Privacy Policy

Effective May 2, 2026

Effective: May 2, 2026
Operator: MyKernl Inc. / 25CollectiveCo Inc., Montréal, Quebec, Canada
Jurisdictions served: Canada, United States, France, United Kingdom, Spain, and the European Union

Who we are

Kernl ("we", "us", "our") is a personal voice-first news and knowledge briefing service operated by MyKernl Inc. (subsidiary of 25CollectiveCo Inc.) at mykernl.com. This Privacy Policy explains what data we collect, how we use it, who we share it with, and the rights you have over it. By using Kernl you agree to this Policy. For users in the European Union, the United Kingdom, California, and Quebec, additional rights apply as detailed below.

This Policy applies regardless of where you reside. We are the data controller (under GDPR / UK GDPR / Quebec Law 25 terminology) for the personal data we collect about you.

Information we collect

Information you provide

  • Your phone number (required, your phone is your account on Kernl).
  • Your email address (optional, for the daily or weekly digest).
  • Your name (optional, for personalized greetings).
  • Your preferences: categories, news sources, podcasts, YouTube channels, language (EN, FR, or ES), schedule, voice tone.

Information collected automatically

  • Call logs: timestamps, duration, articles delivered, language detected.
  • Call interactions: structured records of what you do during a briefing: which stories you skip, which you ask to go deeper on, which you ask for additional perspectives on, and the text of follow-up questions you ask out loud. We do not retain the audio of your call; only the speech-to-text output that the phone network already produces is stored, alongside the cluster ID and category. Used to tailor future briefings to your interests (more of what you engage with, less of what you skip).
  • SMS logs: inbound and outbound messages, parsed commands (HELP, SETUP, STOP, DELETE, etc.).
  • OTP codes: 6-digit verification codes generated for signup or login. Transient, expire within 10 minutes, deleted after verification.
  • Web analytics on mykernl.com: minimal Cloudflare network logs (IP address, user-agent, request path) for security and abuse prevention. We do not use Google Analytics, Facebook Pixel, Amplitude, Hotjar, Intercom, or any third-party marketing tracker.
  • Billing metadata (paid tiers only): Stripe customer ID, subscription ID, subscription status, billing period (monthly/yearly), and renewal date. Card numbers are never stored on our side. Stripe handles them directly.

We do not collect: government IDs, payment card numbers (handled by Stripe directly), location data beyond your country phone code, contact lists, microphone access through the website, or audio recordings of your calls. Voice is transcribed in real time by Twilio's standard speech recognition and the audio itself is never written to our storage. We do retain the text output of that transcription for the questions you ask and the actions you take during a call (see "Call interactions" above), so we can adjust future briefings to your preferences.

Lawful basis for processing (EU / UK GDPR)

If you are in the European Union, the United Kingdom, or another jurisdiction where the GDPR or UK GDPR applies, we rely on the following legal bases under Article 6:

  • Contractual necessity (Art 6(1)(b)): to deliver the briefing service you signed up for, including OTP authentication, voice calls, SMS, and (when active) Stripe payment processing.
  • Consent (Art 6(1)(a)): for the optional email digest. You can withdraw consent at any time by texting EMAIL OFF or unsubscribing.
  • Legitimate interest (Art 6(1)(f)): for fraud prevention, abuse investigation, security monitoring, and service improvement (aggregate metrics only). Where we rely on legitimate interest, we have weighed our interest against your privacy and will adjust if you object.
  • Legal obligation (Art 6(1)(c)): for record-keeping, tax, and regulatory compliance.

We do not process special-category data (health, biometric, political, religious, etc.) unless you voluntarily include it in a free-text preference, in which case we treat it under Art 9(2)(a) explicit consent.

How we use your information

  • Deliver the news, podcast, and YouTube briefing service you signed up for.
  • Personalize briefings based on (a) the preferences you set explicitly in /setup, and (b) your call interactions: which stories you skip vs. ask to deepen, which categories you engage with, and the topics of your follow-up questions. The personalization is editorial only (story selection and ordering); it does not affect price, availability, eligibility, or any decision with legal or similarly significant effects.
  • Authenticate you via OTP for signup and account management.
  • Send the daily or weekly email digest if you opted in.
  • Respond to your SMS commands.
  • Comply with legal obligations and investigate fraud or abuse.
  • Improve service quality through aggregate metrics, never tied to your identity once aggregated.

We do not: train AI models on your data beyond what is needed to serve your briefing, sell or rent your data to third parties for marketing, or build advertising profiles.

We do not engage in automated decision-making that produces legal or similarly significant effects on you (Art 22 GDPR). The editorial personalization described above is a non-significant automated process; you can disable it at any time by texting RESET to your Kernl number, which clears your call-interaction history.

