Privacy Policy
Effective May 21, 2026
This Privacy Policy describes how Kraty ("we") collects, uses, and shares information when you use the Kraty platform (the "Service"). We operate the Service as a data processor on behalf of game studios (our "Customers"); their players' personal data is handled per the Customer's instructions.
1. Information we collect
From studio members (data controllers of their players' data)
- Account details: name, email, profile picture from your OAuth provider.
- Studio + game configuration: events, items, currencies, bots, reward tables.
- API keys (hashed; we never store the plaintext).
- Audit log of administrative actions in the dashboard.
From player traffic via your SDK (Customer Data)
- External player identifiers chosen by your game backend (we never collect player PII directly).
- Player context snapshots you submit (level, league, country, etc.) — used for matchmaking and reward scaling.
- Attempt metrics, scores, and rank.
- Grant + claim history.
- IP address and request metadata for abuse prevention; not exposed to studios.
2. How we use it
- To operate the Service: run events, leaderboards, bots, and reward pipelines.
- To deliver signed webhooks to receivers you configure.
- To monitor and protect the Service from abuse, fraud, and outages.
- To send transactional emails: invitations, billing, security notices.
We do not sell personal data, use Customer Data to train AI models, or share data across studios.
3. Sub-processors
We use a small set of sub-processors to operate the Service. Current categories are listed below; the full list is available on request and updated with at least thirty (30) days' notice for material changes:
- Cloud infrastructure (database, object storage, edge network).
- Email delivery for transactional messages.
- Error monitoring (with personal-data scrubbing rules in place).
4. Data residency
Customer Data is stored in the region you select at studio creation: US, EU, or APAC. Cross-region transfer happens only when you migrate or when required by an explicit instruction.
5. Retention
- Player attempt + grant rows: kept for the lifetime of your studio.
- Webhook delivery payloads: 90 days, then deleted.
- Audit log: 90 days on Studio, 1 year on Scale.
- Account data after termination: 90 days, then deleted (see Terms § 6).
6. Your rights
Where applicable law (such as the GDPR or CCPA) gives you rights of access, correction, deletion, or portability over your personal data, you can exercise those rights via your studio administrator or by emailing privacy@kraty.io. For end-user player data, those rights run through your Customer (the studio), since we hold that data as their processor.
7. Security
- Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Row-level security for tenant isolation in our primary database.
- API keys hashed with a memory-hard KDF; never stored in plaintext.
- Webhook signatures use HMAC-SHA256 with rotating secrets per endpoint.
- Annual penetration test; on-call incident response with a public status page.
8. Children
The Service is not directed to children under 13. Studios are responsible for ensuring their own player base complies with applicable child-data laws (COPPA, UK Children's Code, etc.). On request we will support age-gate configurations on Customer events.
9. Changes
We may update this Privacy Policy as the Service evolves. Material changes will be announced at least thirty (30) days in advance to your studio administrator.
10. Contact
Privacy questions, requests, or complaints: privacy@kraty.io.