Privacy Policy
Last Updated: January 14, 2026
1. Introduction
Welcome to Krypt ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our diary application.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Password (encrypted and hashed)
- Account creation date
2.2 Diary Content
Important: All diary entries you create are end-to-end encrypted using AES-GCM 256-bit encryption before being stored. This means:
- Your diary content is encrypted on your device before being sent to our servers
- We cannot read, access, or decrypt your diary entries
- Even database administrators cannot view your diary content
- Only you can decrypt and read your entries
2.3 Usage Data
We collect metadata about your usage, including:
- Entry dates (not the content)
- Word counts per entry
- Login timestamps
- Streak statistics
2.4 Technical Information
- Browser type and version
- Device type
- IP address (for security purposes)
- Session information
3. How We Use Your Information
We use the collected information for:
- Providing the Service: To enable you to create, store, and access your diary entries
- Authentication: To verify your identity and maintain account security
- Statistics: To show you streak counts and writing statistics
- Security: To detect and prevent fraud, abuse, and unauthorized access
- Improvements: To analyze usage patterns and improve our service (using aggregated, anonymized data only)
- Communications: To send you important service updates and security notifications
4. Data Security
We implement industry-standard security measures to protect your data:
- End-to-End Encryption: AES-GCM 256-bit encryption for all diary content
- Key Derivation: PBKDF2 with 100,000 iterations for encryption keys
- Secure Authentication: Industry-standard authentication protocols via Supabase
- HTTPS: All data transmission is encrypted using TLS/SSL
- Database Security: Encrypted at rest with restricted access controls
- Regular Backups: Automated backups (your encrypted data remains encrypted in backups)
5. Data Storage and Location
Your data is stored on secure servers provided by Supabase. The data is encrypted at rest and in transit. Your diary content is additionally encrypted end-to-end, meaning it remains encrypted even on our servers.
6. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties.
We may share information only in the following circumstances:
- Service Providers: With trusted third-party service providers (e.g., Supabase for hosting) who are contractually obligated to protect your data
- Legal Requirements: When required by law, court order, or legal process
- Safety: To protect the rights, property, or safety of Krypt, our users, or the public
- Business Transfer: In connection with a merger, acquisition, or sale of assets (users will be notified)
Note: Even in these circumstances, your diary content remains encrypted and unreadable by us or third parties.
7. Your Rights and Choices
You have the following rights regarding your data:
- Access: Request access to your personal information
- Correction: Update or correct your account information
- Deletion: Request deletion of your account and all associated data
- Export: Export your diary entries in a standard format
- Opt-Out: Opt out of non-essential communications
To exercise these rights, please contact us at privacy@krypt.app.
8. Data Retention
We retain your data as follows:
- Active Accounts: Data is retained while your account is active
- Deleted Accounts: Data is permanently deleted within 30 days of account deletion
- Backups: Encrypted backups may be retained for up to 90 days for disaster recovery
9. Cookies and Tracking
We use essential cookies for:
- Authentication and session management
- Security and fraud prevention
- Storing encryption keys locally (localStorage)
We do not use third-party tracking cookies or advertising cookies. You can control cookie preferences through your browser settings, but disabling essential cookies may affect functionality.
10. Children's Privacy
Krypt is not intended for users under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
11. International Users
If you are accessing Krypt from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using our service, you consent to this transfer.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Your continued use of the service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
Email: privacy@krypt.app
Website: https://krypt.app
14. GDPR Compliance (EU Users)
For users in the European Union, we comply with GDPR requirements:
- Legal Basis: We process your data based on consent and contractual necessity
- Data Protection Officer: Contact dpo@krypt.app
- Right to Complaint: You have the right to lodge a complaint with your local data protection authority
15. California Privacy Rights (CCPA)
California residents have additional rights under the CCPA:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt-out of sale of personal information (we do not sell your information)
- Right to deletion of personal information
- Right to non-discrimination for exercising your rights
By using Krypt, you acknowledge that you have read and understood this Privacy Policy.