Service providers

We use these third-party processors to operate Kernl. Each receives only the minimum data needed for their function, under data processing agreements where required:

  • Twilio (United States): voice calls, SMS delivery, OTP verification. Receives your phone number, message bodies, and call audio in transit.
  • Supabase (United States and EU regions): database hosting. Stores your account data, encrypted at rest with row-level security policies.
  • Anthropic (United States): AI summarization via the Claude API. Receives article URLs, headlines, and body text from public news sources. Does not receive your personal data (phone, email, name).
  • Google Cloud (United States and EU regions): text-to-speech (Chirp3-HD voices). Receives the briefing script text only. Never your raw inputs.
  • SendGrid (United States): email digest delivery. Receives your email address and the digest content.
  • Stripe (United States and EU): handles payment processing for paid tiers (Standard, Enhanced, Pro). Stripe receives your name, email, and payment card; we receive only a customer ID, subscription ID, status, billing period, and renewal date. Never card data. Stripe is PCI-DSS Level 1 certified.
  • Hetzner (Germany): future Phase 2 TTS. Will run dedicated GPU voice synthesis. Receives only the briefing script text.
  • Cloudflare (global edge, including EU): DNS, DDoS protection, basic security analytics. Receives IP address, user-agent, request path.

Each processor has its own privacy policy. We pick processors with strong data protection standards and binding data processing agreements (DPAs).

AI processing disclosure

Kernl is AI-powered. We use Anthropic's Claude to summarize publicly-available news articles into your briefing. We use Google Cloud Text-to-Speech (Chirp3-HD voices) to synthesize the audio.

What this means in practice: Anthropic processes article URLs and content from public news sources. Google Cloud processes the briefing script text. We do not send your personal data (phone, email, name, preferences) to either provider. Both are bound by their enterprise privacy commitments; we use enterprise-grade API endpoints, not consumer-facing ones, and our agreements prohibit them from using your data to train their general-purpose models.

Sharing and disclosure

We do not sell, rent, trade, or otherwise distribute your personal data to third parties for advertising. Under California's CCPA / CPRA, we confirm: we have not sold or shared personal information for cross-context behavioral advertising in the past 12 months and we do not intend to. Narrow exceptions:

  • Service providers listed above, acting on our behalf under DPAs.
  • Legal obligation: if required to comply with a valid subpoena, court order, or other legal process; to investigate fraud; or to protect our users.
  • Business transfer: if Kernl is acquired or merged, your data may transfer to the new entity, who will be bound by this same Policy (or a substantially similar one).

International data transfers

Your data may be processed in the United States, the European Union, the United Kingdom, and Canada by the service providers listed above. Specifically:

  • Transfers from the EU/UK to the United States rely on the EU-US Data Privacy Framework where the recipient is certified, supplemented by Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO Addendum.
  • Transfers to Canada rely on the European Commission's adequacy decision for Canada (commercial organizations).
  • Where neither a Framework nor adequacy applies, we use SCCs and conduct transfer impact assessments to ensure equivalent protection.

You may request a copy of the safeguards in place by emailing [email protected].

Data retention

We retain your data while your account is active. After account deletion (text DELETE to your Kernl number), we permanently delete your account record within 30 days. Some metadata (call logs, SMS logs) may be retained for up to 90 days for fraud and abuse investigation, then permanently deleted. Backups follow a 7-day rolling deletion cycle. Where we are required by law to retain certain records (e.g., billing records for tax purposes), we retain them only for the period required.

Your rights and controls

The following rights apply to all users; some are derived from CCPA/CPRA (California), GDPR / UK GDPR (EU/UK), or Quebec Law 25:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data. Text SETUP or email us.
  • Erasure ("right to be forgotten"): text DELETE to your Kernl number, or email us. We will delete your account within 30 days.
  • Restriction: ask us to limit processing in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format and (where technically feasible) have it transmitted to another controller.
  • Object: object to processing based on legitimate interest.
  • Withdraw consent: where processing is based on consent (e.g., email digest), you may withdraw at any time without affecting the lawfulness of prior processing.
  • Pause the service without deleting. Text PAUSE (resume with RESUME).
  • Stop SMS: text STOP (industry standard).
  • Opt out of the email digest: text EMAIL OFF or click unsubscribe in any digest email.
  • Non-discrimination (CCPA): we will not deny service, charge different prices, or provide a different quality of service for exercising your rights.
  • Designate an authorized agent (CCPA): you may use a verified agent to exercise your rights on your behalf.

