Klimt Privacy Policy
Publisher: Authentic Life LLC, an Arkansas limited liability company ("Authentic Life," "we," "us," or "our")
Product: Klimt, an AI companion application
Effective Date: [to be set on the day of publication]
Last Updated: 2026-04-15
1. Introduction
This Privacy Policy describes how Authentic Life LLC collects, uses, shares, and protects information when you use Klimt through our mobile application, our website, or any other service that links to this policy (together, the "Service"). Klimt is an AI companion that engages you in guided conversations, surfaces reflections over time, and can integrate with compatible products in our ecosystem such as NV and nudaLabs. By creating an account or using the Service, you agree to the practices described here.
Klimt is designed for adults. The Service is not directed to individuals under the age of 18. We do not knowingly collect information from anyone under 18. If you believe a minor has provided us information, contact us at the address in Section 15 and we will remove it.
2. Information We Collect
Information you provide directly. When you create an account we collect your email address, your name, and the password you set. When you complete onboarding we collect the answers you give, the preferences you set, and any persona selections you make. When you chat with Klimt we collect the messages you send, the timing of those messages, and any files, images, or recordings you explicitly attach to a session. When you use Klimt's voice features we collect the audio you record and the transcripts derived from it. When you update your profile we collect the additional fields you enter.
Content you import from other products. You may choose to link your Klimt account to a companion product in our ecosystem, such as NV or nudaLabs. When you link, we receive the information necessary to personalize your Klimt experience, such as your NV archetype and persona scores or your nudaLabs health profile. You control whether to link and can unlink at any time from inside the Service.
Information generated by your use of the Service. When you interact with Klimt we generate and store session summaries, session bridges, recognized patterns, pending follow-ups, onboarding gap indicators, and persona-recommendation signals. Klimt uses these records to maintain continuity across your conversations.
Device and log information. When you access the Service we automatically collect device identifiers, operating system and version, application version, approximate language and time zone, IP address, and diagnostic information such as crash logs and performance metrics.
Payment information. If you purchase a subscription, our payment processor or the applicable app store collects billing details necessary to complete the transaction. We do not store full card numbers on our systems. We receive only a confirmation token and subscription status.
We do not collect. We do not collect government identifiers, bank account numbers, credit card numbers (beyond what our payment processor handles), biometric identifiers beyond the voice audio you choose to record, precise geolocation, contacts, photos outside of what you explicitly attach, microphone audio outside of features you explicitly activate, or social graph data.
3. How We Use Information
We use the information we collect to deliver and improve the Service. That includes authenticating your account, producing Klimt's responses, maintaining conversational continuity across sessions, surfacing proactive reflections, delivering voice responses where enabled, processing payments, debugging and securing the platform, measuring aggregate product performance, and complying with legal obligations.
We do not use your conversations, assessment imports, or account profile to train third-party AI models. Our third-party AI providers are contractually prohibited from training their foundation models on our customers' inputs and outputs.
We do not sell personal information, and we do not share personal information with third parties for their own advertising purposes.
4. How We Share Information
Service providers that process data on our behalf. We share information with vendors that operate parts of the Service under written contracts that restrict their use of the information to providing services to us. Our current service providers are:
Supabase Inc. (database, authentication, and storage, hosted in the United States)
Anthropic PBC (AI model inference for Klimt)
ElevenLabs Inc. (voice synthesis, where you use voice features)
HeyGen Labs Inc. (video avatar rendering, where you use avatar features)
Vercel Inc. (application hosting and edge functions)
Stripe Inc. or the Apple App Store or the Google Play Store (payment processing, depending on purchase channel)
RevenueCat Inc. (subscription status management for in-app purchases)
PostHog Inc. (product analytics and crash reporting)
Resend or an equivalent transactional email provider (account and service email delivery)
We maintain a current list of processors and will provide it on request for enterprise customers.
Cross-product personalization. If you choose to link your Klimt account to NV, nudaLabs, or another Authentic Life product, we share the minimum personalization signals necessary between those products on your behalf. Those signals are described inside the linking flow at the time you consent.
Legal and safety. We may share information when required by law, when responding to lawful requests from public authorities, to enforce our agreements, to protect our rights or the safety of users, or in connection with a merger, acquisition, or sale of assets, in which case we will post notice before a transfer.
