Privacy Policy — Krest
Last updated: 2026-06-11
This document describes which data Krest handles, where it goes, and what choices you have. Krest is built privacy-first: the app works without an account, and the cryptographic anchoring service never sees the content of your media.
1. Who runs Krest
TODO before launch: insert legal entity, postal address, jurisdiction and contact email of the operator (controller in the sense of GDPR Art. 4(7)).
Operator: <Company / Owner>
Address: <Street, Postal code, City, Country>
Email: <privacy@deine-domain.de>
2. What Krest processes — and what it does not process
2.1 Data that never leaves your device
- The photo / video bytes captured or selected for verification.
- The AES-256-GCM session key used to encrypt Krest-Share blobs.
- The Secure Enclave private key that signs your captures.
- Your Apple Photos library outside of items you explicitly pick.
2.2 Data the Anchoring Relay sees
The relay accepts only opaque cryptographic material:
- A 32-byte device public key (anonymous; not linked to your Apple ID).
- A 32-byte Merkle-root hash plus a signature over it.
- An App-Attest assertion proving the request came from a genuine Krest install on a genuine Apple device.
- Standard request metadata (IP address, user agent, timestamp) which is retained for at most 30 days for abuse prevention and then deleted.
The relay does not see, store or forward your media bytes, file names, sensor data, captions, contacts or any personal identifier.
2.3 Data the Share Relay sees
When you create a krest://share/<token> link, Krest uploads the already-encrypted ciphertext to a transport relay. The relay sees:
- The encrypted blob (random bytes).
- Token, byte count, MIME hint (image/jpeg, video/mp4, …), TTL.
- The device public key + App-Attest assertion (same anonymous key as above).
The relay never receives the decryption key — that travels solely inside the share link (URL fragment or query parameter you forward via WhatsApp, iMessage etc.).
Single-use links are deleted immediately after the first download. Otherwise, links expire at the TTL you chose (max 7 days) and are purged.
2.4 Data the Lookup Service sees
When you verify someone else's content, the app sends only the SHA-256 hash of their file. The lookup service responds with the timestamp, Merkle proof and Bitcoin anchor it can find for that hash. We log nothing user-identifying.
2.5 Bitcoin anchoring
Krest writes Merkle roots into the Bitcoin blockchain via OP_RETURN transactions. The blockchain is by design public and permanent. The written data is a 48-byte hash — no media, no identity.
2.6 Legal bases (GDPR Art. 6)
We process the limited data described above on the following bases:
- Operating the verification service you request — registering your anonymous device public key, accepting Merkle roots, anchoring, lookup and share transport: Art. 6(1)(b) (performance of the service you asked for) and Art. 6(1)(f) (our legitimate interest in a functioning, abuse-resistant protocol).
- Short-lived request metadata (IP address, user agent, timestamp, retained at most 30 days): Art. 6(1)(f) (legitimate interest in security and abuse prevention).
- On-device permissions (camera, microphone, photo library, motion) are granted by you through iOS and used only on your device — the operator receives none of that sensor or library data, so it is not processed by us in the GDPR sense.
We do not carry out automated decision-making or profiling (Art. 22), and we do not process special categories of data (Art. 9) on our servers.
3. Permissions Krest requests on your device
| Permission | Why |
|---|---|
| Camera | Capture photos / videos that get signed by the Secure Enclave. |
| Microphone | Audio track for video captures. |
| Photo library | Optional — to verify or share existing photos you select. |
| Motion sensors | Accelerometer / gyroscope reading folded into the capture proof. |
| App-Attest (Secure Enc.) | Prove to the relay that the capture really came from your device. |
All permissions are opt-in and can be revoked any time in iOS Settings.
4. Data retention
| Surface | Retention |
|---|---|
| Anchoring Relay logs | 30 days, then deleted. |
| Share Relay blobs | Until single-use download or TTL expiry (max 7 days). |
| Lookup Service queries | Not logged with user-identifying fields. |
| Bitcoin blockchain | Permanent (public). Contains only 32-byte hashes. |
| Local app database | Stays on device. Deleted with the app. |
5. Your rights under GDPR
If you are in the EU/EEA you have the right to:
- access, rectify and erase personal data we hold about you,
- restrict or object to processing,
- portability of your data,
- lodge a complaint with the supervisory authority of your country.
Because Krest is account-less, the relay does not store personal data that could be linked back to you as an individual. If you believe a piece of data is identifiable nonetheless, contact us with details and we will delete or rectify within the legally required period.
6. Transfers outside the EU/EEA
Server infrastructure currently runs in Germany (Hetzner Cloud). Bitcoin anchoring transactions are submitted to the public Bitcoin network and are therefore visible globally, but as stated above contain only non-identifying hash data.
TODO before launch: confirm a data processing agreement (AV-Vertrag, GDPR Art. 28) is in place with every processor that touches request metadata (e.g. the hosting provider) and name them here.
7. Children
Krest is not designed for children under the age of digital consent in your jurisdiction (16 in most EU member states, 13 in the US per COPPA).
8. Changes
We may update this policy as features evolve. The "last updated" date at the top of this document reflects the most recent revision. Material changes will be announced in the app changelog.
9. Contact
For privacy questions or data-protection requests:
<privacy@deine-domain.de>
See also: TERMS.md (terms of service) and IMPRESSUM.md (provider identification under § 5 DDG). German version: DATENSCHUTZ.md.