This App Privacy Policy (the «Policy») explains how Kraster Technology Solutions Limited («Kraster», «we», «us», or «our»), a company incorporated in Hong Kong Special Administrative Region, processes data within the Kraster mobile application and its in-app features (the «App»).
This Policy applies only to data processed through the App, including:
• operation of core App functions, connecting and managing cards;
• optional portfolio tracking and in-app integrations;
• delivery of push notifications (if enabled);
• technical data strictly necessary to ensure the stability and security of the application.
Kraster operates on a non-custodial basis. We never collect, transmit, or store private keys, seed phrases, PINs, or any credentials that can control digital assets.
The App may process public wallet addresses and card metadata only to deliver requested functionality, always under your control.
The App is designed to process only the minimal technical data needed for functionality.
Depending on your settings, this may include:
• Device or push tokens (only if you opt in to notifications);
• Public wallet addresses and portfolio items you choose to track;
• Card identifiers and metadata used for provisioning and operation (e.g., card serial, issuance month, activation order, total transaction count);
• Basic technical details (device type, OS, App version).
No personal identifiers such as name, email address, or phone number are collected unless you provide them voluntarily (e.g., in a support request).
The App may interact with a limited set of services. These partners receive only the minimum data necessary for requested features. Where they act as independent controllers, their own privacy notices apply. Further details are provided in Section 5 (Data Sharing).
We process App data exclusively to:
• operate and maintain the App's core features;
• deliver push notifications (if enabled);
• improve performance and reliability;
• ensure security and prevent fraud or abuse;
• and comply with applicable legal obligations.
Where required (for example, for users in the EEA), processing is carried out under appropriate legal bases and safeguards, as described in Section 4.
This Policy does not cover our website, online store, logistics, or email communications - those are governed by the Kraster Website Privacy Policy. This Policy complements, but does not replace, our Website Privacy Policy.
If you use both the App and the website, each Policy applies to the corresponding platform. By using our App, you acknowledge that you have read and understood this Policy.
The entity responsible for determining the purposes and means of data processing within the App is:
Kraster Technology Solutions Limited
Incorporated in Hong Kong Special Administrative Region
Registered office address: Hong Kong, Wan Chai, 171 Lockhart Road, Kingswell Commercial Tower, Flat A 8/F
privacy@kraster.business
Kraster Technology Solutions Limited acts as the data controller for the processing of App-related data. Certain technical operations - such as hosting, storage, and push-notification delivery - may be performed by carefully selected data processors acting on Kraster's behalf and bound by written data-protection agreements (see Section 5 - Data Sharing).
If you have questions or requests regarding this Policy or the handling of your data, you can contact us using the email above. We aim to respond to privacy-related requests within one month, or within any longer period permitted by applicable law.
For users located in the European Economic Area (EEA), Kraster applies the principles and safeguards of the General Data Protection Regulation (GDPR).
Where required, Kraster may appoint: an EU Representative (Article 27 GDPR); and/or a Data Protection Officer (DPO).
If appointed, their contact details will be published in this Policy and made available in the App and on our website.
The App is developed according to the principle of data minimization.
We collect and process only the data strictly necessary to operate the App, deliver requested features, and maintain its stability and security. The categories of data processed in the App are listed below.
User Account and Identification Data (applies only if you register or log in through the App)
• Email address - if registration or authentication via email is available in the App;
• Public wallet address(es) - used for portfolio tracking, card linkage, and visualization of transaction history;
• Card identifiers – unique serial number, issue month, and activation sequence (to identify your card within the App);
• Timestamps – such as registration date, card linking, or last activity.
The App never processes or stores private keys, seed phrases, or PINs.
All cryptographic material remains entirely under your control on the device or physical card.
Technical and Device Data (automatically generated and processed to ensure App functionality and performance)
• Device model, operating system, and App version;
• System or vendor identifiers, including push notification token (if notifications are enabled);
• Country and language preferences (derived from device settings for localization);
• Crash logs and performance telemetry (technical diagnostics only - no personal content);
• Anonymous usage metadata (e.g., feature activation, error events, aggregated analytics).
This information is used solely to ensure compatibility, stability, and correct localization of the App. It is not used for marketing, profiling, or behavioral tracking.
If you opt in to push notifications, the App processes:
• a push notification token generated by your device;
• your notification preferences (for example, card status or transaction alerts).
