how we protect your family
Information Security Program
the administrative, technical, and physical safeguards that keep your memories safe.
how we protect your family
the administrative, technical, and physical safeguards that keep your memories safe.
Last Updated: May 4, 2026
Renji Labs, Inc. ("Renji Labs," "we," "our," or "us") operates Kaiary, an AI-powered family journaling application. This Information Security Program ("Program") describes the administrative, technical, and physical safeguards we maintain to protect the confidentiality, integrity, and availability of personal information processed in connection with Kaiary—including family content, biometric data, and account information.
This Program is intended to satisfy our obligations under applicable laws, including the Children's Online Privacy Protection Rule (COPPA), the Illinois Biometric Information Privacy Act (BIPA), state biometric and information-security statutes (such as Texas CUBI, Washington RCW 19.375, and the New York SHIELD Act), the California Consumer Privacy Act (as amended by CPRA), and equivalent obligations in other jurisdictions in which we operate.
Why this document exists: A privacy policy describes what data we collect and how we use it. This Program describes how we protect that data—the controls, processes, and people who keep your family's memories safe. We publish it so users, regulators, and partners can verify our security posture, and to satisfy specific legal requirements that mandate a written, publicly available program.
Responsibility for this Program is allocated as follows:
We classify data into the following categories so that controls can be applied proportionally to sensitivity:
Children's Personal Information receives Tier 1 protection regardless of where it appears in the system.
We perform a risk assessment at least annually, and whenever there is a material change to our processing activities, infrastructure, or applicable law. The assessment evaluates:
Findings are documented and used to drive remediation. The Designated Security Coordinator tracks open risks to closure.
All workforce members with access to personal information are subject to:
Access to systems containing personal information is governed by the principle of least privilege:
All workforce members complete security and privacy training upon onboarding and at least annually thereafter. Training covers, at minimum: phishing recognition, secure-handling practices for personal information, the special protections that apply to children's data and biometric data, the incident-reporting process, and the requirements of this Program.
Before engaging any third party that will receive or have the ability to access personal information, we evaluate the vendor's security posture, contractual commitments, sub-processor practices, and any relevant certifications. Material vendors are subject to:
Kaiary does not operate its own data centers. Production data resides with cloud infrastructure providers (primarily Amazon Web Services) that maintain physical security controls described in their published certifications, including SOC 2 Type II and ISO/IEC 27001. Renji Labs offices and workforce devices are protected through device management, full-disk encryption, automatic screen locking, and standard physical-access controls.
Although Kaiary accounts may only be created by adults aged 18 or older, family content frequently includes photographs, videos, audio recordings, and biographical information about children. We treat all such information as Children's Personal Information and apply heightened safeguards:
If a user opts into face recognition, Kaiary extracts and stores facial geometry vectors (numerical embeddings) derived from photos. We protect this data with the following additional controls:
We maintain a documented incident-response process for events that may compromise the confidentiality, integrity, or availability of personal information. The process covers:
Family content and database state are backed up on a routine schedule, with backups encrypted at rest and stored in geographically separate facilities operated by our infrastructure providers. Backups are retained according to the timelines in our Data Retention & Destruction Policy and tested periodically to confirm restorability. When a user deletes data, we propagate that deletion through active systems immediately and apply the documented backup-rotation timeline so that the data is purged from all retained copies.
This Program is reviewed at least annually and updated when there is a material change to our processing activities, infrastructure, vendor relationships, or applicable law. The "Last Updated" date at the top of this document reflects the most recent review. Material changes are summarized in our Privacy Policy and may be communicated to users through the app or by email.
For questions about this Program or to report a suspected security issue, please contact:
Security and Privacy
Renji Labs, Inc.
2093 Philadelphia Pike #6689
Claymont, DE 19703
Security: security@kaiary.ai
Privacy: privacy@kaiary.ai
This document is the publicly available summary of Renji Labs' Written Information Security Program. Internal procedures, system designs, and operational runbooks contain additional detail that is not publicly disclosed for security reasons.
see also our privacy policy and data retention & destruction policy.