1. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
- Contractual Necessity: To execute the mission verification you agreed to perform.
- Legitimate Interest: To prevent fraud (GPS spoofing, emulators) and ensure protocol security.
- Legal Obligation: For financial reporting and tax compliance via our Merchant of Record, Paddle.
2. Data Subject Rights
As a user, you have specific rights designed to give you control over your personal information:
- Right to Access: Obtain a copy of your mission logs and payment history.
- Right to Erasure: Request the permanent deletion of your worker profile and WhatsApp ID.
- Right to Rectification: Update inaccurate bank details or contact information.
- Right to Data Portability: Receive your data in a structured JSON/CSV format.
3. Data Transfers & Security
Data is stored using Cloudflare’s encrypted infrastructure. As we operate globally, your data may be processed outside the EEA. We ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), to maintain protection equivalent to EU standards.
Protocol Security: All biometric "Liveness Checks" are processed on-device. KeyFT does not transmit or store raw facial imagery on central servers.
4. Third-Party Processors
We share limited data with essential partners to maintain the service:
- Lemon Squeezy (Merchant of Record): Manages billing, tax, and compliance globally.
- Cloudflare: Provides DDoS protection and secure data hosting.
- Mission Owners: Access worker names and WhatsApp IDs only to facilitate payroll.
5. Data Retention & Automated Anonymization
We adhere to the principle of "Storage Limitation" by ensuring personal data is not kept longer than necessary for its intended purpose. Our system operates an automated "Zero-Bloat" privacy protocol:
- Mission Reports: To protect field worker privacy, personal identifiers (names, phone numbers, bank accounts, and exact GPS coordinates) are permanently stripped and anonymized once the mission reaches its automated expiry date. The retention limit is 90 days for PRO, 30 days for STARTER, and 7 days for DEMO plans.
- Temporary Data & Activity Logs: Short-lived instructions or transient session messages (Job Instructions) are permanently deleted every 32 days. Additionally, internal worker activity logs are completely purged from our database every 30 days.
- Financial Records: Payment metadata is retained by our Merchant of Record (Lemon Squeezy) as required by international tax laws, independent of our local worker data anonymization.
Warning: Once the respective plan tier limit is reached, personal data recovery is strictly impossible as the records are altered and wiped directly across Cloudflare D1 nodes. We strongly advise owners to export their official reports (.xlsx) regularly for long-term records.
6. Contact Our DPO
If you wish to exercise your rights or have questions about how we handle your data, please contact our Data Protection Officer:
[email protected]