Kenoco Privacy Policy
This English version is a translation of the original Japanese Privacy Policy. The Japanese version is the governing version, except where mandatory law requires otherwise.
Ruth Heath Garden K.K. (the “Company”) establishes this Privacy Policy for the handling of information relating to users, website visitors and persons recorded by users in the Kenoco iOS application and related services (the “Service”), and on the Company website at kenoco.app (the “Website”; collectively, the “Services”).
The Service generally stores photos and health-related records on the user’s device. If Family Sharing is enabled, records are shared with people selected by the user through Apple CloudKit. In the European Economic Area (“EEA”), the Service does not offer external AI image analysis, AI-credit products or feature contribution and does not create a Firebase anonymous account. EEA Kenoco Plus purchases and restorations are verified locally through StoreKit; only a minimal Plus status is shared through CloudKit when Family Sharing is enabled. Outside the EEA, information required for external AI image analysis is sent to the Company’s servers and Google’s AI service only when the user has enabled the feature and manually requests an analysis. Separately, only users of the Japan App Store storefront may voluntarily contribute image features and confirmed labels without the original image or persistent user identifiers.
The Website processes access logs, uses web fonts for delivery, security and operation, and uses Google Analytics 4 to understand aggregated usage and improve navigation and display quality. Cookie-based analytics runs only if a visitor accepts in the consent banner. Photos, health-related records, profiles and notes stored in the Service are not sent to Website analytics.
1. Information handled and how it is obtained
1.1 Information entered or stored by users
- Profile information about the recorded person, including name, date of birth, sex, weight and display settings
- Records, including dates, categories, photos, temperature, mood, complexion, diaper, vomit, skin and injury observations, symptom tags, body regions and notes
- Results generated by on-device analysis or optional external AI analysis
- App settings, consent status and Family Sharing metadata, including minimal Plus entitlement status, verification time, schema version and revocation time; CloudKit does not receive transaction identifiers, signed transactions or Apple account information as a Plus family entitlement
- Outside the EEA, App Store transaction, purchase, refund, entitlement and AI-credit ledger information
- Information submitted in support inquiries
1.2 Device and third-party service information
The Service may handle camera or photo-library images selected by the user, device-authentication results (but not biometric templates), Apple ID/iCloud/CloudKit status and StoreKit data. Outside the EEA, it may also handle App Store Server API data, Firebase anonymous authentication used for external AI and AI credits, and Firebase App Check attestation information. App Check may also be used for the Japan-only contribution endpoint.
1.3 Automatically collected information
When the Service communicates with Company or service-provider systems, the Company or its providers may process IP address, OS and app version, network information, request identifiers, processing results, errors, access times and App Check verification results. The Company does not add Firebase UID or another persistent user identifier to contributed feature records. Infrastructure providers may nevertheless temporarily process network metadata for delivery and security.
1.4 External AI image analysis
External AI image analysis is available only outside the EEA and only when enabled and manually requested. The Service may send a compressed image copy with unnecessary EXIF metadata removed, the record category, age in months, subtype, body-region candidate, capture time, optional user note, display language, a Firebase anonymous-authentication token and an App Check token. The Company handles the image in memory during processing and does not save it to persistent Company storage. Google handles data under the applicable Gemini API agreement and settings.
1.5 Optional contribution of image features and labels
The Service generates numerical representations of visual image features (“image features”) on the device and uses them for classification suggestions and on-device improvements. Local samples may include image features, confirmed category, body region, stool-color card, accepted or rejected visual tags, correction status, a local photo filename and creation time. Local samples are retained up to an application-defined limit, and older samples are removed when that limit is exceeded. They are not placed in CloudKit, Family Sharing or Company servers.
Only in the Japan App Store storefront, and only after separate, freely given opt-in consent, the Service may contribute new samples created after consent. It does not backfill earlier records. Contributed data may include the feature vector, confirmed or corrected category, body region, stool-color card and accepted or rejected visual tags.
Contributed data does not include the original image, photo filename, name, birth date, sex, weight, note, capture time, location, Firebase anonymous UID, device ID, household ID, photo ID, record ID or another identifier intended to search for the user or device over time. The contribution endpoint does not use Firebase Authentication, and the Company does not create a contributor lookup table. App Check and network information may be temporarily processed by infrastructure providers for security and delivery.
Contribution is optional and does not affect core features. Turning it off stops future contribution and deletes unsent queued data from the device. Because no contributor mapping is retained, the Company cannot locate, disclose or individually delete samples already received. Raw contributed samples are deleted within 12 months after receipt. Statistics, reference data or trained models that cannot be linked back to a contributor may remain after raw samples are deleted. Contributed feature data is not provided to external AI providers or other third parties.
