Privacy
Privacy
This notice explains what the marketing site, the briefing form, the email contact path, and the interactive demo collect, and what we do with it.
Marketing site notice
Last updated: June 29, 2026
Who we are. This site is operated by Kenshiki, Inc., based in Tacoma, Washington, United States. You can reach us through the briefing form or by email at hello@kenshikilabs.com.
What we collect. The briefing form asks for your name, organization, role, email, consent to be contacted, and any optional message. We deliver that message to Kenshiki via email. If you use the email fallback, your email client sends the message instead.
Why we collect it. To respond to your request, understand whether Kenshiki is a fit, and follow up about the briefing. We do not use the marketing site to make credit decisions.
How we handle it. We do not sell your information. We do not share it except with people at Kenshiki who need it to reply to you, and the sub-processors listed below who help us operate the site.
Sub-processors. We use a small number of vendors to operate the site:
- Resend (United States) — delivers briefing-form messages to our inbox. Resend processes only the contents of the message and your email address.
- Supabase (United States) — hosts the synthetic database, demo authentication, and serverless functions behind the interactive demo. The demo does not include any real customer data.
- Vercel (United States) — hosts the site itself. Vercel’s standard request logs are subject to its own policies.
- Google (United States) — Google Analytics 4 processes aggregate usage events (pages viewed, referrer, approximate region) and Google Ads measures conversions from our campaigns, on the production site, only after you consent.
- Microsoft (United States) — Clarity processes anonymized interaction signals (scrolling, clicks, session replays with text masked) on the production site, only after you consent.
Interactive demo. The interactive demo (opened from /demo, running under /app) and the API reference at /api-docs expose a same-origin API consumed by the demo UI. All applications, evaluations, ledger entries, and comments shown are synthetic. The four demo roles (admin, underwriter, manager, compliance) are pre-provisioned shared accounts; anyone visiting the demo can sign in as any role. Tokens minted by the demo are demo-grade only and not credentials.
How long we keep it. Briefing-form messages: only as long as needed to follow up on your inquiry, unless a longer retention period is required for business, security, or legal reasons. Demo session cookies expire automatically (24 hours by default) and are not associated with any real identity.
Your choices. Analytics and advertising cookies are off until you choose Accept in the cookie banner; choose Reject non-essential to keep them off. To change your mind later, clear this site’s cookies and site data and the banner returns. To ask what we hold or to request deletion, contact us by email. To clear demo cookies, sign out from the demo or clear cookies for this site.
Important separation. This site is a marketing surface plus a synthetic-data demo. It is not connected to any credit-decision production system, and no lending, scoring, or consumer-report data is collected, stored, or processed here.
Kenshiki Pulse app
Privacy in the iOS app
Last updated: July 14, 2026
What Pulse is. Kenshiki Pulse is an iOS app that proves, on your device, that your phone is still being carried and used by you. This section describes the app’s data practices, which are separate from the marketing site and demo above.
Continuity signals stay on device. Pulse reads your phone’s signals — motion and activity, location, barometer, magnetometer, battery and thermal state, and cellular/SIM presence — and processes them on your device. Raw motion readings, location trails, sensor readings, AI prompts, and AI output text are not transmitted to us or anyone else, are not sold, and are not used to track you across apps or websites. Only a derived, minimized summary leaves your device, and only when you choose to bond to a partner website — see “Connecting to a website” below.
Location. Pulse uses coarse location and visit/significant-change monitoring, including in the background, only to keep your on-device continuity status current. It does not build or store a history of where you go off the device. One exception, always user-initiated: during a verified call you start, the call’s liveness heartbeats include your location — shown to you on the call screen before you share it — so the institution on the call can confirm a live, present caller for that call only. Outside that flow, no location leaves the device.
Face ID. Pulse uses Face ID — or your device passcode — to unlock the app. Biometric data is handled entirely by iOS and the Secure Enclave; the app never sees, stores, or transmits it.
On-device intelligence. When your device supports it, Pulse uses Apple’s on-device foundation models to write plain-language explanations of continuity events. This runs entirely on your device; no data is sent to us or any third party for this feature.
Optional phone-number protection. If you choose to verify your phone number, Pulse sends the phone number you enter, verification-code requests/checks, and carrier-record lookup requests to Kenshiki’s PulseAPI proxy so the feature can work. PulseAPI uses service providers such as Vonage to deliver verification codes and retrieve carrier information. Two optional checks build on a verified number: a SIM-swap recency check (a yes/no within a look-back window; US carriers do not report the swap date), and a carrier name/address match you can pre-fill by scanning your driver’s license barcode. The scan is data entry on your device — the license fields you submit (name, address, birthdate, document number) go to PulseAPI and its carrier partner only to be compared against your carrier’s records, and the scanned fields are stored sealed on your device so re-checks never need a rescan.
