Keza, Privacy Policy and Legal Disclosures
Last updated: May 2026. Effective date: May 2026.
Who we are
Keza is owned and operated by OneInEvery10 Organization, a nonprofit dedicated to publishing peer-reviewed research on conditions that disproportionately affect women. Our contact email is hello@oneinevery10.org. Keza is currently in beta testing.
What Keza is and what it is not
Keza is a general wellness application. It provides health and wellness information for educational purposes only. Keza is not a medical device. Keza does not diagnose, treat, cure, or prevent any medical condition or disease. Keza does not provide medical advice. Nothing in Keza, including content generated by Roxi, source badges, research summaries, nutrition guidance, herbal recommendations, or pattern insights, constitutes medical advice or should be used as a substitute for professional medical care. Always consult a qualified healthcare provider before making any health decision. In a medical emergency call 911 or your local emergency services immediately.
Keza qualifies as a general wellness product under the FDA's General Wellness Policy for Low Risk Devices guidance updated January 2026. Keza has not sought and does not hold FDA clearance or approval as a medical device.
What data we collect
Keza collects the following categories of information when you use the app.
Account information: your email address is required to create an account. Your first name is optional but recommended for personalisation. We do not require your legal name, phone number, or physical address.
Health and wellness logs: symptom scores, mood scores, energy scores, stress scores, sleep quality scores, pain scores, hot flash frequency, menstrual cycle dates and flow levels, food and nutrition logs, movement logs, and free-text notes you choose to enter. This is your personal health data and it belongs to you.
Condition information: the conditions you select from our conditions list including HS, PCOS, endometriosis, and others. This information is used solely to personalise your Keza experience.
Research profile information: if you choose to participate in OneInEvery10 research, you may optionally provide your zip code, state, race or ethnicity, employment status, education level, and household income range. Every field in the research profile is optional. None of it is required to use Keza. See the Research Participation section below for full details.
Medication and supplement information: any medications, supplements, or herbs you enter into the medications tracker. This information is used solely to check for documented interactions as an educational reference. Keza is not a pharmacist. Always verify interaction information with a licensed pharmacist or physician.
Imported health data: if you choose to import data from Apple Health, Flo, Clue, or another period tracking app, Keza processes that data to populate your cycle history. Raw imported files are not permanently stored. Only the extracted health data is saved to your account.
Usage data: standard technical data including device type, operating system, app version, and session timestamps. We use this to improve Keza's performance. We do not sell this data.
What we do with your data
We use your data to: personalise your Keza experience, generate pattern insights after 14 days of logging, power Roxi's contextual responses, generate doctor prep questions, and show you relevant research comparisons from published studies.
We do not sell your personal health data. We do not lease your personal health data. We do not share your personal health data with advertisers. We do not use your personal health data for targeted advertising. Keza products are ad-free.
We do not share your individually identifiable health data with any third party except as required by law or as described in this policy.
The third-party services Keza uses are: Supabase for secure database storage and authentication, Anthropic for AI-powered features including Roxi and data import parsing, and Resend for transactional email delivery. Each of these services processes data only as instructed by Keza and is bound by data processing agreements. Anthropic processes Roxi conversation data and import file content. A data processing agreement with Anthropic is required before Keza exits beta and enters public production. Raw conversation content with Roxi may be processed by Anthropic's systems to generate responses. Do not share information in Roxi that you would not want processed by a third-party AI service.
AI-powered features, important disclosures
Roxi is an AI wellness companion powered by Anthropic's Claude language model. Roxi is not a licensed physician, registered dietitian, pharmacist, psychologist, or any other licensed healthcare professional. Roxi's responses are generated by an AI system and are educational in nature. AI systems can make errors. Roxi's responses may occasionally be inaccurate, incomplete, or not applicable to your specific situation. Every substantive Roxi response includes a scope reminder for this reason.
Roxi is designed to cite only studies from Keza's verified research database. However, AI-generated content should always be independently verified. Tap any source badge to read the original published study. If Roxi says something that seems inaccurate or misleading, please report it using the beta feedback button or email hello@oneinevery10.org.
Keza uses AI to parse imported health files. This processing is used solely to extract your own health data and populate your Keza history. Processed files are not permanently retained.
Research participation, OneInEvery10
OneInEvery10 Organization uses Keza as a research data platform. If you choose to participate in our research program, your anonymised and aggregated health data may be used to publish peer-reviewed research on women's health disparities, inflammatory conditions, and perimenopause.
Research participation is completely optional. You can use every feature of Keza without participating in research. Your research participation consent status does not affect your Keza experience in any way.
If you consent to research participation, here is exactly what that means. Your data is anonymised before any research analysis. Anonymisation means your name, email address, and any other directly identifying information are removed before your data is included in any dataset. Your data is aggregated with data from other consenting participants. Published research will never contain information that could identify you individually. We apply k-anonymity standards, meaning we require a minimum of five participants per demographic combination before any statistic is included in research output. We do not sell research data. We publish research findings through OneInEvery10.org and through peer-reviewed academic journals.
