Privacy PolicyKept

Kept
Effective Date: June 30, 2026

Important: This Privacy Policy should be read together with our Terms of Service, which contains our End User License Agreement (EULA) and is intended to comply with App Store and Google Play requirements.

Summary (before you read the long version)

Kept is designed with privacy as a core principle, not as a feature.

  • Your medications, doses, family members, notes, and all health-related information are stored only on your device.
  • We do not send this health data to our servers. You have no account, and we hold no profile about you.
  • We never sell, rent, or share your data for advertising purposes.
  • You do not need to provide a name, email, phone number, or any identity information to use the app.
  • The only data that leaves your device is non-personal, non-health product/diagnostic statistics and (if you subscribe) your purchase information, each explained below.
  • Your data is never automatically backed up anywhere; if you want a backup, only you create it manually (export).
  • You can delete your data at any time with a single action, and uninstalling the app removes all of your data from the device.

This summary does not limit the binding nature of the detailed sections below; in case of conflict, the detailed sections prevail.

1. What this policy covers

This policy explains how the Kept mobile application (iOS and Android) processes, or, in most cases, does not process, your personal data. Under applicable data protection law, the data controller for the limited data that leaves your device is Emre Balli (AssetBox).

We want to be clear that the data you keep locally on your device is not, in technical terms, under a data controller's control. It is entirely under your control, and we have no access to it.

2. Data that stays on your device (data we cannot access)

All of the following data is stored only on your device. It is not sent to the internet, is not transmitted to us, and is not automatically backed up to any cloud. A backup is created only if you choose to, through a manual export you initiate (see Section 3.3):

  • Medication and supplement details: name, form, dose and unit, frequency, scheduled times, start/end/expiry dates, stock, intake instructions, color, urgency flag, and notes.
  • Dose records: taken / skipped / snoozed / missed states, timestamps, snooze information, and notes.
  • Family member profiles: name, relationship type (parent, child, partner, other), and the medication and dose records belonging to these people.
  • Barcode scans: codes you scan from medication packaging and the product information derived from them (such as batch/lot number, manufacturing date).
  • Preferences and statistics: theme, language, notification settings, profile name, adherence statistics, streak records, usage counters, and subscription tier.

The medication catalog is a fully offline information source bundled with the app. When you search the catalog or scan a barcode, no request is sent to the internet; everything happens on your device.

We cannot see, collect, or retrieve this data. If you lose your device or delete your data and you have not made a manual backup, we cannot recover it on your behalf.

3. Data that leaves your device (third-party services)

For transparency, below is the complete list of the only data categories that leave your device. None of them include your medications, doses, family members, notes, or health condition.

3.1 Product statistics and crash reports (Google Firebase)

To improve the app and detect crashes, we use Firebase Analytics and Firebase Crashlytics. These services may process the following non-health, not-directly-identifying data:

  • Device type, operating system version, app version, and language/region setting
  • A random app-instance identifier assigned by Firebase
  • General usage events (for example, opening a screen) and session information
  • IP address (used by Google only to infer an approximate geographic region and not stored for long)
  • When a crash occurs, technical crash logs and diagnostic data such as device state

We describe this as not directly identifying (pseudonymous) rather than fully anonymous, because device/session identifiers can technically be linked to a device. Your medication names, doses, health information, family information, and free-text notes are not included in this telemetry. Advertising ID collection is disabled, and we do not use advertising tracking.

This data is processed on Google's servers. For details, see Google's Privacy Policy and Firebase's privacy documentation.

3.2 Subscriptions and purchases (RevenueCat + Apple App Store / Google Play)

If you buy a Kept premium subscription, the purchase is made through the Apple App Store or Google Play, which process your payment information under their own policies. Your payment and card details never reach us.

We use RevenueCat to manage your subscriptions (purchase status, restore, tier tracking). RevenueCat may process:

  • A random app user identifier assigned to you that does not explicitly identify you
  • Purchase and subscription status (which product; trial, renewal, or cancellation state; platform)
  • Basic device and platform information

RevenueCat does not have access to your health data. For details, refer to the privacy policies of Apple, Google, and RevenueCat.

3.3 Sharing that you initiate

The following actions happen only when you initiate them, and you decide entirely where the data goes:

  • Creating a PDF adherence report and sharing it through your device's share sheet (for example, sending it to your doctor)
  • Exporting a JSON backup and emailing it or transferring it to another app
  • Sending a feedback email (to [email protected] through your device's mail app)

When you share a file (PDF or JSON) or an email out of your device, what happens to that data depends on the app or recipient you choose and is no longer under our control. JSON backups are not encrypted and contain readable health data; we recommend storing them somewhere secure.

3.4 Notifications

All reminders are local notifications only, scheduled on your device. No remote (push) notification server is used, so notification content (including medication names) is not sent to any server.

4. What we do not collect and do not do

As the concrete expression of our protective stance, we expressly commit that:

  • We do not ask you to create an account; we do not collect your name, email, or password.
  • We do not upload your health data to our servers.
  • We do not sell, rent, or share your data with third parties for marketing or advertising.
  • We do not show ads in the app and do not use advertising tracking (advertising ID, cross-app tracking).
  • We do not use your data for profiling, credit scoring, insurance, or similar decisions.
  • We do not perform automated decision-making or profiling; all in-app analysis (adherence, streaks, and so on) is computed locally on your device and never leaves it.