To exercise any of these rights, email [email protected] or use the SMS commands listed. We will respond within 30 days (extendable to 60 days for complex requests, with notice). There is no fee for standard requests.

Quebec Law 25 specifics: residents of Quebec have additional rights to be informed of automated decisions and to request human review. To date, Kernl does not make automated decisions with legal or similar effects.

California-specific privacy notice (CCPA / CPRA)

This section provides additional disclosures required by the California Consumer Privacy Act and California Privacy Rights Act. It serves as Kernl's Notice at Collection under Cal. Civ. Code §1798.100(a). For California residents, this section governs in the event of a conflict with other parts of this Policy.

Categories of personal information we collect

In the past 12 months we have collected the following categories of personal information, as defined by Cal. Civ. Code §1798.140:

  • Identifiers: name (optional), phone number, email address (optional), unique device identifiers used by Cloudflare for security.
  • Customer records (§1798.80(e)): preferences (categories, sources, language), account creation timestamp, subscription tier.
  • Commercial information: subscription tier and (when Stripe is active) records of purchases.
  • Internet or electronic network activity: IP address, user-agent, request paths logged by Cloudflare for abuse prevention; logs of SMS commands you send.
  • Geolocation: country dial code derived from your phone number (e.g. +1 → North America). We do not collect precise geolocation.
  • Audio / electronic information: text output of in-call speech recognition (Twilio's free SpeechResult). We do not retain raw audio of calls.
  • Inferences: aggregate usage patterns (which categories you skip vs. ask about) to personalize the briefing. Stored as structured action events, never linked to advertising profiles.

We do not collect: biometric information, professional/employment information, education records, financial account numbers (handled by Stripe directly), precise geolocation, racial/ethnic origin, religious or philosophical beliefs, union membership, genetic or health data, sexual orientation, citizenship/immigration status, or contents of mail, email, or text messages where Kernl is not the intended recipient.

Sensitive Personal Information (CPRA §1798.140(ae))

Kernl receives only the following limited categories of sensitive personal information:

  • Account log-in / authentication credentials: 4-digit PIN and OTP codes (transient, expire within 10 minutes).
  • Contents of communications: SMS commands you send to Kernl and questions you ask during a call. Kernl is the intended recipient of these communications, which under §1798.140(ae)(2)(B) means the right to limit use does not apply to this category.

We use sensitive personal information only as reasonably necessary and proportionate to perform the service you requested and for the security purposes listed in §1798.121(d) (preventing security incidents, protecting against fraud, enabling short-term transient use). We do not use it to infer characteristics about you, sell or share it, or use it for any other purpose. Because our use falls within the §1798.121(d) exemption, the "Limit the Use of My Sensitive Personal Information" right and link do not apply.

Sources of personal information

  • Directly from you: name, phone, email, preferences, PIN, SMS commands, voice queries.
  • Automatically from your interaction with the service: call logs, SMS logs, language detection.
  • From service providers acting on our behalf: Twilio (call/SMS metadata), Cloudflare (network telemetry), Stripe (when active, billing status).

Purposes for collection and use

  • Provide and personalize the news briefing service you signed up for (all categories).
  • Authenticate you (Identifiers, Sensitive PI: credentials).
  • Communicate with you about the service via SMS, voice, or email (Identifiers).
  • Detect, prevent, and respond to fraud, abuse, and security incidents (Identifiers, Internet Activity, Sensitive PI).
  • Comply with legal obligations and enforce our Terms (Identifiers, Customer Records, Commercial).
  • Improve the service through aggregate, de-identified metrics (Inferences).

Categories of recipients

We disclose personal information to:

  • Service providers and contractors (CCPA-defined): Twilio, Supabase, Anthropic, Google Cloud, SendGrid, Stripe, Cloudflare, Hetzner. Each is bound by a written contract that prohibits use of your information beyond the contracted services.
  • Government and legal recipients: only when required by valid legal process, to protect rights or safety, or in connection with a corporate transaction (subject to this Policy).

We do not disclose personal information to "third parties" as defined by CCPA, i.e., parties that use the data for their own purposes outside the service-provider relationship.

No sale or sharing

We do not sell or share your personal information, including for cross-context behavioral advertising, as those terms are defined under CCPA §1798.140(ad) to (ah). We have not sold or shared personal information in the preceding 12 months and have no plans to do so. As a result, no "Do Not Sell or Share My Personal Information" link is required on our website, and we do not provide one. We do not knowingly sell or share the personal information of consumers under 16 years old; Kernl is 18+ globally.

