Privacy Policy
1. Privacy commitment
Krystal Unity Pty Ltd (“Krystal Unity”, “we”, “us”, “our”) is an Australian company committed to protecting the privacy of individuals whose personal information we hold. This policy explains what information we collect across the Krystal Unity product portfolio, how we use it, who processes it on our behalf, and the rights you have in relation to it.
This is a single shared policy covering every Krystal Unity product. Each product page may include additional product-specific notices that supplement (but never weaken) the protections described here.
2. Scope & products covered
This policy applies to all services operated by Krystal Unity, including but not limited to:
- KrystalView — session replay, heatmaps, and behavioural analytics with native MCP server (krystalview.com)
- Krystal Trace — claimant-side blockchain evidence and tracing for legal matters (krystaltrace.com)
- FixLine — AI field diagnostics and equipment knowledge base (usefixline.com)
- BlackDome — honeypot-driven cyber threat intelligence and Sentinel governance
- Krystal Reception & Krystal Clinic — AI phone receptionists for venues, restaurants, and health practices
- Krystal Minting Hub (KMH) — ERC-1155 minting on Polygon for evidence and digital collectibles
- HIT CRM — voice-driven CRM with MYOB and CartonCloud integration for HIT Equipment Pty Ltd
- Arena, Grant Hunter, and other Krystal Unity services
- The Krystal Unity website at krystalunity.com and developer documentation
Where a product is operated under a separate trading entity (for example FixLine is operated by HIT Equipment Pty Ltd), that entity's role is identified in the relevant product-specific notice.
3. What we collect
Account information (customers and operators)
- Name and email address
- Company or organisation name, ABN where applicable
- Billing information — processed securely via Stripe; we do not store card numbers
- Account preferences, role assignments, and product configuration
- Support correspondence and communications history
- Authentication tokens and OAuth grants you authorise (see Section 7)
Product usage data
We collect data generated by your use of each product, with the specifics depending on the product:
- KrystalView: DOM snapshots via rrweb for session replay reconstruction, click coordinates, page URLs, viewport dimensions, scroll depth, browser user agent, and event timestamps from the customer-installed tracker. Granular details are in the KrystalView product addendum at krystalview.com/privacy.html.
- Krystal Trace: blockchain addresses and transaction hashes you submit, generated tracing reports, and matter metadata (case ID, jurisdiction).
- FixLine: uploaded equipment manuals, diagnostic queries by text/photo/voice, phone call metadata and recordings where enabled.
- BlackDome: honeypot-derived attacker telemetry (source IPs, payloads, session transcripts) collected from our own infrastructure — this is not personal information of our customers.
- Reception/Clinic: caller phone numbers, call recordings, transcripts, booking and order details.
- KMH: wallet addresses, mint metadata, and on-chain transaction hashes you submit or generate.
- HIT CRM: voice call recordings and transcripts, sales-order data, and integration data exchanged with MYOB and CartonCloud.
Krystal Unity website (krystalunity.com)
The marketing website uses Google Analytics (tag G-9KH6VE99NB) to understand aggregate traffic patterns. This is the only third-party analytics tool active on the marketing site. Individual product applications use only first-party telemetry described in their own privacy notices.
4. What we don't collect
No cross-site tracking. No data sold to advertisers. Krystal Unity products are designed for operator and customer benefit, not for data brokerage.
- We never sell personal information to third parties.
- We do not share data with advertising networks for behavioural targeting.
- The KrystalView tracker sets no cookies on visitor browsers and does not perform cross-site tracking.
- Password input fields and any element marked `data-kv-no-record` are excluded from session replay.
- Voice call recordings are retained only for the periods described in Section 12 and are never used to train external AI models.
5. How we use data
- To deliver, maintain, and improve the contracted services.
- To process payments and manage subscriptions.
- To send service communications (usage reports, billing notices, security advisories, product updates).
- To respond to support requests.
- To detect and prevent fraud, abuse, and security incidents.
- To improve products based on aggregated, de-identified usage patterns.
- To comply with applicable laws and lawful requests from authorities.
We do not use customer data for our own marketing or advertising purposes.
6. Sub-processors
To deliver our services we engage trusted third-party sub-processors. Each is bound by contract to handle personal information only on Krystal Unity's instructions and consistent with this policy. The current list:
| Processor | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Primary hosting infrastructure (compute, storage) | Germany / Finland |
| DigitalOcean | Edge nodes for BlackDome honeypots; FixLine Sydney workloads | Multi-region (Sydney, EU, US, etc.) |
| Stripe | Payment processing, subscription billing, tax | Multi-region |
| Postmark / Resend | Transactional email delivery | United States |
| Anthropic (Claude API) | AI inference for analysis, planning, reasoning agents | United States |
| OpenAI | AI inference for some product flows (FixLine diagnostics, voice realtime) | United States |
| Google Cloud / Google Ads API | OAuth-connected campaign performance read (KrystalView Campaign Intelligence; with explicit user consent) | Multi-region |
| xAI (Grok) | AI inference fallback for some agent flows | United States |
| Twilio | Voice and SMS infrastructure for FixLine, Reception, Clinic | Multi-region |
| Cliniko | Health-practice booking integration for Krystal Clinic | Australia |
| OpenTable / Tock | Reservation integration for Krystal Reception (where enabled) | United States |
| MYOB | Sales-order ingestion for HIT CRM | Australia |
| CartonCloud | 3PL warehouse integration for HIT CRM | Australia |
| Polygon (Polygon Labs) | Public blockchain for KMH minting (on-chain data is public by design) | Decentralised |
| GitHub | Source code, OAuth provider for some developer tools | United States |
| Cloudflare | DNS, DDoS protection (where enabled) | Multi-region |
| Sentry | Error tracking and performance monitoring | United States / EU |
An updated sub-processors list is available on request to privacy@krystalunity.com. We will provide reasonable notice of new sub-processors handling personal information of EU/UK data subjects.
