Privacy Policy

Last updated: April 2026

This policy explains what personal data Krylia collects, why, how long we keep it, and what your rights are. It applies to all users of Krylia Content Protection (krylia.app).

Data controller: IT WORKS | Spierings Consultancy (CHE-424.838.817), Switzerland. Contact: [email protected]

1. What we collect and why

We collect only what is necessary to operate the service.

Account and identity data

We collect your email address and the stage names or aliases you provide when creating protected identities. Legal basis: performance of a contract (GDPR Article 6(1)(b)) — we need your email to authenticate you and your stage names to know what to scan for.

Consent record

When you authorise Krylia to submit DMCA takedown requests on your behalf, we record a timestamp and a session token confirming that authorisation. Legal basis: legal obligation (GDPR Article 6(1)(c)) — DMCA law requires us to hold evidence of authorisation before submitting notices on your behalf.

Scan results and takedown history

We record the URLs of content found during scans, the status of takedown requests we submit, and action logs for each request (timestamps, what was sent, to whom, and the outcome). Legal basis: performance of a contract (GDPR Article 6(1)(b)) — this is the core service; and legitimate interests (GDPR Article 6(1)(f)) — an accurate evidence record protects both you and Krylia in any future legal dispute.

Payment data

Payment is processed entirely by Stripe. We do not receive or store your card number, bank details, or any payment instrument. We hold only a record of your current subscription plan and billing status. Legal basis: performance of a contract (GDPR Article 6(1)(b)).

Notification preferences

If you choose to receive notifications, we store your preferred channel (email or Telegram) and — if you provide a separate notification address — that email. If you connect Telegram, we store your Telegram chat ID. Legal basis: consent (GDPR Article 6(1)(a)) — you opt in to each channel explicitly and can withdraw at any time in Settings.

Technical logs

Our hosting infrastructure collects standard server logs including IP addresses and request metadata, used solely for security monitoring and debugging. Legal basis: legitimate interests (GDPR Article 6(1)(f)).

2. What we do not collect

We do not store your images, videos, or any media files. We do not use tracking cookies. We do not sell your data to any third party. We do not run advertising of any kind.

3. Data processors

We share data only with the following sub-processors, each bound by a data processing agreement:

• Stripe (United States) — payment processing. Stripe is certified under the EU–US Data Privacy Framework. stripe.com/privacy
• Railway (United States) — infrastructure hosting (API server, database, Redis). railway.app/legal/privacy
• Cloudflare R2 (United States / distributed) — storage for content screenshots used as evidence during active takedowns. cloudflare.com/privacypolicy
• Mailgun (United States) — transactional email delivery (notifications and outbound DMCA notices). mailgun.com/privacy-policy
• Vercel (United States) — frontend hosting. vercel.com/legal/privacy-policy

All processors are located in the United States. Transfers are covered by Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework where applicable.

4. Retention

• Consent records — 7 years minimum. Required by DMCA law as evidence of authorisation for each notice submitted on your behalf.
• Takedown logs and action history — 5 years. Needed to respond to counter-notices and any legal disputes arising from submitted takedowns.
• Account data (email, identities, scan results) — retained while your account is active, then deleted within 30 days of account closure, except where the periods above apply.
• Screenshots — deleted automatically when a takedown is confirmed resolved. If unresolved, retained for the duration of the active takedown plus 90 days.
• Notification preferences and Telegram chat ID — deleted immediately on account closure or channel disconnection.
• Technical logs — 30 days, then automatically purged by our infrastructure provider.

5. Your rights

Under GDPR and the Swiss DSG, you have the following rights. To exercise any of them, email [email protected] with your account email address. We respond within 30 days.

• Access — request a copy of all personal data we hold about you.
• Rectification — correct inaccurate data in your account settings, or ask us to correct data you cannot access yourself.
• Erasure — request deletion of your account and personal data. We will delete everything except consent records and takedown logs, which we are required to retain under DMCA law. We will confirm in writing what was deleted and what was retained and why.
• Portability — request an export of your data in a machine-readable format (JSON).
• Restriction — ask us to pause processing of your data while a dispute is resolved.
• Object — object to processing based on legitimate interests (server logs, evidence records). We will stop unless we can demonstrate compelling grounds.
• Withdraw consent — where processing is based on consent (notification channels), you can withdraw at any time in Settings without affecting the lawfulness of prior processing.

6. Supervisory authority

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with a supervisory authority. In Switzerland: Federal Data Protection and Information Commissioner (FDPIC). If you are based in the EU, you may also contact the data protection authority in your country of residence.

7. Changes to this policy

We will notify you by email at least 14 days before making any material changes to this policy. The date at the top of this page always reflects the last update.

8. Contact

Privacy questions: [email protected]

Full company details: Imprint