Kryptos Download
Legal

Privacy Policy

The short version: your vault stays on your device, encrypted with a key only you control. We don't have it. We don't want it.

Last updated: 15 May 2026

TL;DR
  • Your documents, cards, and notes are encrypted on your device with AES-256.
  • We do not run servers that hold your vault contents. We cannot read them.
  • Backups are encrypted blobs stored in your Google Drive — Google can't read them either.
  • We collect minimal diagnostic data (crash logs) to keep the app working. No tracking, no ads, no selling data.

1. Who we are

Kryptos ("the app", "we", "us") is published by Faizal Zain, an independent developer based in Kuala Lumpur, Malaysia. You can reach us at [email protected].

2. What data Kryptos handles

Kryptos handles two distinct categories of data:

2.1 Vault data (your documents)

Anything you store inside Kryptos — passport details, ID numbers, payment cards, notes, API keys, scanned images, OCR results — is your vault data. It includes:

  • Document fields you enter or that OCR extracts on-device
  • Photos or scans you choose to attach
  • Data read from NFC chips (ePassports, EMV payment cards)
  • Any notes, API keys, or tax numbers you add

Vault data never leaves your device unencrypted. It is stored in a SQLCipher (AES-256) encrypted database whose key is held in the Android Keystore — hardware-backed on supported devices — and gated behind your Android biometric authentication.

2.2 Account & diagnostic data

To make the app work, we may receive:

  • Your Google account email, only because Google Sign-In requires it to enable Drive backup and to scope the per-user encrypted database.
  • Anonymous crash & diagnostic reports from Google Play (you can disable this in your device settings) so we can fix bugs.
  • Google Play purchase tokens for verifying that you own Kryptos Pro.

We do not collect analytics events about your behaviour inside the vault. We do not log document contents, field values, or filenames.

3. What we do not do

  • We do not run a backend server that stores your vault contents.
  • We do not have a copy of your encryption key, biometrics, or password.
  • We do not sell, rent, or share your data with third parties.
  • We do not show ads, and we do not embed advertising SDKs.
  • We do not perform server-side OCR. ML Kit text recognition runs entirely on-device.
  • We do not transmit camera frames, NFC chip reads, or scanned images off-device.

4. Cloud backup & Google Drive

If you enable backup, Kryptos uploads your encrypted vault blob to your own Google Drive:

  • Free: The blob is written to the hidden Drive AppData folder, which only Kryptos can see for your account.
  • Pro: You may also write the blob to a visible "KryptosBackups" folder in My Drive, so you can copy it elsewhere for safekeeping.

In both cases, the file Google receives is opaque ciphertext. Google Drive cannot decrypt it. We cannot decrypt it. Only your device, after a successful biometric unlock, can.

5. Permissions we request

  • Camera — to scan documents with OCR. Frames are processed on-device and not stored unless you save the document.
  • NFC — to read electronic passports and EMV cards. Reads happen locally; nothing is transmitted.
  • Biometric — to unlock your vault using Android Biometric.
  • Internet — only for Google Sign-In, Google Drive backup, expiry notifications, and Play purchase verification.
  • Notifications — to remind you before passports, IDs, and cards expire.

6. Children's privacy

Kryptos is not directed at children under 13. We do not knowingly collect personal information from children.

7. Data retention & deletion

Because your vault lives on your device, deleting Kryptos deletes your vault. To delete cloud backups:

  • Open Google Drive → Settings → Manage apps → Kryptos → Delete hidden app data (free tier).
  • Or delete the "KryptosBackups" folder in My Drive (Pro tier).

Diagnostic and crash reports collected by Google Play are managed under Google's retention policies and your Play Console settings.

8. Your rights

Depending on your jurisdiction (GDPR in the EU/UK, PDPA in Malaysia, CCPA in California, etc.), you may have the right to access, correct, or delete personal data we hold about you. Since we hold no copy of your vault data, requests under these laws will primarily concern your account email and any diagnostic information — write to [email protected].

9. Third-party services

Kryptos relies on a small number of third parties, each used for the narrowest possible purpose:

  • Google Sign-In / Credential Manager — authentication.
  • Google Drive — encrypted backup storage.
  • Google ML Kit — on-device OCR (no network).
  • Google Play Billing — Pro purchase verification.

These services are governed by their own privacy policies.

10. Changes to this policy

If we update this policy, we will revise the "Last updated" date above and, for material changes, notify you in-app. Continued use of Kryptos after a change constitutes acceptance.

11. Contact

For privacy questions or requests, email [email protected].