
Klos Privacy Policy

Effective date: TBD
Last updated: TBD
Contact: privacy@getklos.com

1. Introduction

Klos is operated by a Florida limited liability company. This Privacy Policy explains how Klos collects, uses, protects, and shares information when you use the Klos iOS app, Android app, web viewer at view.getklos.com, backend services, and related account and sharing features.

Klos is an encrypted document vault for household administration: IDs, insurance cards, school forms, medical documents, financial records, vehicle documents, and the other paperwork real life asks you to find quickly. Because those documents are sensitive, this policy is intentionally specific about what Klos can see and what Klos cannot decrypt.

If you have questions, email us at privacy@getklos.com.

2. What Information We Collect

From You Directly

We collect the information you provide when you create and use your account, including:

  • Account information, such as your email address, password, optional first name, optional last name, and optional phone number.
  • Sign-in choices, such as whether you use email and password, magic link, Apple Sign-In, Google Sign-In, or biometric vault lock.
  • A yes/no biometric result from your device if you enable biometric vault lock. Klos never receives your face, fingerprint, or biometric template.
  • Documents you add to Klos. Document content is encrypted on your device before upload, but some document metadata is not encrypted at V1, including document type, filename, creation timestamps, expiration metadata, and related pouch or family-sharing references.
  • Persons and contacts you add, including names, email addresses, phone numbers, and family group status.
  • Share settings, such as recipient identifier, permission level, expiration, revoked status, and whether a share is view-only or view-and-download.
  • Recovery settings. If you generate an optional 12-word recovery phrase in Settings → Security, you hold it outside Klos. Klos never receives or stores that phrase.

Automatically When You Use Klos

Klos collects limited operational and usage information so the product works and so we can improve it without third-party analytics processors.

Klos records pseudonymous usage events in its own Supabase events table. The rows are keyed to your user UUID rather than to your name or email address, so they are pseudonymous, not anonymous. No third-party analytics processor is used: no Mixpanel, no Amplitude, no Segment, no PostHog cloud, and no Google Analytics.

The V1 analytics taxonomy has 26 events across four bands:

  • Onboarding funnel events, such as signup steps, biometric setup, and first-document or first-share walkthrough completion.
  • Friction events, such as auth retry, biometric failure, decryption failure, document import failure, share send failure, and viewer error.
  • Activation and lifecycle events, such as signup, activation, document import, share creation, share opening, share revocation, pouch creation, subscription start, and subscription churn.
  • App lifecycle events, such as app cold start, foreground, and background.

Event rows include a fixed event type, your user UUID, timestamp, session UUID, optional numeric value, and structured context. Event context is designed not to contain personally identifying information.

For share audit logs, Klos records share events such as created, opened, expired, and revoked. Recipients are not authenticated. Recipient IP addresses and user agents may be hashed for abuse detection and audit logging rather than stored as raw values.

From Third-Party Sign-In Providers

If you use Apple Sign-In or Google Sign-In, Klos receives the basic account information needed to authenticate you through Supabase Auth. Depending on the provider and your settings, this may include your email address, provider user ID, and basic profile information made available by Apple or Google.

3. How We Use Your Information

We use information to:

  • Provide the Klos service, including encrypted document storage, account sign-in, pouches, sharing, family access, and the web viewer.
  • Encrypt, store, retrieve, and display documents and document metadata.
  • Compute and show freshness reminders, expiration status, and document organization views.
  • Enforce share permissions, expiration, revocation, watermarking, and audit logs.
  • Send account communications, magic links, share notification emails, and service messages.
  • Provide optional push notifications if you enable them.
  • Protect accounts, prevent abuse, diagnose failures, and investigate security issues.
  • Improve Klos through in-house analytics based on the fixed V1 event taxonomy.
  • Process account deletion, export, correction, and privacy requests.

We do not use your information for advertising. We do not sell, rent, or trade user data.

4. The End-to-End Encryption Story

Klos is designed so your document content is encrypted before it reaches our servers. Klos uses AES-256-GCM symmetric encryption for document content, with a 12-byte IV and a 16-byte authentication tag.

