Data Governance & Privacy Framework.
Document Revision: v3.6.0 (Effective July 2026)
01. Client-Side Compute and Local Execution
The foundational engineering philosophy of Kitolity is zero-trust local execution. The majority of our modules, including JSON processors, Base64 encoders, Regex engines, and syntax formatters, execute entirely within your device's browser runtime. We do not transmit, proxy, log, or persist your text payloads, code strings, or sensitive data arrays to any external server.
02. Cloud Processing & Sub-Processors
Certain tools — PDF conversion and compression, Word-to-PDF, and document translation — require server-side processing and send your file or text to specialized sub-processors on your behalf. We use: Cloudflare (hosting, edge delivery, file storage, and abuse-prevention infrastructure — including a bot check that distinguishes humans from automated traffic before a cloud tool runs); CloudConvert, operated by Lunaweb GmbH (PDF-to-Word conversion, PDF compression, and Word-to-PDF); Google Cloud Translation (document translation); Resend (delivery of messages you send us through the contact form); and Axiom (storage of the security logs described below). Data is transmitted over encrypted TLS connections. For the file-conversion tools, your uploaded file and the converted result are stored briefly in our own Cloudflare R2 storage so the job can run and you can download your result; the uploaded file is removed as soon as processing finishes, and all such objects are automatically deleted within 24 hours. CloudConvert processes each file in an isolated container located in the European Union or the United States, keeps no backups, and irreversibly deletes the uploaded and converted files within 24 hours; for these tools Kitolity is the data controller and CloudConvert acts as our processor. Text translations are processed transiently and are not stored by us. While a sub-processor handles your data, it is also subject to that provider's own terms and privacy policy. For anonymous usage statistics we use Google Analytics 4 (Google LLC) — but only if you accept analytics cookies; you can decline and analytics stays off. We do not use advertising networks or third-party marketing cookies.
03. International Data Transfers
Our sub-processors operate global infrastructure, and processing may occur in the United States or other countries outside your own, including outside India and the European Economic Area. Where personal data is transferred across borders, we rely on the processing being necessary to provide the tool you requested and on the safeguards offered by these established providers (such as standard contractual clauses where applicable). By choosing to use a cloud-based tool, you instruct us to transmit that content for processing.
04. Local Storage Mechanics
To prioritize workflow convenience, specialized modules such as the clipboard sandbox use HTML5 Web Storage on your own device. This reads and writes data directly to your browser's local storage. Kitolity has no server-side access to this data, and you can clear it from your browser settings at any time. We do not set advertising or cross-site tracking cookies.
05. Cookies & Consent
Kitolity uses two kinds of browser storage. (1) Essential local storage — a few tools (such as the clipboard workspace) save data on your own device so they function; this never leaves your browser and needs no consent. (2) Optional analytics cookies — only if you choose "Accept" on the cookie banner, Google Analytics 4 sets cookies to measure anonymous usage (pages viewed, approximate region, device type) so we can improve the site. If you decline, no analytics cookies are set and no analytics data is collected — the tools work exactly the same. You can change your mind at any time by clearing your browser's site data for this site, which brings the banner back.
06. Donations & Affiliate Links
Kitolity is free to use. To help cover costs we offer two entirely optional things. (1) A voluntary "Support Kitolity" link in the footer that takes you to our page on Ko-fi, a third-party donation platform; if you choose to donate, your payment is handled by Ko-fi and its payment processors under their own terms and privacy policy — we never see or store your card or bank details. (2) On some pages we may show clearly-labelled affiliate links to relevant third-party products. These are marked "Affiliate" and use a rel="sponsored" tag; if you click one and make a purchase, we may earn a small commission at no additional cost to you. Affiliate links are ordinary outbound links — we do not share any of your data with the linked merchant, and the destination site has its own privacy policy. Donating and using these links are always optional and never change how the tools work.