You can withdraw your research participation consent at any time in Settings under Research Profile. Withdrawing consent means your data will no longer be included in future research analyses. Data already incorporated into published research cannot be retroactively removed because it has been anonymised and aggregated.
The demographic information collected for research purposes (zip code, state, race or ethnicity, employment status, education level, and household income) is used only for research analysis. It is never used for marketing or advertising, and it is never sold to any third party.
Your rights over your data
You have the right to access your data. You can request a copy of all personal data Keza holds about you by emailing hello@oneinevery10.org. We will respond within 45 days.
You have the right to delete your data. You can delete your Keza account at any time in Settings. Account deletion permanently deletes your health logs, profile, and research profile data from our systems within 30 days. Note that anonymised data already incorporated into research analyses cannot be identified and removed because it has been irreversibly anonymised.
You have the right to correct your data. You can edit your profile and health data within the app at any time.
You have the right to withdraw research consent. See the Research Participation section above.
You have the right to data portability. You can request an export of your health data in a standard format by emailing hello@oneinevery10.org.
Washington state residents have additional rights under the Washington My Health My Data Act 2023. You may submit requests to access, delete, or withdraw consent for your consumer health data. We will respond within 45 days with one possible 45-day extension. Submit requests to hello@oneinevery10.org.
California residents have rights under the California Consumer Privacy Act. You may request disclosure of personal information collected, request deletion, and opt out of sale. Keza does not sell personal information. Submit requests to hello@oneinevery10.org.
Reproductive and sensitive health data
Keza collects information about menstrual cycles, reproductive health symptoms, and conditions including endometriosis and PCOS. This is sensitive health information and we treat it with the highest level of protection.
Keza will never voluntarily share your reproductive health data with law enforcement without a valid court order. If we receive a subpoena, search warrant, or other legal process requesting your health data, we will notify you within 72 hours of receipt unless prohibited by law from doing so. We will evaluate any such request and use all available legal means to challenge requests we believe are overbroad or unlawful.
We do not share your reproductive health data with insurance companies, employers, or government agencies except as required by a valid court order.
Data security
Your health data is stored in Supabase, a secure cloud database provider. Data is encrypted in transit using TLS and encrypted at rest. Access to your data is controlled by row-level security policies, meaning each user can only access their own data. Keza staff access to user data is restricted to what is necessary for technical support and research functions.
We are not a HIPAA covered entity. Keza is not operated by a healthcare provider, health insurance company, or healthcare clearinghouse. Keza's legal obligations for health data privacy derive from the FTC Health Breach Notification Rule, the Washington My Health My Data Act, applicable state privacy laws, and our own commitments in this policy.
Breach notification
In the event of a breach of unsecured personally identifiable health data, Keza will notify affected users, the Federal Trade Commission, and, where required by law, the media, within 60 days of discovering the breach. This is required under the FTC Health Breach Notification Rule as amended July 2024. We will notify you directly via the email address associated with your account.
Children
Keza is not intended for users under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created a Keza account, please contact us at hello@oneinevery10.org and we will delete the account and associated data promptly.
Beta testing disclosures
Keza is currently in beta testing. This means the app is under active development. Features may change, break, or be removed without notice. Data collected during beta will be retained through the public launch of Keza unless you request deletion. We are committed to the same privacy standards during beta as we will apply in production.
If you encounter information in Keza that appears inaccurate, misleading, or potentially harmful, please report it immediately. You can use the beta feedback button in the app or email hello@oneinevery10.org. We take accuracy reports seriously and will investigate and correct confirmed inaccuracies promptly.
No conflicts of interest
OneInEvery10 Organization and Keza have no commercial affiliations with pharmaceutical companies, supplement manufacturers, medical device companies, or any other commercial health entity. Keza does not accept advertising. Keza does not accept paid placement of products or studies. Every recommendation in Keza is based solely on published peer-reviewed research. We have no financial interest in any product, treatment, or service mentioned in Keza.
Scope of practice statement
Roxi is an AI wellness companion with a persona based on the expertise of a holistic nutritionist and clinical herbalist. Roxi is not a licensed healthcare provider. The guidance Roxi provides is educational and based on published research. Roxi does not diagnose conditions, prescribe treatments, or replace the advice of your healthcare team. This statement appears in four locations in the app: this Privacy and Legal screen, the Roxi information popup, any downloadable PDF reports, and the Doctor tab.
Changes to this policy
We may update this privacy policy as Keza develops. We will notify you of material changes via email and via an in-app notification at least 14 days before changes take effect. Continued use of Keza after changes take effect constitutes acceptance of the updated policy.
Contact us
OneInEvery10 Organization
keza.oneinevery10.org
For data requests, corrections, or privacy concerns email hello@oneinevery10.org with the subject line Privacy Request.