK, Switzerland, or California, you have the right to access, correct, or delete data we hold about you, and to lodge a complaint with your local supervisory authority. Contact us at the address below.

Changes

We’ll update this policy when our apps change in ways that affect data practices. The “Last updated” date at the top reflects the most recent change. Material changes will be announced in the affected app’s release notes.

Contact

Email: [email protected]

This policy is provided for transparency and is not legal advice. It describes practices accurately to the best of our knowledge as of the date above.