Klos's V1 encryption model uses three-tier envelope encryption:

  • Key Encryption Key (KEK) — derived from your account password with Argon2id, the same way on every platform. On iOS, the KEK is additionally cached in the device Keychain with iCloud Keychain sync as a convenience layer. On Android, the KEK is held in the Android Keystore; on a new Android device it is re-derived from your password.
  • Content Encryption Key (CEK) — random AES-256 key wrapped by the KEK and stored as ciphertext in user_keys.encrypted_key_blob with a KEK-keyed HMAC-SHA256 commitment over user_id || key_version || algorithm || IV || ciphertext.
  • Document custody keys — Private Vault documents use the account CEK. Family Vault documents use per-document keys wrapped through shared-vault key material for active Family Vault members.

The server stores encrypted CEK blobs, KEK-keyed commitment MACs, recoverable sharing-key material, Family Vault key envelopes, and encrypted document content. The server never holds plaintext document content, plaintext encryption keys, your password, or your recovery phrase.

That means a Klos employee with full backend access cannot decrypt your document content. A storage-layer incident at Supabase would expose encrypted blobs that Klos cannot decrypt, together with the unencrypted metadata described below.

But end-to-end encryption does not make all metadata invisible. Klos can see information needed to run the service, such as your email address, account status, number of documents, creation timestamps, document type, filename, pouch names, person/contact records, family group membership, and share events. For example, we may be able to see that you have 47 documents, but we cannot decrypt the contents of those documents.

Klos uses a three-net recovery model:

  1. Apple iCloud Keychain can sync your KEK automatically across your Apple devices.
  2. Your Klos account password derives the KEK via Argon2id on any device, anywhere.
  3. An optional 12-word recovery phrase generated in Settings → Security can derive an alternate KEK that unlocks your vault if you forget your password.

We do not have your password and we do not have your recovery phrase. If you lose all three recovery nets at the same time — for example, you forget your password, lose iCloud Keychain access, and either never generated a recovery phrase or have lost it — Klos cannot recover your encrypted documents for you. That is the honest trade-off of end-to-end encryption: it protects against server-side compromise, but it also means Klos cannot decrypt your vault on your behalf.

5. Third-Party Processors

Klos uses third-party processors to operate the service. These vendors process data on Klos's behalf. They are not allowed to sell or use Klos user data for their own advertising purposes.

  • Supabase — database, storage, authentication, and edge functions. Supabase stores account records, encrypted document blobs, encrypted key material, document metadata, share metadata, person/contact records, family records, share-event logs, and in-house analytics events. Klos data resides in the United States.
  • Resend — transactional email. Resend delivers authentication magic links and share notification emails from Klos. Resend receives recipient email addresses and email contents. For share notification emails, the email includes the share link. The share link carries the per-share decryption key in the URL hash fragment. Browsers do not send the fragment to the viewer server, so the server never receives the key, but the full link, key included, is visible to the recipient and to any email system that stores or logs the message. Resend does not receive document content.
  • Apple — Apple Sign-In if you choose it, iCloud Keychain on iOS, and Apple Push Notification Service if you enable push notifications on iOS.
  • Google — Google Sign-In if you choose it. Android push notifications may use Firebase Cloud Messaging if enabled.
  • Vercel — hosts the Klos web viewer. The viewer receives recipient requests when a share link is opened. Klos uses the viewer to enforce share status and serve encrypted blobs according to share permission.

Klos does not include third-party crash reporting in V1. Klos may add privacy-preserving crash reporting in a future release, and this policy will be updated if that happens.

Klos may use a self-hosted dashboard tool for internal analytics. It runs in Klos-controlled infrastructure; analytics data does not leave the Klos region for a third-party analytics cloud.

6. Data Sharing

Klos never sells, rents, or trades your data. No advertising. No third-party analytics. No data brokers.

We share data only in these circumstances:

  • With processors listed above, so they can provide infrastructure, email, authentication, push notification, hosting, and related services on Klos's behalf.
  • With people you choose to share with, through external share links or family sharing.
  • If required by law, subpoena, court order, or valid legal process.
  • To protect Klos, users, recipients, or others from abuse, fraud, security threats, or harm.

When legally allowed, Klos will try to notify you before disclosing your account information in response to legal process.

