Thank you for choosing to be part of our community at Kryptos, doing business as Kryptos ("Kryptos", "we", "us", "our"). We are committed to protecting your personal information and your right to privacy. If you have any questions or concerns about this privacy notice, or our practices with regard to your personal information, please contact us at contact@kryptos.io. When you visit our website https://kryptos.io (the "Website"), and more generally, use any of our services (the "Services"), which include the Website, we appreciate that you are trusting us with your personal information. We take your privacy very seriously. In this privacy notice, we seek to explain to you in the clearest way possible what information we collect, how we use it and what rights you have in relation to it.
1. Scope
This privacy notice applies to all information collected through our Services (which, as described above, includes our Website), as well as any related services, sales, marketing or events. Please read this privacy notice carefully as it will help you understand what we do with the information that we collect. If there are any terms in this privacy notice that you do not agree with, please discontinue use of our Services immediately.
2. What information do we collect?
Personal information you disclose to us. We collect personal information that you voluntarily provide to us when you register on the Website or otherwise when you contact us. The personal information we collect may include the following:
- Personal information provided by you. We collect email addresses and other similar information.
- Payment data. We may collect data necessary to process your payment if you make purchases, such as your payment instrument number (such as a credit card number) and the security code associated with your payment instrument. All payment data is stored by Stripe and Coinbase Commerce. You may find their privacy notices at https://stripe.com/en-se/privacy and https://commerce.coinbase.com/legal/privacy-policy/.
- Social media login data. We may provide you with the option to register with us using your existing social media account details, like your Facebook, Twitter or other social media account.
All personal information that you provide to us must be true, complete and accurate, and you must notify us of any changes to such personal information.
Information automatically collected. Some information, such as your Internet Protocol (IP) address and/or browser and device characteristics, is collected automatically when you visit our Website. This information does not reveal your specific identity but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Website and other technical information. This information is primarily needed to maintain the security and operation of our Website, and for our internal analytics and reporting purposes.
The information we collect includes:
- Log and Usage Data. Service-related, diagnostic, usage and performance information our servers automatically collect when you access or use our Website and which we record in log files (IP address, device information, browser type, activity timestamps, error reports, and hardware settings).
- Device Data. Information about your computer, phone, tablet or other device you use to access the Website (IP address or proxy server, device and application identification numbers, location, browser type, hardware model, internet service provider, mobile carrier, operating system and system configuration information).
3. How do we use your information?
We use personal information collected via our Website for a variety of business purposes described below. We process your personal information for these purposes in reliance on our legitimate business interests, in order to enter into or perform a contract with you, with your consent, and/or for compliance with our legal obligations. We indicate the specific processing grounds we rely on next to each purpose listed below.
We use the information we collect or receive:
- To facilitate the account creation and logon process. If you choose to link your account with us to a third-party account (such as your Google or Facebook account), we use the information you allowed us to collect from those third parties to facilitate account creation and logon.
- To post testimonials. We post testimonials on our Website that may contain personal information. Prior to posting a testimonial, we will obtain your consent to use your name and the content of the testimonial.
- Request feedback. We may use your information to request feedback and to contact you about your use of our Website.
- To enable user-to-user communications. We may use your information in order to enable user-to-user communications with each user's consent.
- To manage user accounts. We may use your information for the purposes of managing our account and keeping it in working order.
- To send administrative information to you. We may use your personal information to send you product, service and new feature information and/or information about changes to our terms, conditions, and policies.
- To protect our Services. We may use your information as part of our efforts to keep our Website safe and secure (for example, for fraud monitoring and prevention).
- To enforce our terms, conditions and policies for business purposes, to comply with legal and regulatory requirements or in connection with our contract.
- To respond to legal requests and prevent harm. If we receive a subpoena or other legal request, we may need to inspect the data we hold to determine how to respond.
- Fulfill and manage your orders. We may use your information to fulfill and manage your orders, payments, returns, and exchanges made through the Website.
- Administer prize draws and competitions. We may use your information to administer prize draws and competitions when you elect to participate in our competitions.
- To deliver and facilitate delivery of services to the user. We may use your information to provide you with the requested service.
6. Is your information transferred internationally?
We may transfer, store, and process your information in countries other than your own. Our servers are located in the European Economic Area (EEA), primarily in Sweden and the broader EU. If you are accessing our Website from outside the EEA, please be aware that your information may be transferred to, stored, and processed by us in our facilities and by those third parties with whom we may share your personal information, in countries other than your own.