5. Permissions

Kept requests only the permissions needed for functionality:

  • Notification permission: to show medication reminders and tracking alerts. Declining it does not prevent you from using the app's core functions; only reminders will not work.
  • Camera permission: only when you use the barcode/QR scanner. The camera image is processed on your device; no photo or video is saved, and nothing is sent anywhere.

You can revoke permissions at any time from your device settings.

About notification delivery: Reminders are shown by your device's operating system, and their delivery depends on factors outside our control (the device being off, in airplane mode, or in low-power mode; battery and background restrictions; operating system scheduling behavior; or notifications being disabled). For this reason, we do not guarantee that notifications will always arrive, on time, or in full. Kept is a supportive reminder tool; we recommend that you do not rely solely on app notifications to take your medications on time.

6. Children's and family members' data

Kept includes family member profiles that let a caregiver or parent manage other people's medications (including children). Information you enter into these profiles, like all other health data, stays only on your device and is not transmitted to us.

When you enter data on behalf of someone else (especially a child), you represent that you have the necessary authority or guardianship to enter and store that data. Because the app does not collect personal data directly from the person using it, it does not knowingly collect data from children. Kept is not designed for direct use by young children.

7. Data retention and deletion

  • Data on your device remains there until you delete it or uninstall the app. When you uninstall the app, the app data protected by the operating system is also removed.
  • Using the "Delete all data" option in the app, you can permanently delete all medication, dose, and family data on your device.
  • Firebase telemetry and crash data is kept under Google's default retention periods (generally a limited time) and is not intended to identify you.
  • Subscription records in RevenueCat are retained by that service for legal and accounting obligations and to manage subscription history.

About data loss and integrity: Because your data is kept only on your device, we do not keep a backup of it on a server. Data loss or data corruption can occur if your device is lost, stolen, damaged, or reset, if the app is deleted, as a result of operating system updates, due to conditions or restrictions imposed on devices by your country or by competent authorities, or for other technical reasons beyond our control. We do not guarantee the persistence, integrity, accuracy, or recoverability of your data, and you acknowledge that such events may also affect the accuracy of the information or notifications displayed. Protecting your data is entirely your responsibility; we strongly recommend that you take regular backups (export) and store them somewhere secure.

8. Data security

  • All data on your device is subject to your device's operating-system-level security and encryption protections. To protect your data best, we strongly recommend using a screen lock (passcode or biometric) on your device.
  • Apart from operating-system protection, the data on your device is not separately encrypted by the app, so your device security is decisive for the security of your data.
  • The limited data that leaves your device (Firebase, RevenueCat) is transmitted to the relevant providers over encrypted connections (HTTPS/TLS).
  • While no system can be 100% secure, the core security advantage of our architecture is that the sensitive health data that needs protecting is never on our servers. There is no central pool of health data that could be breached.

9. International data transfers

The limited data that leaves your device (Firebase, RevenueCat) may be processed on servers in the countries where those providers are located (which may include the United States). These providers rely on transfer mechanisms such as standard contractual clauses under applicable data protection law. Because your health data does not leave your device, it is not subject to international transfer.

10. Legal basis and your rights

Where applicable, our legal bases for processing the limited data that leaves your device are: our legitimate interest in providing and maintaining the service (basic product statistics and crash diagnostics), the performance of a contract (subscription management), and, where required, your explicit consent.

Depending on your jurisdiction (for example, GDPR in the EU, KVKK in Türkiye, CCPA/CPRA in California), you may have the following rights: access, rectification, erasure, restriction of processing, data portability, and the right to object to processing.

An important note: because almost all of your health data is only on your device, you can exercise these rights largely directly from within the app. You can view, edit, export as JSON (portability), and delete your data. For requests regarding the limited data that leaves your device, contact us at [email protected]; we will respond within the period required by applicable law. You also have the right to lodge a complaint with the relevant data protection authority.

11. Health-related disclaimer

Kept is a reminder and tracking tool; it is not a medical device or a medical or clinical advisory service. The information in the app is for general informational purposes, is not a comprehensive clinical reference, and does not replace professional medical advice. Always consult a healthcare professional for decisions about your medications (doses, timing, medication changes, and so on).

12. Changes to this policy

We may update this Privacy Policy from time to time. For minor or clarifying changes, we will update the effective date at the top of this page. For material changes, such as collecting new categories of data, using a new third-party service, or processing your data for a new purpose, we will provide a prominent notice (for example, an in-app message) before the change takes effect, and where the change requires your consent under applicable law, we will ask for it. The current version is always available at https://asset-box.com/privacy/kept. We encourage you to review this page periodically; your continued use of the app after a change takes effect indicates your acknowledgment of the updated policy, except where applicable law requires your explicit consent.

13. Contact

For privacy questions or requests, contact us by email at [email protected]. Data controller: Emre Balli (AssetBox).