Klos cannot decrypt your document content even under legal compulsion. If legally required, Klos may be able to produce encrypted blobs and metadata, but not plaintext document content or plaintext encryption keys.

7. Data Retention and Deletion

You may delete your account from Settings → Account → Delete Account.

When deletion is triggered, the account enters a soft-deleted state for 30 days. During that period:

  • The account is invisible to the app.
  • Login is disabled.
  • Notifications do not fire.
  • Shares are not servable.
  • You may reverse deletion within the 30-day window by contacting Klos support at privacy@getklos.com.

After 30 days, a daily scheduled job hard-deletes the account. This removes the user record, encrypted document blobs from Supabase Storage, share records, pouch item references, person/contact records owned by the user, family membership rows for the user, and event-log entries. Storage orphan cleanup runs separately to catch blobs whose owning row was deleted before the cascade completed.

You can revoke external shares. For view-only shares, revocation is real-time: the next fetch attempt fails immediately after revocation because the viewer server revalidates share status per fetch. For view-and-download shares, revocation prevents future fetches but cannot retract bytes the recipient already downloaded. View-only also cannot stop a recipient from photographing or screenshotting what is on screen; shared documents carry a watermark, which does not prevent such copies but makes them attributable.

8. Your Rights

You can ask Klos to:

  • Access the personal information Klos has about you.
  • Correct inaccurate information.
  • Delete your account and associated data.
  • Export or receive a portable copy of your information where technically feasible.
  • Object to or restrict certain processing where applicable law gives you that right.

You can exercise these rights by emailing privacy@getklos.com. Klos aims to respond within 30 days unless applicable law allows or requires a different period.

California users have rights under the CCPA and CPRA, including access, deletion, correction, portability, opt-out of sale, opt-out of certain sharing, and limits on use of sensitive personal information. Klos does not sell personal information and does not share personal information for cross-context behavioral advertising.

EU users have rights under GDPR, including access, rectification, erasure, restriction, portability, and objection. Klos's legal bases for processing are contract, because we provide the service you request, and legitimate interest, including security, fraud prevention, and service improvement. Klos data resides in the United States, so EU use involves international transfer to the United States.

Florida's Digital Bill of Rights may not apply to Klos at V1 scale, but Klos applies the same baseline rights — access, deletion, correction, and portability — to all users regardless of state.

9. Children

Klos is intended for adults 18 and older. The product is for household administration, financial documents, insurance, IDs, and similar adult-context records.

Klos does not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will delete it promptly. A parent or guardian who believes a child has provided information to Klos can contact privacy@getklos.com.

10. Security

Klos protects data through:

  • End-to-end encryption for document content, as described above: AES-256-GCM applied on your device before upload.
  • Keychain storage on iOS and Keystore storage on Android for local key handling.
  • Argon2id derivation of the KEK from your password, so the KEK can be re-derived on any platform for recovery.
  • Optional recovery phrase in Settings → Security.
  • Biometric vault lock if you enable it. Biometrics unlock an already-signed-in vault; they do not authenticate sign-in after full sign-out.
  • TLS 1.3 for data in transit.
  • Private storage buckets and signed URLs or viewer proxying for blob fetches.
  • Per-fetch share-status revalidation for view-only shares.
  • Watermarking on shared documents.
  • Share audit logs.

No system is perfectly secure. Klos's security model is built to keep document content unreadable to the server, but you are responsible for keeping your account password, devices, iCloud / Google / Apple accounts, and optional recovery phrase safe. If all recovery nets are lost, Klos cannot recover encrypted documents.

11. Changes to This Policy

Klos may update this policy as the product, law, or infrastructure changes.

For material changes, Klos will notify users through an in-app banner and/or email before the change takes effect where practical. The top of this policy will show the effective date and last updated date.

If you disagree with a material change, you may delete your account before the change takes effect.

12. Contact and Jurisdiction

Questions or privacy requests: privacy@getklos.com
Mailing address: TBD

Klos is operated by a Florida limited liability company. This policy is governed by the laws of Florida, without regard to conflict-of-law rules. Venue for disputes is an appropriate court in Florida, unless applicable law gives you a non-waivable right to bring a claim elsewhere.