Retention by category

  • Account data (phone, name, email, preferences, PIN): for the life of the account; deleted within 30 days of account deletion.
  • OTP codes: under 10 minutes (transient).
  • Call logs / SMS logs: up to 90 days, then deleted.
  • Call interactions (skip / deep / perspectives / question events, text only, no audio): up to 12 months for personalization, then aggregated and per-user records deleted.
  • Cloudflare access logs: 7 days rolling.
  • Backups: 7-day rolling deletion cycle.
  • Billing records (Stripe, when active): retained for the duration required by tax law (typically 6 to 7 years).

Your California rights (consolidated)

  • Right to know: what personal information we collect, use, disclose, and (if applicable) sell or share.
  • Right to delete: personal information we have collected from you.
  • Right to correct: inaccurate personal information.
  • Right to opt out of sale or sharing: not applicable. We do not sell or share.
  • Right to limit use of sensitive personal information: not applicable. Our SPI use falls within the §1798.121(d) exemption.
  • Right to portability: receive your data in a structured, commonly used format.
  • Right to non-discrimination: we will not deny service, charge a different price, or provide a different quality of service for exercising these rights.
  • Right to designate an authorized agent: you may use a verified agent to exercise your rights on your behalf. We may verify both the agent's authority and your identity.

To exercise these rights, email [email protected] from the address on your account, or use the SMS commands SETUP / DELETE / PAUSE from your registered phone. We respond to verifiable requests within 45 days, extendable once for 45 additional days with notice. For deletion requests, we may need to verify your identity by sending an OTP to your registered phone. There is no charge for standard requests.

Children's personal information

Kernl is 18+ globally. We do not have actual knowledge of selling or sharing the personal information of consumers under 16 years old (CCPA §1798.120(c)).

Notice of financial incentives

We do not offer financial incentives or price/service differences in exchange for the collection, sale, or retention of personal information.

Metric disclosures

We do not currently meet the threshold (4M+ California consumer records or alternative tests under §999.317(g)) that would require us to publish CCPA request metrics. If we cross the threshold, we will publish the metrics here.

Supervisory authorities

If you believe we have violated your data protection rights, you may lodge a complaint with the supervisory authority of your jurisdiction. We would appreciate the chance to address your concern first by emailing [email protected].

  • Canada (federal): Office of the Privacy Commissioner of Canada: priv.gc.ca
  • Quebec: Commission d'accès à l'information du Québec (CAI): cai.gouv.qc.ca
  • United States (federal): Federal Trade Commission: ftc.gov
  • California: California Privacy Protection Agency (CPPA): cppa.ca.gov
  • France: Commission Nationale de l'Informatique et des Libertés (CNIL): cnil.fr
  • Spain: Agencia Española de Protección de Datos (AEPD): aepd.es
  • United Kingdom: Information Commissioner's Office (ICO): ico.org.uk
  • Other EU member states: a list of national data protection authorities is maintained by the European Data Protection Board at edpb.europa.eu.

Cookies and similar technologies

mykernl.com uses only essential cookies and similar technologies required to operate the site (e.g., a session token to keep you logged in to /manage, CSRF protection, Cloudflare's bot-detection cookie). We do not use marketing, advertising, or cross-site tracking cookies. Because we use only essential cookies, no consent banner is required under the EU ePrivacy Directive.

Your browser may also store local data unrelated to us (e.g., for the dark-mode toggle on the site). You can clear all site data via your browser settings at any time.

Security

We use industry-standard security: encryption in transit (TLS 1.3), encryption at rest, row-level security policies on the database, principle-of-least-privilege access, and short-lived OTP codes. Payment card data is handled exclusively by Stripe. We never store it. We rotate API keys regularly and audit access.

If we discover a personal data breach affecting your information, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Art 33-34, UK GDPR, and Quebec Law 25 (Article 3.5).

Children's privacy

Kernl is not intended for users under 18 years old. We do not knowingly collect data from minors. If you believe a minor has signed up, contact us and we will delete the account. (We apply 18+ globally, even where local law permits a lower age.)

Changes to this Policy

We may update this Policy. For material changes, we will notify you via SMS and (if you have provided an email) via email at least 14 days before the changes take effect. The "Effective" date at the top of this page reflects the latest version. Material changes will not apply retroactively to data processed before they take effect.

Language

This Privacy Policy is provided in English. French and Spanish translations may be made available for convenience; in the event of any conflict, the English version prevails. Quebec residents may request a French version, and we will provide one free of charge.

Contact

  • Email (general + privacy inquiries): [email protected]
  • Postal: 25CollectiveCo Inc., Montréal, Quebec, Canada

This Privacy Policy is governed by the laws of the Province of Quebec, Canada. Where a mandatory consumer-protection law of your country grants you additional rights, those laws prevail to the extent required.