1.6 Purchases and refund review
Kenoco Plus entitlement is verified on the device in every region. If the user enables Family Sharing, only the minimum information necessary to share the Plus entitlement is stored in the shared CloudKit group. CloudKit does not receive transaction identifiers, signed transaction data or Apple account information for this purpose.
Outside the EEA, the Company processes App Store transaction identifiers, product, environment, refund and entitlement status, AI-credit balance, anonymous Firebase UID and household purchase-ledger identifiers as necessary to deliver AI credits, prevent abuse and respond to refunds. The Company does not create or query a Firebase anonymous account, Company purchase ledger or AI-credit balance for EEA Plus purchases or restorations. If Apple requests consumption information for an outside-EEA AI-credit refund review, the Company may provide transaction and consumption status, delivery status, platform, refund preference, free-use information and consent status. No photo, feature vector, health record, note or AI observation is included.
1.7 Information not collected by the Company
The Company does not receive local-only records, photos or feature vectors unless the user uses external AI analysis or the Japan-only contribution feature. In-app camera photos are not added to the iOS Photos library or iCloud Photos unless the user separately exports them. The Service does not request location, contacts or microphone audio and does not receive Face ID biometric templates.
1.8 Website information
When a visitor uses the Website, the Company or its delivery, security and analytics providers may process IP address, access time, page URL and title, referrer, browser, operating system, device type, display language, screen information, network and error information, and information needed for content delivery, DDoS protection and abuse prevention.
Google Analytics 4 additionally processes page views, scrolling, link interactions and other configured events, consent state, and approximate location derived from the IP address. If a visitor accepts analytics, it also processes a client identifier stored in cookies such as _ga and session data. Google Analytics may process the IP address at collection time for communications and approximate geolocation. The Company does not send names, email addresses, Service photos, health records, profiles, notes or a Company-assigned user ID to Website analytics.
The Company uses Google consent mode. Cookie-based analytics runs only if a visitor accepts in the Website’s consent banner. If a visitor has not accepted or has declined, a minimal cookieless transmission — page URL, referrer, IP address, device and browser information and consent state — is still sent to Google Analytics 4. Ways to block that transmission as well, change the stored choice and delete cookies are described on the External Transmission of User Information page.
The Company does not use Google Signals, Google Ads links or ad personalization, and advertising-related consent types default to denied. If the Company uses analytics for advertising, it will separately disclose that use and obtain any consent required by law.
2. Purposes of use
The Company uses information to provide, save, display, edit and delete records; operate optional iCloud and Family Sharing; provide user-requested external AI analysis; validate the app through authentication and App Check; maintain security and quality; answer inquiries and legal requests; notify users; produce non-identifying statistics; improve on-device classification from separately consented Japan-only contributions; manage App Store purchases, credits and refunds; deliver and protect the Website; investigate Website failures and abuse; and, through Google Analytics 4, understand aggregated Website usage and improve its content, navigation and display quality.
External AI input and output are not used to train a Company model without separate express consent. Contributed features are used only for classification evaluation, bias and error analysis, threshold adjustment, reference-data/model development and safety improvement, and not for advertising or medical decisions about an individual.
3. Service providers and external transfers
The Services use external providers for feature delivery, Website delivery, security, purchase processing and optional features selected by the user. The providers, transmitted information, Company and provider purposes, transmission conditions and stopping methods are published on the separate External Transmission of User Information page.
Information sent to an external provider is handled under the provider’s privacy materials and terms, the Company’s agreement and settings, and other applicable conditions. Where an external transmission also involves disclosure of personal data to a third party or processing by a foreign recipient, Sections 4 and 5 of this Policy also apply.
4. Disclosure to third parties
The Company does not disclose personal data without consent except for user-directed Family Sharing, Apple refund review, processing by vendors necessary for the purposes above, business succession, legal obligations, or protection of life, body or property where permitted by law.
5. Foreign recipients and international processing
The Services use services provided by Apple Inc., Google LLC and Cloudflare, Inc., whose principal country of establishment is the United States. Even where the Company selects a Tokyo or other Japan-based server region, a foreign provider may process information outside Japan for maintenance, security, support or subprocessors.
These providers use globally distributed infrastructure and may change routing, redundancy locations, support locations or subprocessors. It may therefore be impossible to identify in advance every country in which a particular communication or processing operation will occur. The reason is that the relevant infrastructure, route or subprocessor may change based on availability, security and operational conditions. Available country, subprocessor and safeguard information is provided through the provider materials linked from the External Transmission of User Information page and through the information-request process below.
