Privacy Protection

GDPR Compliance.

KeyFT (Operated by Aditya) is committed to processing data in accordance with the General Data Protection Regulation (GDPR) and global privacy standards.

1. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

Contractual Necessity: To execute the mission verification you agreed to perform.
Legitimate Interest: To prevent fraud (GPS spoofing, emulators) and ensure protocol security.
Legal Obligation: For financial reporting and tax compliance via our Merchant of Record, Paddle.

2. Data Subject Rights

As a user, you have specific rights designed to give you control over your personal information:

Right to Access: Obtain a copy of your mission logs and payment history.
Right to Erasure: Request the permanent deletion of your worker profile and WhatsApp ID.
Right to Rectification: Update inaccurate bank details or contact information.
Right to Data Portability: Receive your data in a structured, JSON/CSV format.

3. Data Transfers & Security

Data is stored using Cloudflare’s encrypted infrastructure. As we operate globally, your data may be processed outside the EEA. We ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), to maintain protection equivalent to EU standards.

Protocol Security: All biometric "Liveness Checks" are processed on-device. KeyFT does not transmit or store raw facial imagery on central servers.

4. Third-Party Processors

We share limited data with essential partners to maintain the service:

Lemon squeezy (Merchant of Record): Manages billing, tax, and compliance globally.
Cloudflare: Provides DDoS protection and secure data hosting.
Mission Owners: Access worker names and WhatsApp IDs only to facilitate payroll.

5. Data Retention & Automated Deletion

We adhere to the principle of "Storage Limitation" by ensuring personal data is not kept longer than necessary for its intended purpose. Our system operates an automated "Zero-Bloat" protocol:

Mission Reports: All worker data and mission logs are subject to a 90-day maximum retention limit. Records are permanently purged after 90 days, regardless of account status. Additionally, reports are deleted 5 days after a plan expires if not renewed.
Temporary Data: Short-lived instructions or transient session messages (Job Instructions) are purged every 32 days from the date of creation.
Financial Records: Payment metadata is retained by our Merchant of Record (Lemon Squeezy) as required by international tax laws, independent of our local worker data purge.

Warning: Once the 90-day limit or the 5-day post-expiration window is reached, data recovery is strictly impossible as the records are wiped from all Cloudflare D1 nodes. We strongly advise owners to export their data monthly.

6. Contact Our DPO

If you wish to exercise your rights or have questions about how we handle your data, please contact our Data Protection Officer:

support@keyft.com