Privacy Policy

1. Scope

This policy covers personal data we process about: visitors to our marketing pages; people who create or use a Kryptos account; people who contact us for sales, support, or partnerships; and developers who use the Kryptos Connect API.

It does not cover third-party services we link to (exchanges, blockchains, accountant directories). Those services have their own privacy policies.

2. Information we collect

Account data: email, name, country, payment method, and the wallets and accounts you connect.

Usage data: pages viewed, features used, errors encountered, device and browser data. Used to improve the product and debug issues.

Transaction data: read-only copies of your on-chain and exchange transactions, fetched via the API keys and wallet addresses you provide. We never receive your private keys.

Communications: when you email support, sales, or partnerships, we keep the conversation in our helpdesk for as long as needed to support you.

Cookies: we use a small number of first-party cookies for session, preferences, and analytics. No third-party advertising cookies.

3. How we use your data

We process your data to: provide the Service (sync transactions, compute reports, present your portfolio); bill you for paid plans; support you when you ask; comply with our legal obligations (tax, anti-fraud, sanctions screening); and improve the product through aggregated analytics.

We do not sell your personal data. We do not share it for advertising. We never sell or share transaction data outside the workflows you explicitly choose (e.g. exporting a report to your accountant).

4. Who we share data with

Sub-processors that help us run the Service: cloud infrastructure (AWS), payment processing (Stripe), email delivery (Postmark), helpdesk (Helpscout), analytics (PostHog).

Legal authorities when required by law, with notice to you unless prohibited.

A new owner if Kryptos is acquired, subject to this policy continuing to apply.

5. Data retention

Account and transaction data: kept while your account is active, and for 7 years after closure to support tax-evidence requests.

Support conversations: 3 years after the last message.

Server logs and analytics: 90 days, then aggregated.

You can request earlier deletion by contacting us; we comply unless legally required to retain (e.g. tax records).

6. Your rights

Wherever you live, you can: access the personal data we hold about you; correct inaccurate data; export your data in a portable format; restrict or object to specific processing; close your account.

If you're in the EU/UK, you also have GDPR rights to lodge a complaint with your supervisory authority. Our lead authority in the EU is the Singapore Personal Data Protection Commission (PDPC); EU residents may also use their local DPA.

7. Security

Kryptos is SOC 2 Type II certified. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). API keys you provide are read-only; we never receive private keys or seed phrases.

We run pen tests at least annually, with critical findings remediated within 30 days. Engineers access production data only via least-privilege controls and audit logging.

8. International transfers

Kryptos is based in Singapore. We operate infrastructure in Singapore, Frankfurt, and Virginia. EU/UK personal data is processed under Standard Contractual Clauses (SCCs) where it leaves the EEA/UK.

9. Children

The Service is not directed to people under 18. We do not knowingly collect data from children. If you believe we have, contact us and we'll delete it.

10. Changes to this policy

We may update this policy from time to time. Material changes are emailed to account holders at least 30 days before they take effect. Browsing or continued use after the effective date constitutes acceptance.