Privacy Policy
Last updated: 11 June 2026
Privacy is the reason Krosos exists. Each customer gets a dedicated application instance with its own database — your financial data is never stored alongside anyone else's. This policy explains what data we process, why, and what your rights are.
1. Who is responsible
The data controller is Vulpra Consulting SRL, registered in Belgium, company number 1027.151.509 (full company details in our terms of service). Contact: [email protected].
2. What we collect
Account data
- Your email address, obtained when you sign in with Google (see section 3) or sign up.
- Your chosen subdomain, subscription plan and status.
Data inside your instance
- The financial data you enter or import: accounts, assets, transactions, balances.
- Read-only exchange/wallet API keys you choose to connect — stored encrypted at rest with a key unique to your instance, never displayed back to you and never written to logs.
- If you link a bank account, the read-only open-banking session token and the account details it returns (IBAN, holder name, balances) — also stored encrypted at rest with your instance's key, and processed only on your own instance.
- This data lives only in your own instance's database. We do not aggregate, analyse, sell or advertise on it. Our staff do not access it except for support at your request, or where strictly required to operate the Service (e.g. restoring a backup).
Billing data
- Payments are handled by Stripe, our merchant of record. Stripe collects your payment details and billing address under its own privacy policy; we never see your full payment details — we receive your email, plan and subscription status.
Technical data
- Standard server logs (IP address, request path, timestamp) for security and operations, retained for a limited period.
- If you consent, this marketing website uses privacy-friendly analytics and first-party signup-intent events to understand public-site traffic and trial interest. We store a first-party visitor ID in your browser's local storage and track page paths, referrers, campaign parameters and checkout-intent events, but not financial data from your instance.
- Your application instance uses a single, essential session cookie to keep you signed in. There are no analytics or trackers inside your instance.
3. Google user data
You sign in to Krosos with Google (OAuth). We request only the email scope: your email address and its verification status. We use it solely to verify that you are the owner of your instance and to contact you about your subscription. We do not request access to your Gmail, Drive, contacts, calendar or any other Google data.
Krosos's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
4. Why we process data (legal bases)
| Purpose | Legal basis (GDPR art. 6) |
|---|---|
| Providing your instance, sign-in, sync and backups | Performance of a contract (6.1.b) |
| Billing and tax compliance (via Stripe) | Contract (6.1.b) and legal obligation (6.1.c) |
| Marketing website analytics and signup-intent measurement | Legitimate interest (6.1.f) |
| Security logging, abuse and fraud prevention | Legitimate interest (6.1.f) |
| Service emails (receipts, "instance ready", payment issues) | Contract (6.1.b) |
| Product news (only if you opt in) | Consent (6.1.a), withdrawable anytime |
5. Who we share data with (subprocessors)
We use a small number of service providers. None of them may use your data for their own purposes.
| Provider | Purpose | What they process |
|---|---|---|
| Railway | Hosting of your instance and database (EU region) | Everything stored in your instance |
| Cloudflare | DNS, TLS and privacy-friendly web analytics for our public website | Connection metadata and public-site usage metrics |
| Google | Sign-in (OAuth) | Your email address |
| Stripe | Payments, invoicing, VAT (merchant of record) | Billing details (as its own controller) |
| Price data providers (e.g. CoinGecko, stock/FX data, Zerion, ECB) | Fetching market prices and on-chain balances | Only the queried tickers and, for on-chain wallets, the wallet addresses you add — never your name or holdings overview |
| Enable Banking (regulated AISP, PSD2 open banking) | Connecting your bank to read account balances, only if you choose to link one | Brokers the read-only connection to your bank; the balances and account details it returns are processed only on your own instance, not stored by us centrally |
| Zoho Mail | Support and service email | Your email address and the content of emails you exchange with us |
| Sentry | Error monitoring | Technical error context, scrubbed of personal data |
Instances are hosted in the EU. Where a provider processes data outside the EEA, transfers are covered by an adequacy decision or EU Standard Contractual Clauses.
We never sell personal data.
6. How long we keep data
- While you subscribe: your instance and its nightly backups remain active.
- If you cancel during the trial: your instance, its database and its backups are deleted immediately — trial data is not retained.
- After a paid subscription is cancelled: your instance is retained for 30 days so you can export your data or come back, then the instance, its database and its backups are permanently deleted.
- If you delete your data in-product: the database is wiped immediately; backups age out of the rotation within 30 days.
- Server logs: retained up to 30 days.
- Billing records: kept as long as tax law requires (in Belgium, generally 7 years), by us and by Stripe.
7. Security
- Single-tenant isolation: your data lives in its own database in its own application instance.
- All traffic is encrypted in transit (TLS). Exchange API keys are encrypted at rest with a per-instance key and are write-only — they are never returned by any API or shown in the UI.
- We require read-only API keys, so the Service can never move your assets.
- Sign-in is delegated to Google; we store no passwords.
8. Your rights
Under the GDPR you can ask for access, rectification, erasure, restriction and portability, and you can object to processing based on legitimate interest. Most of this is built into the product:
- Access & portability: download your full database or a JSON export anytime, in-product.
- Erasure: delete all your data in-product, or cancel and let the 30-day retention lapse.
- For anything else, email [email protected] — we respond within 30 days.
You can lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données) or your local supervisory authority.
9. Children
The Service is not directed at children and requires you to be at least 18.
10. Changes to this policy
We will update this policy as the Service evolves (for example when an email or error-monitoring provider is added). Material changes are announced by email or in-product notice before they take effect.
11. Contact
Vulpra Consulting SRL · Belgium · company number 1027.151.509
[email protected]