Launch app
Launch app

Docs

Security.

The strongest security is having nothing sensitive to steal. Kata's whole architecture is built around keeping your health data off our servers in the first place.

Nothing sensitive to breach

Your logs, chats, memory and photos are stored only on your device. There is no central database of user health data to breach, because it does not exist. An attacker who reached our servers would find accounts and aggregate counters, not anyone's diary.

Namespaced per account

On a shared device, each account's data is isolated under its own namespace in local storage, so signing in as someone else never exposes your entries.

In transit

Coach messages and the context needed to answer them travel encrypted, are used to generate the reply, and are not retained on our side. Connection tokens (such as WHOOP) are kept in on-device, httpOnly cookies rather than exposed to page scripts.

Accounts

Authentication is handled by Supabase with the project hosted in the EU, and it stores no health data: only your email, sign-in method and timestamps. Sign in with a password, Google, Apple or a magic link.

Your part

Because your data lives on your device, it is only as safe as your device. Use a device lock, and keep a backup so a lost phone is an inconvenience, not a loss.