Where a foreign provider handles personal data, the Company will generally provide the data only after confirming, through a contract, terms of service, data-processing terms or another appropriate and reasonable method, that the provider has established a system for continuously implementing measures equivalent to those required under Article 28 of Japan’s Act on the Protection of Personal Information. If the Company cannot confirm such a system, it will, unless a statutory exception applies, provide in advance information about the country, its personal-information protection system and the provider’s safeguards, and obtain the individual’s consent to the foreign transfer.
When relying on an equivalent-measures system, the Company will review the provider’s measures and relevant foreign legal system approximately once per year, or more frequently where warranted by risk. If implementation is impaired, the Company will seek remediation and stop the transfer if continued implementation cannot be secured.
An individual may contact the Company under Section 9 to request information required by applicable law about the method used to establish the provider’s system, the provider’s safeguards, review frequency and method, country, relevant legal system, any impairment and responsive measures. The Company will verify identity and respond without undue delay as required by law.
6. Security measures
Measures include storing photos in the app container with iOS file protection; encrypting communications; removing unnecessary image metadata before external AI transmission; obtaining separate contribution consent; excluding images, profiles and persistent user identifiers from contributed payloads; validating external AI with authentication and App Check; validating feature contribution with App Check without Firebase Authentication; access control, logging review, incident response and processor oversight.
7. Retention, backup and deletion
- On-device records and photos remain until individually deleted, device-app data is deleted, or the app is removed. App data, including photos, is eligible for standard iCloud/Finder device backup. Restoring an earlier backup may restore deleted data.
- CloudKit records and minimal Plus status remain as needed for Family Sharing and are also subject to Apple’s deletion behavior.
- External-AI image copies are not persistently stored by the Company and are discarded from processing memory after completion.
- Local feature samples are retained up to an application-defined limit, and older samples are removed when that limit is exceeded. They are not placed in CloudKit, Family Sharing or Company servers.
- Raw contributed feature samples are deleted within 12 months. Individual lookup or deletion is not possible because no contributor mapping is retained. Non-linkable aggregate outputs or trained models may remain.
- Outside-EEA purchase and AI-credit ledgers, security, support and communication logs are retained only as necessary for service delivery, fraud prevention, incident response and legal compliance. No Company Firebase purchase ledger is created for EEA Plus purchases or restorations.
- Website delivery and security logs are retained under Company or provider settings only as necessary for delivery, incident response, abuse prevention and legal compliance.
- Analytics data is retained for the period configured by the Company in Google Analytics 4 or otherwise necessary for aggregation and analysis. Visitors may decline cookie-based analytics through the consent-management control provided by the Company, and may delete analytics cookies through browser settings.
“Delete app data on this device” deletes local records, photos, local feature samples and unsent contribution data. It does not delete earlier Apple device backups, CloudKit data, copies on another family member’s device or already-received unlinked feature samples.
8. Adults and information about children
The Service is for users aged 18 or older, including parents, guardians and other authorized caregivers. Users recording another person must have consent or other lawful authority to store, share, externally analyze or contribute information relating to that person. The Service is not directed to children as users.
9. Rights and contact
Users may exercise rights available under applicable law regarding personal data held by the Company. The Company verifies identity and responds as required by law. Because contributed feature records have no contributor mapping, the Company cannot identify a particular user’s record for individual access, correction or deletion unless applicable law requires another result.
- Controller: Ruth Heath Garden K.K.
- Address: Osaki Bright Core 4F, 5-5-15 Kitashinagawa, Shinagawa-ku, Tokyo 141-0001, Japan
- Person responsible for personal information: Hiroto Nakai
- Contact: the support form in the Service or on the Company website
10. Changes
The Company may amend this Policy for legal, service or operational reasons and will publish the updated Policy in the Service or on its website. Where applicable law requires consent for a material change, the Company will obtain it.
11. Governing version and regional scope
The Japanese version is the original and this English version is a translation. Mandatory law in a user’s region prevails where applicable. The Company applies Japanese privacy law and other laws applicable in the regions where it offers the Service. External AI analysis, AI-credit products and feature contribution are not offered in the EEA. Firebase Authentication, App Check, Company billing servers and Firestore are not used for EEA Plus purchase or restoration. Plus is verified locally through StoreKit and optional Kenoco Family Sharing uses CloudKit. Feature contribution is offered only through the Japan App Store storefront.
Established: July 12, 2026 Updated: July 14, 2026 Updated: July 15, 2026 Updated: July 17, 2026