Last updated: April 8, 2026

Privacy Policy

1. Introduction

This Privacy Policy explains how krypt.cc ("Krypt", "we", "us") collects, uses, stores, and protects your personal information when you use our platform and services. We are committed to protecting your privacy and complying with applicable data protection laws including GDPR and CCPA.

2. Information We Collect

2.1 Account Information

  • Email address (for authentication, notifications, and account recovery)
  • Username / handle (public, displayed on your profile)
  • Password (hashed with Argon2id — we never store or see your plain password)
  • Discord account data if you choose to link it (username, avatar, banner — synced from Discord OAuth)

2.2 Profile Information (User-Provided)

  • Display name, bio, and social media links
  • Profile customizations (colors, themes, animations, widgets)
  • Uploaded images, avatars, backgrounds, and audio files

2.3 Game & Platform Data

  • Pet collection, battle history, ratings, and marketplace transactions
  • Coin balance and transaction history
  • Team configurations, expedition data, and mission progress

2.4 Tool Usage Data

  • Hosted images (stored on Cloudflare R2 CDN)
  • Shortened URLs and click analytics
  • Pastes and their view counts

2.5 Security Data

  • Two-factor authentication secrets (encrypted in database)
  • Recovery codes (hashed with Argon2id)
  • Login timestamps and verification codes (temporary, auto-deleted)

2.6 Automatically Collected Data

  • IP address (used for rate limiting and abuse prevention — not stored long-term)
  • Browser type, device type, and operating system
  • Pages visited, timestamps, and referral source
  • Profile view analytics (anonymized visitor counts)

3. Legal Basis for Processing (GDPR Article 6)

We process your data under the following legal bases:

3.1 Contract Performance

  • Account creation and authentication
  • Providing the Service (profile, pets, marketplace, tools)
  • Processing premium subscription payments
  • Delivering purchased features (image hosting, AI assistant)

3.2 Legitimate Interest

  • Fraud detection, abuse prevention, and rate limiting
  • Service analytics and performance monitoring (aggregated, anonymized)
  • Maintaining platform integrity (anti-cheat, anti-bot measures)
  • Sending security alerts (password changes, 2FA changes, login from new contexts)

3.3 Consent

  • Linking your Discord account (you can revoke this at any time)
  • Using the AI assistant (conversations processed by third-party providers)
  • Uploading images to our CDN

3.4 Legal Obligation

  • Responding to lawful data access requests
  • Retaining transaction records as required by tax/financial regulations

4. How We Use Your Information

  • To provide, operate, and maintain the Service
  • To authenticate your identity and secure your account
  • To send transactional emails: verification codes, password resets, security alerts, account deletion confirmations
  • To power the pet battle system, marketplace, and ranked seasons
  • To provide AI assistant responses (conversations are not stored)
  • To deliver and compress hosted images
  • To track profile view analytics for your dashboard
  • To detect and prevent abuse, fraud, and Terms of Service violations
  • To improve the Service based on aggregated, anonymized usage patterns

5. Automated Decision-Making

We use automated systems in the following areas. These do not produce legal effects but may affect your experience on the platform:

  • Elo matchmaking: Automated pairing based on your rating for ranked battles.
  • Gacha system: Random item generation when hatching eggs, governed by predefined drop rates.
  • Rate limiting: Automated throttling based on request frequency to prevent abuse.
  • Anti-bot measures: Automated detection of suspicious patterns (consistent timing, API-only access).
  • Content moderation: Automated systems may flag or restrict content that appears to violate our Terms.

You may contact [email protected] to request human review of any automated decision that significantly affects your account.

6. AI Assistant

The AI assistant processes your messages in real-time to generate responses. We do not store conversation history. Messages are sent to a third-party AI provider (via OpenRouter) for processing.

  • Conversations are ephemeral — they exist only during your active session and are not stored on our servers.
  • Image inputs sent to the AI are processed in-memory and not persisted.
  • We do not use your conversations to train AI models.
  • The AI provider may process your messages under their own privacy policy. We use providers that do not train on user data from API calls.
  • AI responses may be inaccurate. We are not responsible for actions taken based on AI output.

7. Data Storage & Security

7.1 Where Data Is Stored

  • Account and platform data: PostgreSQL database (hosted infrastructure)
  • Uploaded images and files: Cloudflare R2 (global CDN)
  • Sessions: JWT tokens stored in HttpOnly browser cookies (not server-side)
  • Payment data: processed and stored by Stripe (we never see or store your card number)

7.2 Security Measures

  • Passwords hashed with Argon2id (memory-hard, GPU-resistant)
  • Two-factor authentication (TOTP) available for all accounts
  • Recovery codes hashed with Argon2id
  • CSRF protection on all state-changing endpoints
  • Rate limiting on authentication, uploads, and API endpoints
  • Image uploads validated by magic bytes (content inspection, not just file extension)
  • EXIF metadata (including GPS location) automatically stripped from all uploaded images
  • All connections encrypted via HTTPS/TLS
  • Database queries use parameterized statements (SQL injection prevention)

7.3 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users via email within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. We will also notify the relevant supervisory authority where required.

