Privacy Policy
1. Privacy Commitment
Krystal Unity Pty Ltd (“Krystal Unity”, “we”, “us”, “our”) is an Australian company committed to protecting the privacy rights of individuals. We operate KrystalView, a session replay and analytics platform with a native Model Context Protocol (MCP) server (“the Service”).
This document is the KrystalView product addendum to the master Krystal Unity Privacy Policy. It supplements the umbrella policy with KrystalView-specific data flows. For the full sub-processors list, GDPR/CCPA framework, international transfers, and your overall privacy rights across all Krystal Unity products, see the master policy at krystalunity.com/privacy.
We adhere to the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) and to the GDPR (EU) and UK GDPR for European data subjects. By using KrystalView you agree to the practices described here and in the master policy.
2. What We Collect
We collect information in two contexts: details you provide as a KrystalView customer, and analytics data collected by the KrystalView tracker installed on your website.
Account information (customers):
- Name and email address
- Company or organisation name
- Billing information — processed securely via Stripe; we do not store card numbers
- Account preferences and settings
- Support and communications history
Analytics data collected by the tracker on your websites:
- DOM snapshots captured via rrweb for session replay reconstruction
- Click coordinates and cursor movement for heatmap generation
- Page URLs and in-session navigation paths
- Browser user agent strings
- Viewport dimensions and device type
- Scroll positions and depth
- Session duration and event timestamps
3. What We Don’t Collect
KrystalView is designed with privacy as a default. No cookies are set on visitor browsers. No personally identifiable information about your website’s visitors is collected by default.
- No cookies are used by the KrystalView tracking script
- No personally identifiable visitor information is collected by default
- Password input fields are automatically masked and never recorded
- Any HTML element marked with the data-kv-no-record attribute is excluded from recording entirely
- No cross-site tracking is performed
- No data is sold to or shared with advertising networks
4. How We Use Data
We use the information we collect for the following purposes:
- To deliver, maintain, and improve the KrystalView session replay and analytics services
- To process payments and manage your subscription
- To send service communications including usage reports, billing notices, and important product updates
- To respond to support requests and enquiries
- To detect and prevent fraud, abuse, or security incidents
- To improve our product based on aggregated, anonymised usage patterns
We do not use your analytics data for our own marketing or advertising purposes.
5. Data Sharing & Sub-processors
We do not sell your personal information or your analytics data to third parties under any circumstances.
KrystalView relies on the following sub-processors specifically for its operation (the full Krystal Unity sub-processor list is in the master policy):
- Hetzner Online GmbH (Germany / Finland) — primary hosting, application servers, PostgreSQL with pgvector for the AI Evidence Store, Redis
- Stripe — subscription billing, AI Design Intelligence credit packs, customer portal
- Postmark / Resend — transactional email (signup confirmation, billing notices, weekly reports)
- Anthropic (Claude API) — AI analysis of session evidence (friction scoring, intent classification, anomaly explanation)
- OpenAI — AI inference for some report generation flows
- Google Ads API — only where you have explicitly connected your Google Ads account via OAuth (see Section 5a)
- Sentry — error tracking and reliability monitoring
- Professional advisers (legal, accounting, audit) as necessary, under confidentiality
- Authorities where required by applicable law or valid legal process
All sub-processors are bound by contract to handle your data only on Krystal Unity's instructions and consistent with this policy.
5a. Google Ads OAuth Integration (Campaign Intelligence)
KrystalView Campaign Intelligence allows you to connect your Google Ads account so that campaign performance data appears alongside session replay and conversion analysis in your dashboard.
- Scope requested: https://www.googleapis.com/auth/adwords — we use this read-only to fetch campaign performance metrics. We never modify your Google Ads account, create campaigns, or change bids.
- What we read: campaign names, daily spend, click counts, conversions, ROAS metrics, and account/customer ID for the customer accounts you authorise.
- What we do with it: display attribution and ROAS analysis inside your KrystalView dashboard; expose it via the MCP server to AI agents you have authorised; store it in your AI Evidence Store for queryable analysis.
- How tokens are stored: refresh tokens are encrypted at rest and used only to fetch the data above. They are not shared with any other sub-processor.
- Revoking access: at any time at myaccount.google.com/permissions, or by disconnecting the integration in your KrystalView console.
- Krystal Unity's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
6. GDPR Compliance
For customers and visitors located in the European Economic Area, United Kingdom, or other jurisdictions with equivalent data protection laws, the following applies:
- Legal basis: We process personal data on the basis of legitimate interest (providing the analytics service you have contracted) and, where required, explicit consent
- Right to access: You may request a copy of the personal data we hold about you
- Right to erasure: You may request deletion of your personal data, subject to any legal retention obligations
- Right to portability: You may request your data in a structured, machine-readable format
- Right to object: You may object to certain processing activities where we rely on legitimate interest
- Data Processing Agreements (DPAs): Available upon request for enterprise customers to satisfy Article 28 GDPR requirements
To exercise any of these rights, contact us at hello@krystalunity.com. We will respond within 30 days.
7. Data Retention
Analytics data is retained according to your subscription plan:
- Free plan: 7 days
- Pro plan: 90 days
- Enterprise: Custom retention period as agreed at time of contract
Data is automatically and permanently deleted after the applicable retention period expires. Account information is retained for the duration of your account and for a reasonable period thereafter to satisfy legal obligations or resolve disputes.
8. Security & Data Location
We implement appropriate physical, electronic, and managerial safeguards to protect your information against unauthorised access, disclosure, alteration, or destruction.
- Primary infrastructure: Hetzner Online GmbH, Germany (Falkenstein/Helsinki regions), with EU-grade data protection. Some workloads, edge nodes, and email transit run via DigitalOcean and our other sub-processors as listed in Section 5.
- All data in transit is encrypted with TLS 1.2 or higher.
- Data at rest is encrypted using industry-standard ciphers.
- Access to production systems is restricted to authorised personnel on a need-to-know basis with multi-factor authentication.
- Session replay data is processed and stored within EU infrastructure for EU customers; international data transfers (where applicable) are governed by Standard Contractual Clauses (2021) per the master policy.
- Security practices are reviewed regularly and updated in response to evolving threats.
While we take all reasonable steps to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to transparent, prompt disclosure if an incident occurs.
9. Your Rights
You have the right to access, correct, or request deletion of personal information we hold about you. You may also export your analytics data at any time through the KrystalView console.
To make a privacy request, contact us at hello@krystalunity.com. We will acknowledge your request within 5 business days and respond fully within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Changes become effective upon posting to this page.
We will notify registered customers of material changes by email or via an in-app notice before they take effect. We encourage you to review this policy periodically. The “Last updated” date at the top of this page indicates when the policy was most recently revised.