Push tokens are managed through OneSignal and are not associated with your name, wallet, or any personal identifiers. You may disable notifications at any time in your device or App settings.
We use limited, privacy-friendly analytics tools to understand App performance and usability. All analytics operate in anonymized or pseudonymized form. No advertising identifiers or cross-service profiling are used. Where required by law (e.g., for EEA users), analytics are based on your consent.
If you choose to use optional integrations, the App may exchange limited data with:
• Exchange APIs (ChangeHero) – to initiate swaps or transactions, transmitting only wallet address and transaction metadata;
• Support channels – if you contact us via in-App chat or email, we process your message and contact details solely to respond to your request.
Each partner processes only the minimum data necessary for its function.
Where such partners act as independent controllers, their own privacy notices apply.
The App does not access or collect:
• contacts, photos, or media files;
• biometric data;
• microphone, camera;
• any private cryptographic material or seed phrase information.
Kraster processes personal data within the App only for purposes that are necessary to operate its features and to maintain a secure, reliable service.
All data handling follows applicable privacy laws. For users in the EEA, this means compliance with the GDPR.
The main reasons why your data may be processed are listed below:
App registration and account management
Data: device information and (if registration is enabled) email and timestamps.
Legal basis: legitimate interest (to provide App functionality) / user request.
Used to enable login, account linkage, and secure authentication in the App.
Card provisioning and linkage
Data: card identifiers, public wallet addresses, timestamps.
Legal basis: legitimate interest / legitimate interest.
Required to link your cards with the App and display related information.
App functionality and maintenance
Data: technical and device data, crash logs, telemetry.
Legal basis: legitimate interest (ensuring service operation and security).
Helps maintain compatibility, performance, and system stability.
Localization and interface preferences
Data: language and region settings derived from your device (no personal identifiers processed).
Legal basis: legitimate interest / user request.
Allows automatic localization of the App's interface and improves usability.
Push notifications (optional)
Data: push-notification token and notification preferences.
Legal basis: consent.
Used to deliver only those App notifications you explicitly enable (for example, card updates or system messages).
You may withdraw your consent at any time in your App or device settings.
Analytics and performance improvement
Data: aggregated usage and telemetry data.
Legal basis: consent (for EEA users) / legitimate interest (for others).
Used to understand performance and user flow to improve the App.
All analytics are pseudonymized and never used for advertising or profiling.
Security and fraud prevention
Data: device identifiers and limited network information (such as approximate IP, if temporarily logged by our infrastructure or analytics providers).
Legal basis: legitimate interest (ensuring App integrity and preventing misuse).
This information is used only for technical diagnostics and security purposes, not for user profiling or tracking.
Customer support and compliance obligations
Data: message content and contact details you provide when requesting assistance; account-related and technical records where legally required.
Legal basis: legitimate interest / legal obligation.
Processed to comply with applicable laws, such as fraud-prevention or accounting requirements.
Kraster does not use App data for profiling, marketing, or targeted advertising.
Where consent is required, it is obtained transparently in the App, and you may withdraw it at any time. Processing under legitimate interest is carried out in a manner that does not override your rights or freedoms.
We never sell or trade user information collected through the App. We share limited data with trusted partners only when necessary to operate the App, deliver requested features, or comply with legal obligations.
Some of our partners handle data for us under contract, while others run their own services and apply their own privacy terms.
Processors (service providers acting on our behalf)
These partners process data solely under Kraster's written instructions and data-protection agreements:
• Hosting and Infrastructure – DigitalOcean, LLC
Purpose: hosting of backend components and encrypted technical logs.
Jurisdiction: USA / Netherlands (Standard Contractual Clauses applied for EEA users).
• Push Notifications – OneSignal, Inc.
Purpose: delivery of push notifications based on user opt-in.
Jurisdiction: USA (Standard Contractual Clauses applied).
• Email and Support Tools – Kraster internal system or appointed processor
Purpose: managing user-initiated support requests.
Jurisdiction: Hong Kong.
• Security and Diagnostics – Kraster internal tools
Purpose: monitoring App integrity, detecting anomalies, and ensuring reliability.
Jurisdiction: Hong Kong.
Independent Controllers (third parties operating under their own policies):
• Payment or exchange integrations – only if initiated by the user via connected third-party services (e.g., ChangeHero).