8. Third-Party Data Processors

We share the minimum data necessary with the following processors:

  • Cloudflare (US) — IP address, request headers for CDN delivery and DDoS protection. Privacy policy: cloudflare.com/privacypolicy
  • Stripe (US) — Email, payment details for subscription processing. We never store card numbers. Privacy policy: stripe.com/privacy
  • Resend (US) — Email address for transactional email delivery. Privacy policy: resend.com/legal/privacy-policy
  • Discord (US) — OAuth data you authorize (username, avatar, email) when linking your Discord account. Privacy policy: discord.com/privacy
  • OpenRouter (US) — Chat messages (text and images) for AI assistant processing. Messages are processed in real-time and not stored by us. Privacy policy: openrouter.ai/privacy

We do not sell, rent, or share your personal data with advertisers, data brokers, or any party not listed above.

9. Cookies & Tracking

We use essential cookies only:

  • Session cookie (NextAuth JWT) — HttpOnly, Secure, SameSite=Lax. Required for authentication.
  • CSRF token cookie — Required for security against cross-site request forgery.

We do not use tracking cookies, advertising cookies, analytics cookies, or third-party cookies of any kind. We do not participate in ad networks or use pixel tracking.

Do Not Track

We honor Do Not Track (DNT) browser signals. Since we do not track users across third-party websites, DNT has no additional effect on our data practices.

10. Data Retention

  • Account data: retained while your account is active.
  • Deleted accounts: 30-day soft-delete grace period, then permanently erased (all data, pets, images, profile, trades, marketplace history).
  • Verification codes: auto-expire and are deleted after 10 minutes.
  • Password reset tokens: auto-expire and are deleted after 15 minutes.
  • Rate limit data: in-memory only, cleared on server restart (not persisted).
  • AI conversations: not stored at all — ephemeral, session-only.
  • Profile view analytics: aggregated counts retained; individual visit records retained for 90 days.
  • Marketplace transaction history: retained for the lifetime of both buyer and seller accounts for dispute resolution.
  • Payment records: retained as required by applicable tax and financial regulations.

11. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

11.1 Access & Portability

You can view most of your data via your dashboard at any time. For a complete machine-readable data export, contact [email protected].

11.2 Correction

You can update your profile information, email, username, and password via Settings at any time.

11.3 Deletion (Right to be Forgotten)

You can delete your account via Settings. After the 30-day grace period, all personal data is permanently erased from our database and file storage, including all pets, images, trades, and profile data. This action is irreversible.

11.4 Restriction & Objection

Contact [email protected] to restrict processing of your data or object to specific processing activities based on legitimate interest.

11.5 Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time by unlinking third-party services, disabling optional features, or deleting your account. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.

11.6 GDPR (EU/EEA Users)

Under the General Data Protection Regulation, you have all rights listed above. We process data under the legal bases described in Section 3. You also have the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe we have violated your rights.

  • Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
  • France: CNIL (cnil.fr)
  • Germany: BfDI (bfdi.bund.de)
  • UK: ICO (ico.org.uk)
  • Or your local EU/EEA supervisory authority.

11.7 CCPA (California Users)

Under the California Consumer Privacy Act:

  • Right to Know: You can request what personal information we collect, use, and disclose.
  • Right to Delete: You can request deletion of your personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
  • We do not sell personal information as defined by the CCPA.
  • We do not share personal information for cross-context behavioral advertising.
  • To exercise your rights, contact [email protected] or use the account deletion feature in Settings.

11.8 Other Jurisdictions

If you reside in Brazil (LGPD), Canada (PIPEDA), Australia, or other jurisdictions with data protection laws, you may have similar rights. Contact [email protected] to exercise them.

12. Children's Privacy

The Service is not intended for children under 13 (or under 16 in the EU/EEA where applicable). We do not knowingly collect personal information from children under these ages. If we discover that a child has created an account, we will delete it and all associated data immediately. If you are a parent or guardian and believe your child has provided us with personal data, contact [email protected].

13. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. We use the following safeguards for international transfers:

  • Cloudflare operates under their Data Processing Addendum with Standard Contractual Clauses (SCCs) for EU data transfers.
  • Stripe is certified under the EU-US Data Privacy Framework.
  • All other processors are bound by data processing agreements that include appropriate transfer mechanisms.

By using the Service, you consent to the transfer of your data to these countries. We ensure that all transfers provide an adequate level of data protection consistent with this Privacy Policy.

14. Data Minimization

We follow the principle of data minimization — we only collect and retain data that is necessary for the purposes described in this policy. We do not collect data "just in case", and we regularly review our data practices to ensure compliance.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 30 days before taking effect, and/or via a prominent notice on the Service. The "Last updated" date at the top indicates when the policy was last revised. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

16. Contact & Data Protection

For any privacy-related questions, data subject requests, or concerns:

  • Email: [email protected]
  • Response time: within 30 days for all data subject requests (GDPR, CCPA, or other)
  • For urgent security matters: include "URGENT" in the subject line

If you are unsatisfied with our response, EU/EEA users have the right to lodge a complaint with their local supervisory authority (see Section 11.6).