Privacy Policy
Last Updated: April 16, 2026
This Privacy Policy explains how Lilikoi, Inc. ("Lilikoi," "we," "us," or "our") collects, uses, discloses, and protects information when you use our mobile application, website, and related services (the "Service"). It also explains the rights you have regarding your information.
Lilikoi is a general-wellness, AI-based coaching tool. Lilikoi is not a HIPAA-covered entity and does not provide medical care. We nevertheless treat the information you share with us — which may include sensitive consumer health data — with heightened care.
Quick Summary
| What we collect | Why | How long | Shared with |
|---|---|---|---|
| Account info (email, credentials) | Authentication, support, service emails | Until account deletion + up to 90 days in backups | Auth & email vendors |
| Voice recordings & transcripts | To generate AI responses and summaries | Recordings: up to 30 days (unless you save). Transcripts: until you delete or account deletion | Speech-to-text & LLM providers (as processors) |
| Conversation summaries & toolkit data | Personalization, progress tracking | Until you delete or account deletion | Cloud storage provider |
| Technical/usage data (IP, device, app events) | Security, diagnostics, product analytics | Up to 24 months | Analytics, crash-reporting, and hosting vendors |
We do not sell your personal information. We do not use your conversations to train third-party AI models. See the full policy below for details.
1. Information We Collect
We collect the following categories of information, from the sources noted, for the purposes noted.
Account & Identifiers: Email address, account credentials, user ID, and, if you provide them, first name or display name. Source: you.
Session & Activity Data (Sensitive): Voice recordings, text transcripts, text chats, AI-generated responses and summaries, saved tools, and activity history. Source: you and the Service.
Inferences & Derived Data (Sensitive): Signals or themes the Service may derive from your interactions to personalize responses (e.g., topics you have explored). Source: the Service.
Technical & Usage Data: IP address, device type and identifiers, operating system, app version, crash logs, feature usage, session timestamps. Source: your device and the Service.
Payment Data: If you purchase a subscription, the app store (Apple/Google) or our payment processor handles payment details; we receive transaction metadata (e.g., confirmation, plan, renewal dates).
Communications: Emails or messages you send us.
Sensitive Personal Information / Special Category Data. Voice recordings, transcripts, and content about your mental, emotional, or physical health may constitute "sensitive personal information" (CCPA/CPRA), "consumer health data" (Washington My Health My Data Act, Nevada, Connecticut), "special category data" (GDPR/UK GDPR Art. 9), and/or "biometric identifiers" (e.g., Illinois BIPA, Texas CUBI). We process this information only with your consent and only for the purposes described below.
2. How We Use Your Information
- To provide the Service, including generating AI responses, summaries, and personalized coaching content;
- To authenticate you, maintain account security, and detect fraud or abuse;
- To communicate with you about the Service (e.g., transactional emails, support replies);
- To improve the Service, including debugging, analytics, and quality assurance using de-identified or aggregated data;
- To detect and respond to potential safety risks, including crisis-language signals;
- To comply with legal obligations, enforce our Terms, and protect rights, property, and safety.
We do not use your conversations to train foundational AI models — ours or those of third parties — and we instruct our AI providers not to train on your data where such controls are available.
3. Legal Bases (EU/UK/EEA Users)
Where the GDPR or UK GDPR applies, we process your personal data on the following legal bases:
- Your explicit consent for processing special-category (mental-health) data and for voice recordings (you can withdraw consent at any time);
- Performance of a contract to provide the Service you requested;
- Our legitimate interests in securing, improving, and operating the Service, where not overridden by your rights;
- Compliance with legal obligations.
4. Consent to Voice & Biometric Processing
By choosing to speak with Lilikoi, you provide your explicit, informed consent to the recording, transmission, storage, and processing of your voice for the purpose of generating transcripts and AI responses. We do not use your voice to create a voiceprint or to identify you biometrically. You may disable voice features and use text-only mode at any time. You may withdraw consent by deleting your recordings or your account. Any voice data we retain for biometric-like purposes (if any) will be destroyed within the timeframes required by applicable law.
5. How We Share Information
We share information only in these limited circumstances:
Service Providers (Processors): We use vendors to operate the Service, including categories such as: cloud hosting and storage, authentication, speech-to-text, large language model (AI) providers, email delivery, analytics, crash reporting, and customer support. These vendors are contractually restricted to processing data on our behalf and for the purposes we direct. A current list of material sub-processors is available on request at privacy@lilikoi.app.
Legal & Safety: We may disclose information when required by law or when we believe disclosure is necessary to protect the rights, property, or safety of users or the public, including in response to valid legal process.
Business Transfers: If we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to commitments that the receiving party will honor this Policy or provide notice of material changes.
With Your Consent: For any other disclosure, we will ask you first.
We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under CCPA/CPRA.
6. International Data Transfers
We operate from the United States. If you access the Service from outside the US, your information will be transferred to, stored, and processed in the US. Where required, we rely on appropriate safeguards for international transfers, such as the Standard Contractual Clauses approved by the European Commission (and UK addenda), and we take steps to ensure your information receives protection comparable to that afforded by the laws of your jurisdiction.
7. Data Retention
- Voice recordings: retained for up to 30 days for quality and safety review and then deleted, unless you explicitly save them.