Kraster does not access or store payment or transaction credentials; such services operate under their own privacy policies.
• Regulatory or Legal Authorities
Purpose: disclosure when required by applicable law or valid legal order.
Note: Kraster assesses each request to ensure it is lawful, necessary, and proportionate.
• App distribution platforms (Apple App Store, Google Play) may collect technical logs under their own privacy policies.
Legal Disclosures. Kraster may disclose information only when required by law or following a lawful, proportionate request from a competent authority. Each request is reviewed to verify its legal basis and necessity before any data is released.
Changes to Third-Party Relationships. Our list of processors and independent controllers may evolve as the App develops. The current version of this list is maintained in this Policy.
If future updates materially affect how data is shared, Kraster will notify users where legally required.
Kraster is incorporated in Hong Kong SAR, and our technical infrastructure and service providers may operate in several jurisdictions, including countries outside the European Economic Area (EEA).
This means your data may be transferred to, stored, or processed in countries whose privacy laws may differ from those in your country of residence.
If data has to be transferred between countries, we make sure it's done securely and under proper legal safeguards. These safeguards include:
• Standard Contractual Clauses (SCCs) - for transfers to service providers located in countries without an adequacy decision, Kraster relies on the European Commission's approved clauses to ensure appropriate protection.
• Contractual and organizational controls - all processor agreements include data-protection clauses, and Kraster verifies that each provider maintains adequate technical and organizational measures such as encryption, access control, and monitoring.
• Data minimization and encryption – we share only the minimum data necessary for the relevant purpose and apply encryption both in transit and at rest whenever feasible.
For users in the EEA, we follow Chapter V of the GDPR on international transfers.
For users outside the EEA, transfers follow the applicable local privacy laws.
By using the App, you agree that your data may be processed in Hong Kong, the EU, the US, or other countries where our trusted partners operate - always with the safeguards described above.
Kraster retains personal data only for as long as necessary to fulfil the purposes described in this Policy or as required by applicable law. Retention periods vary depending on the type of data and the purpose for which it was collected.
Whenever possible, data is stored in aggregated or de-identified form and securely deleted once it's no longer required.
Account and linkage data. Information such as your email (if applicable), account timestamps, and card identifiers is retained only while your account or card remains active.
When you close your account or unlink your card, this data is deleted or anonymized within a reasonable period.
Portfolio and wallet data. Your public wallet addresses and tracked portfolio items are stored locally on your device, not on Kraster servers. You can delete this data at any time by clearing the App data or uninstalling the App.
Technical and diagnostic logs. Device and performance data, including crash reports and telemetry, may be retained only as long as needed for technical or legal purposes. Such data is stored in aggregated or anonymized form and cannot be linked to individual users.
Push-notification tokens. Push tokens are retained only while notifications remain enabled. They are automatically invalidated when you disable notifications or uninstall the App.
Analytics and telemetry data. Aggregated analytics are stored only as long as needed for technical or legal purposes. No raw personal data or advertising identifiers are retained.
Support correspondence. Messages sent to Kraster support are kept for as long as required under applicable legal or regulatory obligations.
Legal and compliance records. Certain records may be kept as required by applicable law (for example, up to five years under accounting or anti-fraud regulations). These are retained securely and separately from operational App data.
Once retention periods end, we permanently delete or anonymize the information so it can't be tied back to you. Some App data - such as local settings, wallet tracking, or portfolio information - is stored exclusively on your device; deleting or uninstalling the App will permanently remove it from your local storage.
Depending on your country of residence and applicable law, you may have certain rights regarding your personal data processed through the Kraster App. Kraster respects these rights and provides practical ways to exercise them.
Access and Portability. You may request confirmation of whether Kraster processes your personal data and, if so, obtain a copy of that data. Where technically feasible, we can provide it in a structured, commonly used, and machine-readable format.
Rectification. If any information we hold about you is inaccurate or incomplete, you have the right to request correction or update.
Erasure («Right to be Forgotten»). You may request deletion of your personal data in the following cases:
• when the data is no longer necessary for the purposes for which it was collected;
• when you withdraw consent (if processing was based on consent);
• when processing is unlawful; or
• when required by applicable law.
