Privacy Policy for Kryptos
Effective date: 2026-07-16
Kryptos (“the app”) is a local-first, end-to-end-encrypted vault for your photos, videos, notes, and related metadata. This policy explains what the app does — and does not do — with your information.
Short version: Kryptos stores your data on your device, encrypted. The developer operates no servers and collects nothing about you. The app has no user accounts and no analytics, telemetry, advertising, or crash-reporting SDKs. The only time any of your data leaves your device is if you personally turn on the optional Sync feature — and even then, the app sends only end-to-end-encrypted data to a server that you run and control.
Who we are
Kryptos is developed by Greg Coonrod. You can reach us at support@microcode.io.
Data the app stores on your device
Everything you put into Kryptos is stored locally on your device, including:
- Media you import (photos and videos) and their thumbnails
- Notes
- Tags and other metadata you create
- App settings and preferences
This content is held in an encrypted database (SQLCipher) and, where applicable, encrypted files, using strong authenticated encryption (XChaCha20-Poly1305). The encryption keys are derived from your passphrase and stay on your device.
Unlocking the app
Access to your vault is protected by a passphrase and, if you enable it, biometric unlock (such as Face ID). Unlocking happens entirely on your device. Your passphrase and biometric data never leave your device and are never sent to us or anyone else. Biometric matching is performed by the operating system; the app never receives your biometric data.
We collect nothing
The developer of Kryptos runs no backend service for the app and does not collect, receive, store, or have access to your content, your keys, or any usage data. The app contains:
- No user account or sign-in
- No analytics or telemetry
- No advertising or advertising identifiers
- No third-party crash-reporting or monitoring SDKs
Consistent with this, Kryptos does not track you. We do not use your data to track you across apps or websites owned by other companies (NSPrivacyTracking = No), and the app’s App Store privacy label is “Data Not Collected.”
If the app crashes, we may receive an anonymized crash report only if you have opted in to sharing diagnostics with Apple through iOS Settings or TestFlight. Such reports are provided by Apple under Apple’s terms, contain no vault content, and are governed by Apple’s privacy policy — not ours. We operate no crash-reporting system of our own.
Optional Sync (self-hosted, end-to-end encrypted)
Kryptos includes an optional Sync feature that is off by default. If you choose to enable it:
- You pair the app with a sync server that you set up and operate yourself, by scanning a pairing QR code with your device camera. The camera is used only to read that QR code; camera images are not stored or transmitted.
- The app establishes an end-to-end-encrypted connection (Noise protocol) to your server and transmits only ciphertext. Your server stores encrypted data only.
- Because your data is end-to-end encrypted on your device before it is sent, neither the server operator (you) nor the developer of Kryptos ever sees your plaintext content or your encryption keys.
- The server address and pairing details you provide are used solely to connect to your server.
The developer does not host, provide, or have access to any sync server. If you enable Sync, you are responsible for the server you run and its data. This policy covers the Kryptos app; it does not cover any server software or hosting you choose to use.
Device permissions
The app requests device permissions (such as camera and photo library access) only to provide features you use — for example, scanning a pairing QR code or importing media into your vault. Data accessed through these permissions is used on-device for those features and is not sent to us.
Sharing
We do not sell, rent, or share your information. Because we do not collect your data in the first place, there is nothing for us to share with third parties.
Availability
Kryptos is offered only to users in the United States.
Children’s privacy
Kryptos is not directed to children and is not intended for use by children under 13. We do not knowingly collect information from children — and, as noted above, we do not knowingly collect information from anyone.
Data retention and deletion
Because your data lives on your device, you control it. You can delete content within the app, or remove it entirely by deleting the app, which removes its local encrypted data from your device. If you used Sync, deleting data on your self-hosted server is done through that server.
Changes to this policy
We may update this policy from time to time. Material changes will be reflected by updating the effective date above and, where appropriate, within the app.
Contact
Questions about this policy? Contact us at support@microcode.io.