If you are a resident in the EEA, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. We will however take all necessary measures to protect your personal information in accordance with this privacy notice and applicable law, including the use of EU Standard Contractual Clauses (Module 2) where required.
7. How long do we keep your information?
We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements). No purpose in this notice will require us to keep your personal information for longer than the period of time in which users have an account with us.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. Backups are retained for up to 15 days; point-in-time recovery (PITR) is retained for up to 7 days.
8. How do we keep your information safe?
We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.
We encrypt data in transit (TLS 1.3) and at rest (AES-256-GCM via Google Cloud KMS), enforce multi-factor authentication for administrative access, run weekly vulnerability scans and monthly penetration tests, and are certified to SOC 2 Type II. ISO/IEC 27001:2022 certification is in process.
9. What are your privacy rights?
In some regions (like the European Economic Area), you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time.
Right of access (Article 15 GDPR). You can ask us to confirm whether we hold personal data about you, and if so, to give you a copy of that data along with information about how we process it.
Right to rectification (Article 16). If any personal data we hold about you is inaccurate or incomplete, you can ask us to correct or complete it. You can also update most account details directly from your account settings.
Right to erasure (Article 17). Also known as the "right to be forgotten." You can ask us to delete your personal data where it is no longer necessary for the purposes it was collected, where you withdraw consent, or where you object to processing and we have no overriding legitimate ground to continue.
Right to restriction of processing (Article 18). You can ask us to pause processing of your personal data while we verify a rectification request, while we evaluate an objection, or in place of erasure where you need the data preserved for legal claims.
Right to data portability (Article 20). Where we process your personal data on the basis of consent or contract, and the processing is carried out by automated means, you can ask to receive that data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
Right to object (Article 21). You can object to processing carried out on the basis of legitimate interests, including profiling. You can object to direct marketing at any time, and we will stop processing your data for that purpose.
Right to withdraw consent (Article 7(3)). Where we rely on your consent to process personal data, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Automated decision-making (Article 22). We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing.
Right to lodge a complaint (Article 77). You have the right to lodge a complaint with your local data protection authority if you believe our processing of your personal data infringes the GDPR.
To exercise any of these rights, email dpo@kryptos.io. We will respond within 30 days.
10. Controls for Do-Not-Track features
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. No uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.
11. Do California residents have specific privacy rights?
If you are a California resident, the California Consumer Privacy Act (CCPA, as amended by CPRA) gives you the right to opt out of the "sale" or "sharing" of your personal information, including for cross-context behavioral advertising, at any time. To exercise this right, email dpo@kryptos.io with the subject line "Do Not Sell or Share My Personal Information," or use the "Do Not Sell or Share My Personal Information" link in our website footer. We will action your request within 15 days. We will not discriminate against you for exercising this right.
California residents also have rights to access, deletion, correction, and portability of their personal information; to limit the use of sensitive personal information; and to non-discrimination for exercising these rights. To exercise any of these rights, contact dpo@kryptos.io.
If you are under 18 years of age, reside in California, and have a registered account with the Website, you have the right to request removal of unwanted data that you publicly post on the Website. To request removal of such data, please contact us using the contact information provided below.
12. Children's privacy
We do not knowingly solicit data from or market to children under 13 years of age. By using the Website, you represent that you are at least 13 or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Website. If we learn that personal information from users less than 13 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 13, please contact us at dpo@kryptos.io.
13. Do we make updates to this notice?
We may update this privacy notice from time to time. The updated version will be indicated by an updated "Last Updated" date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.
14. How can you contact us about this notice?
If you have questions or comments about this notice, you may email our Data Protection Officer at dpo@kryptos.io or write by post to:
Kryptoskatt AB
Attn: Data Protection Officer
A2-1101, Frida Hjertbergs Gata 12
Göteborg, Sweden 41281
15. How can you review, update, or delete the data we collect from you?
Based on the applicable laws of your country, you have the right to request access to the personal information we collect from you, change that information, or delete it in some circumstances. To request to review, update, or delete your personal information, please email dpo@kryptos.io. We will respond to your request within 30 days.
Data protection contact
For questions about this notice or to exercise your rights, contact our Data Protection Officer at dpo@kryptos.io.
privacy@kryptos.io