7. OAuth integrations
Some Krystal Unity products allow you to connect external accounts via OAuth. We only request the minimum scope necessary for the disclosed feature, and we never use the resulting access for any purpose beyond what you authorised.
Google Ads (KrystalView Campaign Intelligence)
- Scope requested: `https://www.googleapis.com/auth/adwords` — this is Google's read/write Ads scope; we use it read-only to fetch campaign performance metrics.
- What we read: campaign names, daily spend, click counts, conversions, and ROAS metrics for the customer accounts you authorise.
- What we do with it: display attribution and ROAS analysis inside your KrystalView dashboard alongside session replay data. We do not modify your Google Ads account, create campaigns, or change bids.
- How tokens are stored: refresh tokens are encrypted at rest and used only to fetch the data above. You can revoke access at any time at myaccount.google.com/permissions or by disconnecting the integration in your KrystalView console.
- Krystal Unity's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Other OAuth integrations
Where a product offers additional OAuth-connected services (Stripe Connect for FixLine, Cliniko for Krystal Clinic, etc.), the same minimum-scope and revoke-anytime principles apply. The product's own privacy notice will list the specific scopes requested.
8. International data transfers
Krystal Unity operates a global infrastructure. Personal information may be transferred to, stored in, and processed in countries outside your jurisdiction, including:
- Germany and Finland (primary hosting at Hetzner)
- Australia (Krystal Unity head operations; some product workloads in Sydney)
- United States (where AI providers, payment processors, and email infrastructure operate)
- Multi-region cloud provider footprints (Google, Stripe, Cloudflare)
For transfers of EU/UK personal data outside the EEA, we rely on the European Commission's Standard Contractual Clauses (2021) and the UK Addendum where applicable. EEA customers may request a copy of the relevant SCCs.
9. GDPR & UK data subjects
For individuals in the European Economic Area, United Kingdom, and other jurisdictions with equivalent data protection laws, the following applies.
Legal bases
- Performance of a contract — to deliver the services you have subscribed to.
- Legitimate interest — to secure our services, prevent fraud, and improve the product (subject to your right to object).
- Consent — for OAuth integrations, optional features, and any non-essential cookies.
- Legal obligation — to comply with applicable law.
Your rights
- Access — request a copy of personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion (subject to lawful retention obligations)
- Restriction — restrict certain processing
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest or for direct marketing
- Withdraw consent — for processing previously authorised by consent
- Lodge a complaint — with your local supervisory authority
Data Processing Agreements
DPAs satisfying Article 28 GDPR are available for enterprise customers. Contact privacy@krystalunity.com.
10. Australian Privacy Principles
For individuals in Australia, we adhere to the Australian Privacy Principles set out in the Privacy Act 1988 (Cth). You have the right to access and correct your personal information held by us, and to lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) if you believe we have not handled your information appropriately.
OAIC: oaic.gov.au · 1300 363 992
11. California (CCPA / CPRA)
If you are a California resident, you have the right to: know what personal information we collect; access and delete your personal information; correct inaccurate personal information; opt out of any sale or sharing of your personal information (we do not sell or share for cross-context behavioural advertising); and not be discriminated against for exercising your rights.
To exercise your rights, contact privacy@krystalunity.com. We will verify your identity before responding.
12. Data retention
Retention is set by product and by the configuration you choose:
- KrystalView analytics: 7 days (Shard plan), 90 days (Facet/Prism), 180 days (Brilliance), 365 days (Infinite). Custom for enterprise.
- Krystal Trace reports: per matter retention, default 7 years to satisfy legal-matter recordkeeping obligations.
- FixLine documents and diagnostics: retained for the duration of the customer's account; deleted on account closure.
- Voice call recordings (Reception/Clinic/HIT CRM): 90 days by default; configurable up to 365 days; deleted on customer request at any time.
- BlackDome attacker telemetry: indefinite (this data is not personal information of our customers).
- Account information: retained for the duration of your account and for a reasonable period after closure to satisfy legal obligations or resolve disputes.
- Audit and security logs: 12 months minimum for compliance and incident response.
Data is automatically and permanently deleted at the end of the applicable retention period.
13. Security
We implement appropriate physical, electronic, and organisational safeguards to protect your information against unauthorised access, disclosure, alteration, or destruction.
- All data in transit is encrypted with TLS 1.2 or higher.
- Data at rest is encrypted using industry-standard ciphers.
- Production access is restricted to authorised personnel on a need-to-know basis with multi-factor authentication.
- Security practices are reviewed regularly and updated in response to evolving threats.
- We maintain incident response procedures and will notify affected customers and supervisory authorities of any data breach as required by applicable law.
While we take all reasonable steps to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but commit to transparent, prompt disclosure if an incident occurs.
14. Your rights and how to exercise them
Regardless of jurisdiction, you may at any time:
- Request a copy of personal information we hold about you
- Correct inaccurate information
- Request deletion of your personal information (subject to lawful retention obligations)
- Export your data in a portable format from each product's console
- Withdraw OAuth grants you have authorised
- Object to direct marketing and unsubscribe from non-transactional emails
To exercise these rights, contact privacy@krystalunity.com. We will acknowledge your request within 5 business days and respond fully within 30 days.
15. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or new product launches. Material changes will be notified to registered customers by email or in-app notice before they take effect. The “Last updated” date at the top of this page indicates when the policy was most recently revised. Historical versions are available on request.
16. Contact
Privacy enquiries and requests:
- Email: privacy@krystalunity.com
- General: hello@krystalunity.com
Krystal Unity Pty Ltd
Sydney, Australia