5. Data Retention
We retain your account information, conversation history, and derived continuity records for as long as your account is active. If you delete your account, we remove your personal information from our active production systems within thirty days. Backup copies expire on a rolling basis and are fully purged within one hundred eighty days. Aggregated, de-identified data that cannot reasonably be linked to you may be retained indefinitely for product research.
You can delete specific conversations or specific voice recordings from inside the Service at any time. Deleted items are removed from active systems within thirty days.
6. Your Rights
You have the right to access the personal information we hold about you, the right to correct inaccurate information, the right to request deletion, the right to export your data in a portable format, and the right to withdraw consent where we rely on consent as the basis for processing. To exercise any of these rights, email the address in Section 15 or use the in-app controls described in Section 7. We will respond within thirty days, or sooner where required by law.
7. Account Deletion
You can delete your account and all associated personal data directly inside the Klimt application. From the Settings screen, select "Delete Account." You will be asked to confirm. Once confirmed, your profile, chat history, voice recordings, imported assessment data, subscription records, and authentication credentials are removed from our production systems within thirty days. Backups containing deleted data expire within one hundred eighty days.
You may also request account deletion by emailing nicktogle@me.com. Include the email address associated with your account. We will verify your identity and complete the deletion within thirty days.
Deleting your account ends your subscription. If you purchased through the Apple App Store or Google Play Store, you must also cancel the subscription in that store to stop future billing.
8. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information. These include encryption in transit using TLS 1.2 or higher, encryption at rest using AES-256, row-level access controls, unique user credentials, automatic session timeouts, audit logging, and restricted administrative access.
Klimt is architected to meet SOC 2 Type I criteria and the HIPAA Security Rule. We have not yet completed a SOC 2 Type I attestation and we do not currently hold HIPAA Business Associate Agreements with our downstream processors. If you are an enterprise customer or a health plan sponsor whose contract requires formal attestation or executed Business Associate Agreements, contact us at the address in Section 15 and we will coordinate those documents as part of the contracting process.
No method of transmission or storage is perfectly secure. We cannot guarantee the security of information you transmit to us or that we store, but we work continuously to protect it.
9. Children's Privacy
The Service is not intended for children. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected information from a person under 18 we will delete it. Parents or guardians who believe their child has provided us information should contact us at the address in Section 15.
10. International Users
We operate the Service from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to that transfer. Where required by law, we implement appropriate safeguards, including standard contractual clauses, for international transfers of personal data.
11. California Privacy Rights
If you are a California resident, the California Consumer Privacy Act and the California Privacy Rights Act give you rights with respect to personal information we hold about you. You have the right to know what categories of personal information we have collected, the sources, the business purposes, and the categories of third parties we have shared it with. You have the right to request deletion of your personal information, subject to exceptions allowed by law. You have the right to correct inaccurate personal information. You have the right to limit the use and disclosure of sensitive personal information. You have the right not to be discriminated against for exercising these rights.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We therefore do not provide a "Do Not Sell or Share" link, but if this practice changes we will update this policy and provide the mechanism required by law.
To exercise your rights, email nicktogle@me.com. We will verify your identity using reasonable methods before fulfilling your request.
12. European and United Kingdom Privacy Rights
If you are in the European Economic Area or the United Kingdom, the General Data Protection Regulation and the UK GDPR give you rights similar to those described above. The legal bases on which we rely are your consent (which you may withdraw at any time), the performance of a contract with you (for account functionality and paid services), and our legitimate interests in operating and securing the Service (where those interests are not overridden by your rights).
You have the right to lodge a complaint with your local data protection authority.
13. Health and Sensitive Information
Klimt is a general wellbeing companion and is not a medical device. The Service does not diagnose, treat, cure, or prevent any disease or medical condition. Conversations you have with Klimt may touch on sensitive topics, including physical health, mental health, relationships, and personal history. You control what you share. Do not share information you do not want stored in our systems.
If you use Klimt as part of a health plan, an employer wellness program, or a clinical context, the information you enter may constitute protected health information under United States law. In that case, we will only process the information under a written Business Associate Agreement with the covered entity. Ask your administrator whether such an agreement is in place.
14. Changes to This Policy
We may update this policy from time to time. When we make a material change we will post the updated policy inside the Service and update the Last Updated date at the top of this document. If a change materially reduces your rights, we will provide prominent notice and, where required, request your renewed consent.
15. Contact Us
Authentic Life LLC
Attention: Privacy
nicktogle@me.com