Privacy Policy
This policy explains what personal data Kromacat collects, why, and what rights you have over it.
1. Who We Are (Data Controller)
Kromacat is the data controller for personal data processed through this platform. Contact us about privacy matters at privacy@kromacat.com.
2. Data We Collect
| Category | Data | Why |
|---|---|---|
| Account | Email address, hashed password | Authentication and account recovery |
| Profile | Display name, username, bio, social links | Public profile page |
| Photos | Image files, alt text, tags, descriptions | Core platform service (Grid/Feed/Pitch) |
| Avatar | Profile photo, crop coordinates | Identity representation |
| Social graph | Who you follow / are followed by | Feed chronology |
| Session | Auth tokens, session ID | Keeping you signed in (via Supabase Auth) |
| Technical | IP address, browser/OS, timestamps | Security, abuse prevention, consent audit |
| Analytics | Page URL and dynamic path, referrer, filtered query parameters, country / region / city (derived from IP; the IP itself is never stored), device OS & version, browser & version, device type (mobile / desktop / tablet), event timestamp | Understanding platform usage and improving the service. Data is aggregated only; it cannot identify or re-identify any individual. Collected via Vercel Web Analytics (cookie-less; session hash discarded after 24 hours). |
| Billing | Name, billing address, country, transaction IDs | Subscription processing and VAT compliance (Pitch only) |
| Consent log | Record of checkboxes accepted, document versions, IP at consent time | Legal compliance (GDPR Art. 7(1)) |
3. Legal Basis for Processing
| Processing purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the platform service | Art. 6(1)(b) – contract performance |
| Sending email confirmations & password resets | Art. 6(1)(b) – contract performance |
| Security monitoring & fraud prevention | Art. 6(1)(f) – legitimate interest |
| Tax record keeping | Art. 6(1)(c) – legal obligation |
| Marketing emails (optional) | Art. 6(1)(a) – consent (you opted in at registration) |
| Consent audit trail | Art. 6(1)(c) – legal obligation |
| Aggregated, cookie-less analytics | Art. 6(1)(f) – legitimate interest (understanding platform usage and improving the service). No cookies are set, no IP address is stored, and the data cannot identify individuals, so the privacy impact is minimal. |
4. Third-Party Processors
We use the following sub-processors. All have been assessed for GDPR adequacy:
| Processor | Role | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | United States (SCCs in place) |
| Vercel Inc. | Application hosting, edge network, cookie-less web analytics | United States (SCCs in place) |
| Payment processor | Subscription billing (Pitch) | EU/US (DPA in place) |
| Transactional email provider | Account confirmation, password reset emails | EU/US (DPA in place) |
We do not sell your data to third parties. We do not share data with advertisers.
5. Data Retention
| Data type | Retention period |
|---|---|
| Account & profile data | Until account deletion + 30 days (backup purge) |
| Photos & Grid content | Until you delete them or close your account |
| Consent log | Account lifetime + 5 years (legal obligation) |
| Tax invoices | 7 years (EU/UK statutory requirement) |
| Moderation records | As long as necessary for ongoing proceedings |
| Anonymised analytics | Indefinitely (not linked to individuals) |
6. Your Rights
Under GDPR Arts. 15–21 and CCPA, you have the following rights:
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art. 15) | Receive a copy of all your personal data | Email privacy@kromacat.com or use the in-app settings. We respond within 30 days. |
| Rectification (Art. 16) | Correct inaccurate personal data | |
| Erasure (Art. 17) | Request deletion of your data ("right to be forgotten") | |
| Restriction (Art. 18) | Limit how we process your data | |
| Portability (Art. 20) | Export your data in machine-readable format | |
| Object (Art. 21) | Object to processing based on legitimate interest | |
| Withdraw consent | Revoke marketing email consent at any time | Unsubscribe link in every email, or account settings |
7. Security
- All data transmitted over HTTPS/TLS 1.3
- Passwords hashed with bcrypt (Supabase Auth)
- Database encrypted at rest (AES-256)
- Row-level security (RLS) enforced on every table
- Breach notification to supervisory authority within 72 hours (GDPR Art. 33)
- Affected users notified without undue delay if high risk (Art. 34)
8. Cookies & Analytics
We use only strictly necessary cookies for authentication. No advertising or tracking cookies are set. See our Cookie Policy for the full list.
We use Vercel Web Analytics to understand how the platform is used. This service is entirely cookie-less: it sets no cookies and stores no IP addresses. Visitors are identified by a temporary hash derived from the incoming request; that hash is automatically discarded after 24 hours. All data is aggregated and cannot be used to identify any individual.
9. Complaints & Supervisory Authority
If you believe we have mishandled your personal data, you may:
- Contact us first via our complaints process
- Lodge a complaint with the Spanish data protection authority: AEPD (Agencia Española de Protección de Datos)
- Or with your local EU data protection authority