07. Accounts & Subscriptions (Kitolity Pro & Pro Max)
Creating an account is optional — every tool works without one, and accounts exist only for our paid plans. If you do sign in, we store your email address to identify you, using passwordless "magic-link" sign-in, so we never receive or store a password. A session is kept as a random identifier in a secure, http-only cookie on your device with a matching server record; signing out revokes it. When you subscribe to Kitolity Pro or Pro Max, or buy a one-time cloud-credit top-up, payment is processed by our Merchant of Record, Paddle, which is the seller of record and handles your card details, billing, invoicing, and taxes under its own privacy policy — Kitolity never sees or stores your card or bank information. We keep only a minimal billing record (your plan/tier, remaining cloud-credit balance, and Paddle's customer/subscription identifiers) so we can grant your paid features, plus the security-related webhook identifiers needed to process billing events exactly once. You can delete your account and its data at any time via the contact page.
08. Security Logging & Telemetry
To protect the service against abuse and to keep it reliable, our edge layer records request metadata for each API and tool request: your IP address, approximate region, browser user-agent, the request path, response status, and timing. Under data-protection law an IP address can be personal data, so we disclose this clearly. These logs are used only for security, abuse prevention, and reliability, are not sold or used for advertising profiling, and are retained for a limited period (approximately 30 days) by our logging provider before rotation. Separately, anti-abuse rate-limit counters are keyed to your IP and auto-expire within 24 hours.
09. Lawful Bases for Processing
Where the GDPR or India's DPDP Act applies, we rely on the following bases: (a) performance of the service you request — when you upload a file or submit text to a cloud tool, we process it to return your result; (b) your consent — you actively choose to initiate each cloud action, and you may simply not use those tools; and (c) our legitimate interest in the security, integrity, and reliability of the service — the basis for the limited security logging above. You may withdraw consent by discontinuing use of the cloud-based tools.
10. Your Rights & Data Deletion
Depending on your jurisdiction (including under India's DPDP Act 2023, the GDPR, and the California CCPA/CPRA), you may have the right to access, correct, port, or request erasure of the personal data we hold about you — which for most users is limited to the security log entries tied to your IP address — and to lodge a complaint with your data-protection authority. To exercise a right, use the contact page and select the "Privacy / Data Request" category; we will verify and action valid requests within the period required by applicable law. Exercising these rights will not result in discriminatory treatment.
11. California Privacy Notice (CCPA/CPRA)
In the past 12 months we have collected only the security/telemetry metadata described above (an identifier — your IP address — and internet-activity metadata), for the security and reliability purposes stated. We do not sell your personal information, and we do not share it for cross-context behavioral advertising. California residents have the rights to know, delete, and correct, and the right to non-discrimination for exercising them; submit requests through the contact page.
12. Children's Privacy
Kitolity is a general-purpose developer utility and is not directed to children. We do not knowingly collect personal data from children as defined under applicable law (including under India's DPDP Act). If you believe a child has provided us personal data, contact us and we will delete it.
13. Grievance Officer & Contact
In accordance with India's DPDP Act 2023 and applicable IT rules, you may raise privacy grievances or data-protection requests with our Grievance Officer at admin@kitolity.com (subject line: "Grievance Officer"). We will acknowledge grievances and respond within the timelines prescribed by applicable law. For all other privacy questions, reach us through the contact page.
14. Changes to This Policy
We may update this policy as our tools, sub-processors, or legal obligations evolve. Material changes will be reflected by updating the revision and effective date shown above. Your continued use of the service after an update constitutes acknowledgement of the revised policy.
15. Compliance Frameworks
Kitolity is designed around data minimization: we collect only what a tool needs, process it transiently, and retain as little as possible. Our handling is intended to align with the principles of India's DPDP Act 2023, the EU/UK GDPR, and the California CCPA/CPRA. This policy is provided for transparency and is not legal advice. For enterprise data-handling assessments or a data-processing agreement, reach us through the contact page.