Kriovate

Privacy Policy

Version 1.0 · Effective 20 May 2026

This is the Privacy Policy of Kriovate Ltd. It applies to all software published by Kriovate Ltd. At present, that means the Krypsis iOS application. If we publish additional products in the future, this policy will be updated to cover them, or we will publish a product-specific addendum.

The short version

  • We don’t track what you do in our apps. There’s no analytics, no profile, no account.
  • Your content stays on your device.
  • The only things that ever leave your device are:
    1. Anonymous crash reports, if you turn them on. They’re off by default.
    2. Your purchase transaction ID, when you buy Krypsis Lifetime or (in future) subscribe to Premium Sync. Apple and our receipts service (RevenueCat) handle this; no name, email, card number, or billing address reaches us.

That’s it. The rest of this document explains the details, your rights under UK and EU data protection law, and how to contact us.

1. Who we are

Krypsis is published by Kriovate Ltd, a company registered in England & Wales.

  • Registered office: 167-169 Great Portland Street, 5th Floor, London W1W 5PF
  • Companies House number: 17256908
  • ICO registration number: [ICO REG NUMBER]
  • Privacy contact: privacy@kriovate.com

We are the data controller for the limited data described below.

2. What we collect

2.1 Anonymous crash reports — opt-in, off by default

If and only if you enable Settings → Privacy → Send anonymous crash reports in Krypsis, the app sends crash stack traces to Sentry (operated by Functional Software, Inc., trading as Sentry).

A crash report contains:

  • The stack trace showing where in the app code the crash happened
  • iOS version and device model (e.g. “iPhone 15 Pro, iOS 18.5”)
  • The version of Krypsis you’re running
  • A randomly generated installation ID, not linked to your Apple ID, your name, your email, or anything else identifying

A crash report does NOT contain:

  • Your photos, videos, or documents
  • Filenames, album names, or any vault content metadata
  • Your PIN, encryption keys, or any decrypted data
  • Your IP address (we configure Sentry to drop it before storage)
  • Your Apple ID, location, contacts, or third-party app data

Crash reporting stays off unless you explicitly switch it on, and you can switch it back off at any time. The toggle takes effect immediately.

Retention: Sentry deletes crash data after 30 days. You can request earlier deletion of any data tied to your installation ID by emailing privacy@kriovate.com.

Sub-processors: Sentry uses Amazon Web Services and Google Cloud Platform for infrastructure. They process the data on Sentry’s instructions only and have no independent access.

2.2 Purchase records — handled by Apple and RevenueCat

When you buy Krypsis Lifetime or (in future) subscribe to Premium Sync:

  • Apple processes your payment under their own privacy terms.
  • RevenueCat (the receipts service we use, operated by RevenueCat, Inc.) receives a transaction ID and an installation ID so we know your purchase status across your devices.

We never see your card number, billing address, name, or email address. RevenueCat is contractually limited to processing only what’s needed to verify your entitlements.

Retention: RevenueCat retains transaction records for the lifetime of your purchase (so we can validate Lifetime entitlements indefinitely).

3. What we do NOT collect

We do not see, log, or transmit any of the following:

  • Your photos, videos, or documents
  • Filenames, album names, captions, or any other content metadata
  • When you unlock your vault, what you import, what you view, what you share, what you delete
  • The existence of a decoy vault on your device (the decoy feature is invisible to anyone outside this device by design)
  • Your Apple ID, name, email address, phone number, location, contacts, calendar, or any third-party app data
  • IP addresses or device fingerprints

The audit trail is the source code. The production Krypsis app contains no os.Logger or os_log calls that record vault activity. Anyone with the binary can verify.

4. Where your data lives

Vault content in Krypsis (your photos, videos, documents, albums, PIN verifier, decoy data) is encrypted with a key derived from your PIN using PBKDF2 and ChaCha20-Poly1305, and stored only on your device. It never leaves the device unless you explicitly:

  • Export a .vaultbak backup file (the file is itself encrypted with your PIN)
  • Share an item via iOS’s share sheet (you control the destination)
  • Export an item back to the iOS Photos library

iCloud sync (Premium Sync) is coming in a future update. It will be off by default and opt-in. We’ll update this policy with full processing details before that feature ships.

The two pieces of data that do leave the device today — opt-in crash reports and purchase records — are fully described in Section 2.

5. International transfers

Sentry processes opt-in crash reports in the European Union and the United States. RevenueCat processes purchase records in the United States. Transfers to the United States are covered by the EU-US Data Privacy Framework and the UK Extension to the Data Privacy Framework, and by standard contractual clauses.

If you’ve opted into crash reporting, your anonymous crash data may be processed in the US under these frameworks.

6. Your rights under UK GDPR and EU GDPR

You have the right to:

  • Erase your data. Delete the Krypsis app from your device — all vault content is gone instantly. If you’d opted into crash reporting, anything we received is automatically deleted after 30 days; you can request immediate deletion via privacy@kriovate.com.
  • Access your data. We have effectively nothing to give you. If you’d like a copy of any anonymous crash reports tied to your installation ID, email us — we’ll send what we have.
  • Object to processing. Switch off crash reporting in Settings → Privacy.
  • Restrict processing or request portability. Same — switch off crash reporting; the rest of your data never reaches us, so portability is automatic (it’s all on your device).
  • Lodge a complaint with the UK ICO at https://ico.org.uk, or with your local supervisory authority if you’re in the EU.

We respond to verified requests within 30 days.

7. Cookies and trackers

Our apps contain:

  • No advertising SDKs
  • No analytics SDKs (no Google Analytics, no Firebase, no TelemetryDeck, no Mixpanel)
  • No cross-app tracking, no IDFA usage
  • No third-party trackers running in the background

Apple’s standard StoreKit framework handles purchases. That’s the only third-party SDK that talks to anything outside the device, and only when you initiate a purchase.

This website (kriovate.com) also contains no analytics, no tracking pixels, no cookies, and no third-party scripts. We don’t know that you’ve visited.

8. Children

Krypsis is rated 17+ in the App Store and is not intended for users under 13. We don’t knowingly collect data from anyone under 13. If you believe a child under 13 is using one of our apps, please contact privacy@kriovate.com and we’ll delete any anonymous crash data tied to that installation if you can identify it.

9. Security

For Krypsis specifically:

  • Vault content is encrypted on-device using ChaCha20-Poly1305 with a per-vault random master key. The master key is wrapped (encrypted) with a key derived from your PIN using PBKDF2 (100,000 iterations).
  • Your PIN is never stored. A wrapped-key verifier is stored in the iOS Keychain; if your PIN is wrong, the wrapped key won’t unwrap.
  • We have no master key, recovery key, or backdoor. If you forget your PIN and have no backup, the data is mathematically unrecoverable. See our Terms of Service for the consequences.

10. Changes to this policy

If we add new processing — for example, when Premium Sync ships, when we publish a new product, or when we add a new sub-processor — we’ll update this policy and bump the version number at the top. Existing users will see an in-app notice on next launch (for app changes) or a notice on this page (for website / corporate changes).

The current and previous versions of this policy will remain available at the published URL.

11. Contact

WhatWhere
Privacy questions / GDPR requestsprivacy@kriovate.com
ICO complaintshttps://ico.org.uk
PostalKriovate Ltd, 167-169 Great Portland Street, 5th Floor, London W1W 5PF