Deleting or uninstalling the App will remove all locally stored data (such as wallet tracking and preferences). For account-related data, you can contact us at privacy@kraster.com to request deletion.
Restriction of Processing. You may request that Kraster restrict the processing of your personal data in certain cases - for example, while verifying its accuracy or if you have raised an objection.
Objection to Processing. Where processing is based on legitimate interest, you have the right to object. Kraster will stop such processing unless we demonstrate compelling legitimate grounds or the processing is necessary to establish, exercise, or defend legal claims.
Withdrawal of Consent. If you have given consent (for example, for push notifications or analytics), you may withdraw it at any time by:
• disabling the relevant setting within the App, or
• contacting us at privacy@kraster.com.
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
Complaints. If you are located in the EEA, you have the right to lodge a complaint with your local data protection authority. You may also contact the Office of the Privacy Commissioner for Personal Data (Hong Kong), which acts as our primary data protection authority.
We encourage you to contact us first — we will make every reasonable effort to resolve your concerns directly and amicably.
Kraster takes the security of your data seriously and regularly reviews its security controls. We use a combination of technical and organizational safeguards to protect your data against unauthorized access, loss, or misuse.
Our security approach combines non-custodial architecture, end-to-end encryption, and restricted backend access, ensuring that your data remains primarily under your control.
Non-custodial architecture. The Kraster App never stores or has access to your private keys, seed phrases, or any data that enables control over digital assets.
All sensitive cryptographic operations occur locally on your device or card and are never transmitted to Kraster servers.
Encryption and transmission security. All communication between the App and Kraster's backend (where applicable) is encrypted in transit. Data stored within our infrastructure is encrypted using industry-standard methods and managed under strict access controls.
Access control and least privilege. Only a few authorized team members can access personal data - and only when it's genuinely needed. Access is protected by multi-factor authentication and role controls.
Anonymization and pseudonymization. Wherever possible, diagnostic and analytics data are collected in aggregated or pseudonymized form, ensuring that individual users cannot be directly identified.
Device-level protection. The App relies on the built-in security features of your operating system. We recommend keeping your device software up to date and protected with a PIN or biometric authentication.
Monitoring and incident response. Kraster continuously monitors its systems for irregularities or unauthorized activity. In the event of a data breach involving personal data, we will take immediate steps to contain the incident and, where required by law, notify affected users and relevant authorities without undue delay.
User responsibility. While Kraster implements strong security measures, some aspects of protection depend on you.
We encourage you to:
• keep your device and Kraster card secure;
• never share your private keys, recovery phrases, or authentication codes;
• download the Kraster App only from official sources (App Store, Google Play, or our website).
The Kraster App is intended for use by individuals aged 18 or older, or the age of legal majority in their country of residence. The App and its features are not designed or marketed for use by children.
Kraster does not knowingly collect or process information from individuals under this age. If we become aware that data has been provided by a minor without verified parental consent, we will promptly delete it from our systems.
Parents or legal guardians who believe that their child may have shared information with Kraster are encouraged to contact us at privacy@kraster.com. We will review the request and take appropriate action to resolve the matter without delay.
From time to time, we might update this Policy if our services, technology, or legal environment change. When updates are made, we will always indicate the effective date at the top of the document.
If any changes materially affect how your data is processed or alter your rights, we will provide clear notice - for example, through an in-App message or by email (where applicable) - before the changes take effect.
The most recent version of this Policy will always be available within the App and on our official website. We encourage you to review it periodically to stay informed about how we handle and protect your data.
Your continued use of the Kraster App after an updated Policy becomes effective will signify your acceptance of the revised terms.
If you have any questions about this App Privacy Policy or how Kraster processes your data, please contact us using the details below:
Kraster Technology Solutions Limited
Incorporated in Hong Kong Special Administrative Region
Registered office address: Hong Kong, Wan Chai, 171 Lockhart Road, Kingswell Commercial Tower, Flat A 8/F
privacy@kraster.business or the in-app support form
We aim to respond to privacy-related requests within one month, or within any longer period permitted by applicable law.
For users located in the European Economic Area (EEA): you may contact us directly at the address above if you have any questions or concerns under the GDPR.
Where legally required, Kraster may appoint: an EU Representative under Article 27 GDPR, and/or a Data Protection Officer (DPO). Once appointed, their contact details will be published in this Policy and made available within the App.