Privacy Policy

Information You Provide

When you create a Krafio account or use our services, we may collect: your email address and password (stored in hashed form), your name or display name if provided, craft project data including photos, notes, materials lists, and project metadata, and any other information you choose to submit through the app.

Information Collected Automatically

When you use Krafio, we may automatically collect: device information (device type, operating system version, unique device identifiers), app usage data (features accessed, session duration, crash reports), IP address and approximate location (country/region level only), and performance and diagnostic data to improve app stability.

Photos and Media

Photos you upload for your craft projects are stored securely and accessible only to you via signed, time-limited URLs. We do not use your photos for any purpose other than displaying them within your account.

Service Delivery

We use your information to: create and manage your account, sync your craft project data across your devices, provide customer support when you contact us, and send essential service notifications (e.g., security alerts, policy updates).

Service Improvement

We may use aggregated, anonymized data to understand how users interact with Krafio, identify and fix bugs, and improve features. This data cannot be used to identify you individually.

Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process your personal data on the following legal bases: (a) Performance of a Contract — to provide the services you signed up for; (b) Legitimate Interests — to improve and secure our services; (c) Legal Obligation — to comply with applicable laws; (d) Consent — for any optional data processing where we have asked for your permission.

Infrastructure

Your data is stored on Google Firebase infrastructure (Firestore, Firebase Storage, Firebase Authentication), which uses industry-standard encryption (AES-256 at rest, TLS in transit). Firebase is operated by Google LLC and data may be stored and processed on Google's global server infrastructure, including servers located in the United States and other regions. Google maintains appropriate data processing agreements and safeguards consistent with applicable law, including GDPR Standard Contractual Clauses for transfers outside the EEA.

Security Measures

We implement technical and organizational security measures including: encrypted data storage, secure HTTPS connections, access controls limited to authorized personnel, regular security reviews, and secure signed URLs for photo access that expire after a limited time.

Data Retention

We retain your account data for as long as your account remains active. If you delete your account, all personal data and project content will be permanently deleted within 30 days. Anonymized analytics data may be retained for up to 2 years.

We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing or commercial purposes.

Service Providers

We work with trusted third-party service providers who process data on our behalf under strict data processing agreements. These include: Google Firebase (database, storage, and authentication infrastructure), Apple / Google (app distribution platforms subject to their own privacy policies), RevenueCat (subscription management), and crash reporting or analytics tools (using anonymized data only).

Legal Disclosures

We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a legal obligation.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice within the app before your personal information is transferred and becomes subject to a different privacy policy.

Rights for All Users

Regardless of your location, you have the right to: access the personal data we hold about you, correct inaccurate or incomplete data, delete your account and all associated data, request a copy of your project data in a commonly used machine-readable format (where technically feasible), and opt out of non-essential communications.

GDPR Rights (EEA & UK Users)

If you are located in the EEA or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR), including: the right to restriction of processing, the right to object to processing, and the right to lodge a complaint with your local data protection authority (DPA).

CCPA Rights (California Residents)

California residents have the right to know what personal information is collected, used, shared, or sold; to opt out of the sale of personal information (we do not sell personal information); to access their personal information; and to deletion of personal information. We do not discriminate against users who exercise their CCPA rights.

How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@krafio.app. We aim to acknowledge requests within 5 business days and complete verified privacy requests within 30 days, unless a longer period is permitted by law. We may ask you to verify your identity before processing your request.

Age Restriction & Parental Consent

Krafio is not directed to children under 13, unless the child resides in a jurisdiction requiring a higher digital age of consent, in which case that age applies. Children under the applicable age limit may only use Krafio with verifiable parental or legal guardian consent. For users between 13 and 18, parental consent is recommended. We do not knowingly collect personal information from children where consent requirements are not met.

COPPA Compliance (US Children)

For children under 13 in the United States, Krafio complies with the Children's Online Privacy Protection Act (COPPA). We: (a) collect only the minimum information necessary (email and password for account creation); (b) do not use children's information for marketing, targeted advertising, or third-party sales; (c) implement reasonable security measures to protect children's data; (d) provide parents access to their child's information; (e) allow parents to request deletion of their child's account and data.

Photo & Project Data Safety

For users under 18, photos and project content remain completely private and are not shared with peers or third parties unless explicitly requested through app features. We use industry-standard encryption to store all project data. Parents and guardians may contact privacy@krafio.app to request a full audit of their child's account.

Verifiable Parental Consent Process

If a user under the applicable age of digital consent wishes to create an account, we may request verifiable parental consent through: (a) a form completed by a parent/guardian with their credit card verification (using third-party payment verification, not charged), or (b) a signed parental consent form submitted by email. The parent/guardian will be given the option to manage, review, or delete the child's account at any time.

Action on Discovery of Underage Users

If we become aware that we have inadvertently collected personal information from a child without proper consent, we will: (a) immediately notify the parent or guardian (if contact information is available), (b) take immediate steps to delete that user's personal data from our systems (subject to legal holdback periods), and (c) retain only the minimum information necessary to comply with law. If you believe we may have collected information from a child in violation of COPPA or other law, please contact us immediately at privacy@krafio.app.

In-App Tracking

The Krafio mobile app does not use traditional browser cookies. We may use local storage on your device solely to maintain your session and preferences. We do not use cross-app tracking technologies for advertising purposes.

App Tracking Transparency (iOS)

On iOS 14.5 and later, we will request your permission before tracking your activity across other apps and websites. You may change this permission at any time in your device's Settings > Privacy > Tracking.

Analytics

We may use anonymized, aggregated analytics to understand app usage patterns. This data does not identify you and is used solely to improve Krafio's features and performance.

Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make material changes, we will notify you by: updating the 'Last Updated' date at the top of this page, sending a notification through the Krafio app, and/or sending an email to the address associated with your account.

Continued Use

Your continued use of Krafio after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the revised policy, you must discontinue use of the app and may request deletion of your data.