Push notifications. If you allow notifications, Pulse registers your device’s Apple push token with PulseAPI, optionally bound to your verified number, and sends periodic liveness pings so Kenshiki’s servers know your protection is still active. If your phone goes quiet, we first send invisible background check requests, then a visible reminder. Notification content is deliberately generic — no personal data, phone number, or carrier fact ever rides inside a push. Token records self-delete after 90 days without contact.
Passkeys. Pulse can hold passkeys — sign-in credentials you approve with Face ID. Passkey private keys are generated inside this iPhone’s Secure Enclave and never leave the device: not synced, not backed up to Kenshiki, not recoverable by anyone who doesn’t have your face and your phone. When you register or sign in at a website, the only thing transmitted is the standard WebAuthn message that website needs, sent directly to it. Pulse keeps a local, tamper-evident receipt log of every passkey event, on device, for you to review under Trust → Passkeys.
Call defense coaching. If you use Pulse’s defense coach during a suspicious call, the app sends Kenshiki’s coach service the topic you selected (which company or data broker, and the situation) plus a device-integrity assertion. It does not hear your call: no call audio, no transcript, and no conversation content is captured or transmitted.
Research sharing (off by default). Settings offers an optional research toggle that shares de-identified continuity traces to improve Pulse. It is off until you turn it on, and what a trace contains is shown before you agree.
Connecting to a website (device bonding). When you scan a partner website’s QR code and approve the request, Pulse proves to that website that a real, present device approved. To do this, Pulse sends to Kenshiki’s PulseAPI: an Apple App Attest assertion (a device-integrity proof, not personal data); a derived presence and continuity signal; and a short “life rhythm” day-shape summary. These derived summaries are not raw sensor data. Raw motion readings, location trails, and individual sensor readings are never sent.
Passport reading (optional). If a workflow asks for document-backed proof, Pulse can read your passport’s NFC chip — or the printed machine-readable zone — on your device. If you then bond to a partner website, Pulse sends the passport fields the document contains to PulseAPI: name, date of birth, sex, nationality, place of birth, document number, issuing state and authority, date of issue, expiry date, and personal number, along with chip-validation facts (whether the chip was authenticated and its certificates verified). This lets the partner confirm a genuine, government-issued document backs the action. It happens only when you have read a passport and chosen to bond. We do not retain this data beyond what the bond requires, do not sell it, and do not use it to track you.
Your account: Sign in with Apple, no analytics. Pulse sets up your account with Sign in with Apple — no password, and Apple’s private relay email works. We receive the identifier Apple issues for your account plus the name and email you choose to share, and Apple notifies our server if you later revoke the connection. The app contains no third-party analytics, advertising, or tracking. App state such as your continuity status and settings is stored locally on your device.
Deleting your data. Settings → “This isn’t for me” deletes your account and data everywhere: Kenshiki’s server records are erased first, then everything on the phone. If our servers can’t confirm the erase, nothing is deleted anywhere and the app tells you to retry — it never pretends. A separate control, “Erase my identity data,” removes passport, license, and carrier identity records from the device without closing your account. Push-token records self-expire after 90 days of silence; server records tied to your account are removed when you delete it.
Everything that leaves is written down. The app keeps an on-device ledger — Settings → “What left your phone” — recording every payload sent off the device, exactly as it was sent, at the moment it leaves. You can read it any time.
Data collected. For app functionality only — never to track you, never sold: (1) the phone number you enter, if you use phone-number protection, and — if you run the optional carrier match — the license fields you submit (name, address, birthdate, document number); (2) your Sign in with Apple identifier and the name/email you choose to share; (3) your Apple push token and liveness timestamps, if you allow notifications; (4) when you bond to a partner website, a derived presence and continuity signal and a life-rhythm day-shape summary, alongside an Apple App Attest device-integrity assertion; (5) if you have read your passport and choose to bond, the passport fields it contains (name, date of birth, sex, nationality, place of birth, document number, issuing state and authority, dates of issue and expiry, personal number) plus chip-validation facts; and (6) during a verified call you start, your location while the call runs. Pulse does not collect your raw motion data, individual sensor readings, location trail, passkey private keys, AI prompts, or AI output text.
Future functionality (not active today). A later release may let you connect Pulse to credit bureaus and the Kenshiki registry, which would involve identity information you choose to provide — such as phone, email, or Social Security Number, with the SSN reduced to its last four digits on the device. That functionality is not present or enabled in this version, and this notice will be updated before any such data is collected.
Contact. Questions about app privacy: hello@kenshikilabs.com.