- Transcripts, summaries, and toolkit data: retained until you delete them or your account.
- Account data: retained while your account is active. Upon deletion, removed from active systems within 30 days and from backups within 90 days, except where a longer retention is required by law (e.g., tax records).
- Technical/usage logs: retained for up to 24 months for security and diagnostics.
- De-identified/aggregated data may be retained indefinitely, as it no longer identifies you.
8. Security
We implement reasonable administrative, technical, and physical safeguards designed to protect your information, including:
- Encryption in transit using TLS 1.2 or higher;
- Encryption at rest using industry-standard algorithms (e.g., AES-256);
- Role-based access controls and audit logging;
- Vendor security reviews and written data processing agreements;
- Periodic review of our security controls.
No system is completely secure. We cannot guarantee absolute security, and you provide information to us at your own risk.
9. Breach Notification
If we learn of a data breach that affects your personal information, we will notify you and regulators as required by applicable law, including the FTC Health Breach Notification Rule, state breach-notification laws, and the GDPR.
10. Your Rights & Choices
Subject to applicable law, you have the following rights. To exercise them, email privacy@lilikoi.app or use in-app controls where available. We will not discriminate against you for exercising these rights.
All Users: Access your data, correct inaccuracies, delete your account and associated data, export your data, and opt out of non-essential communications.
California (CCPA/CPRA): Right to know categories and specific pieces of personal information collected; right to delete; right to correct; right to limit use of Sensitive Personal Information; right to opt out of "sale" or "sharing" (we do neither); and right to non-discrimination. You may designate an authorized agent to make requests on your behalf.
Washington, Nevada, Connecticut & similar consumer-health laws: You have rights to access, delete, and withdraw consent for our processing of your consumer health data. See our Consumer Health Data Privacy Notice below.
EU/UK/EEA (GDPR): Rights of access, rectification, erasure, restriction of processing, data portability, objection, withdrawal of consent (without affecting prior processing), and the right to lodge a complaint with your local supervisory authority.
Other US states (VA, CO, TX, UT, and others): Where applicable, you have analogous rights under your state's privacy law.
Do Not Sell or Share / Limit SPI: We do not sell or share personal information for cross-context behavioral advertising, and we limit the use of sensitive personal information to what is reasonably necessary to provide the Service. If this changes, we will provide an opt-out mechanism.
Verification: We may need to verify your identity before fulfilling a rights request.
11. Consumer Health Data Privacy Notice (WA MHMD & similar)
This section supplements the rest of this Policy and applies to residents of Washington State (under the My Health My Data Act) and residents of states with similar consumer-health-data laws (e.g., Nevada, Connecticut).
- Categories of consumer health data we collect: mental and emotional-wellness content you share (voice and text), topics you discuss, tools you use, and inferences derived from them.
- Sources: directly from you and from your use of the Service.
- Purposes: to provide the Service to you, personalize coaching content, support security and quality, and respond to safety risks. We do not use consumer health data for advertising.
- Categories of recipients: service providers (cloud hosting, AI providers, speech-to-text, analytics, email) acting as processors on our behalf. We do not sell consumer health data.
- Your rights: access, deletion, and withdrawal of consent. To exercise them, email privacy@lilikoi.app.
- Appeals: If we decline a rights request, you may appeal by replying to our response; if still unsatisfied, you may contact your state Attorney General.
12. Children's Privacy
Lilikoi is intended for adults only. We do not knowingly collect or solicit personal information from anyone under the age of 18. We verify age through self-attestation at signup. If you are under 18, do not register or send any personal information. If we learn we have collected personal information from a person under 18, we will delete it promptly. If you believe a child under 18 has provided us with personal information, please contact us at privacy@lilikoi.app.
13. Cookies & Similar Technologies
Our website uses only essential cookies and limited analytics to understand usage. Our mobile app does not use browser cookies but may use similar local storage and device identifiers for essential functionality, analytics, and crash reporting. Where required by law, we will present a cookie/consent banner to obtain your consent.
14. Third-Party Links
The Service may link to third-party websites or services that we do not control. This Policy does not apply to their practices, and we encourage you to read their privacy notices.
15. HIPAA Status
Lilikoi is a direct-to-consumer general-wellness service. We are not a "covered entity" or "business associate" under HIPAA, and the information we process about you is not "protected health information" under HIPAA. If we ever partner with providers or payers in a capacity that makes HIPAA applicable, we will enter into Business Associate Agreements and disclose that change.
16. Account Inactivity & Account Holder Incapacity
If your account is inactive for an extended period, we may delete it after providing notice. If you would like to designate a person who can request deletion of your data in the event of your incapacity or death, email privacy@lilikoi.app.
17. Changes to This Policy
We may update this Policy from time to time. For material changes, we will provide reasonable notice (for example, by email or an in-app notice). The "Last Updated" date at the top reflects the most recent revision. Previous versions are available on request.
18. Contact Us
Privacy questions or requests: privacy@lilikoi.app
General support: support@lilikoi.app
Legal notices: legal@lilikoi.app
Mailing address: Lilikoi, Inc., [street address], [city, state, ZIP], USA.
EU/UK users: if you need an EU or UK representative for GDPR purposes, contact us and we will provide current representative details.