Privacy policy

A note before you read.

We wrote this policy in plain English because we think you deserve to actually understand it; not just have access to a document. If we have to use a legal term, we will explain what it means straight away.
If you have any questions, email us at privacy@keryth.com. We will reply within two working days.

1. Who are we?

Keryth is a product of LBFG Ltd, a company registered in England and Wales.
Company name: LBFG Ltd
Registered office: Unit 78, Basepoint Business & Innovation Centre, Metcalf way, RH11 7XX, Crawley, United Kingdom
Company number: 14105347
VAT registration number: GB471177977
ICO registration number: ZC112897
Privacy contact: privacy@keryth.com

Under data protection law, LBFG Ltd is the data controller for Keryth. “Data controller” is the legal term for the company that decides how your personal data is used and is responsible for keeping it safe. That is us.

2. What this policy covers

This policy explains what personal information we collect when you use Keryth, why we collect it, what we do with it, and what rights you have over it.
It covers the Keryth web application, the desktop applications (Windows, macOS, Linux), and any emails we send you.
It does not cover other websites we may link to. If you follow a link to another side, their privacy policy applies there, not ours.

3. What information we collect and why

We only collect information we actually need. Here is everything, explained honestly.
In the section below, “legal basis” is to be understood as the legal reason we need to collect this data.

Your name and email address
We collect your first name, last name, and email address when you sign up.
We need these to create your account, to send you your activation link, and to communicate with you about your subscription. Without them, we cannot provide the service.
Legal basis: “Performance of contract”; meaning we need this information to deliver the service you signed up for.

Your country
We ask for your country when you sign up.
We need this because UK and EU tax law requires us to charge the correct rate of VAT (value added tax) based on where you are. We pass your country to Quaderno, our tax compliance provider, for this purpose.
Legal basis: “Legal obligation”; VAT compliance is a legal requirement that we cannot avoid.

Your subscription details
We keep a record of which plan you are on, when your subscription started, when it renews, and whether it is active or not.
We need this to manage your account, enforce your plan’s allowances, and send you renewal receipts.
Legal basis: Performance of contract.

Payment information
When you subscribe, you are redirected to the checkout page operated by Mollie, our payment provider. Mollie collect your card details, billing address, and payment information directly on their own secure systems. Their privacy policy is here: https://www.mollie.com/gb/legal/privacy
We never see your card number, expiry date, or CVV. They got to Mollie, not us.
After your payment completes, Mollie sends us a confirmation that includes your name, your country, and a transaction reference. We store that confirmation so we can activate your account and keep a financial record.
Legal basis: Performance of contract (activating your subscription) and legal obligation (keeping financial records).

How you heard about us
During sign-up we ask how you found out about Keryth. This field is completely optional, you can leave it blanc and nothing changes.
If you do fill it in, we use the information to understand which channels are bringing writers to Keryth, so we can focus our limited marketing budget more effectively.
Legal basis: “Legitimate interests”; this means we have reasonable business reason to collect it, but only because it is optional and genuinely useful.

Your writing, files and chat messages
This is the most important part. Please read it carefully.
When you upload files or have conversations with Keryth, that content lives on our services. Here is exactly what happens to it:
While in transit: Everything between your device and our servers is encrypted using industry-standard Curve25519 algorithm. Your data is encrypted on your device using a unique security key before transmission, ensuring that it remains unreadable to anyone—including internet service providers or anybody that would manage to intercept it—while in transit to our servers.”
When stored: Your files are stored encrypted using AES-256 encryption. AES-256 is a military-grade encryption standard. The encrypted data is unreadable without the key.
During indexing: To let the AI assistant actually read and understand your work, there is one brief moment where your content needs to exist in readable form on our servers. This is called RAG indexing (RAG stands for Retrieval-Augmented Generation; it is the process that lets the AI search your documents to answer your questions). During this process your content is decrypted inside a sandboxed (isolated, walled-off) environment. We extract the text from your files, split it into chunks, and create searchable indexes; Keryth does not read your files but the indexes we create from them. The readable text is then immediately and automatically deleted. No member of our staff has any technical means to read your content during this process, even if they wanted to. Only the encrypted file and the encrypted index remain after this.
What we never do with your writing: We do not read it. We do not use it to train AI models (ours or anyone else’s). We do not sell it. We do not share it (except when it is sent to the AI model to answer your question – see the section on who we share data with). We do not use it for advertising. We do not keep a readable copy after indexing.
Legal basis: “Performance of contract”. We cannot run the AI assistant without processing your content.

Technical information
When you use Keryth, our servers automatically record certain technical information: your IP address (a number that identifies your internet connection), the date and time of access, the type of device used (whether you used our web application, our desktop application or our mobile application), and the type of request made.
We use this to keep the service secure, to detect attacks or unusual activity, and to diagnose technical problems. We keep server logs for 30 days and then delete them.
We also store a session token (a temporary encrypted code) that keeps your logged in while you are using Keryth. This expires automatically.
Legal basis:“Legitimate interest” Keeping the service secure is a legitimate reason to collect this data.

Support messages
If you contact us for help, we keep a record of the conversation so we can resolve your issue and learn from common problems. We delete support records after two years.
Legal basis: “Legitimate interest”

4. Who we share your data with

We share your data with as few people as possible. Here is the complete list.

The AI model that powers the assistant.
When you ask Keryth a question, your message and relevant excerpts from your documents are sent to a third-party AI company to generate the response. At the time of writing, this company is based in the European Union and operates under GDPR (the EU’s strict data protection law).
We have a legal agreement with this company that prohibits them from using your data to train their models or for any other purpose. They process your query and discard the data — they do not retain it.
We do not name the specific AI company in this policy because we may switch providers as the technology develops. If you want to know who it currently is, email us at privacy@keryth.com and we will tell you. We will also update this policy when the provider changes. We may have also mentioned it on our website.
A note about the future: We plan to run our own AI model as Keryth grows. When that happens, your queries will never leave our own servers at all.

Mollie – our payment provider
Mollie handles our payments. When you subscribe, you are sent to Mollie’s checkout page on their website (mollie.com). They are a Dutch company, based in Amsterdam, operating under both GDPR and PSD2 (the EU payment services law).
We share your name, email, and country with Mollie when setting up your payment. After payment, they send us confirmation details. Mollie’s own privacy policy explains what they do with payment data: https://www.mollie.com/gb/legal/privacy

Quaderno – our tax compliance provider
Quaderno calculates the right amount of VAT to charge based on your country and handles our tax reporting. We share your country and transaction amount with them. They are based in Spain and operate under GDPR. Their privacy policy is at https://quaderno.io/legal/privacy/

Hetzner – our hosting provider
Our servers are hosted by Hetzner Online, a German company. As our hosting provider, they store the encrypted data on our behalf but cannot access its content. They operate under GDPR and are certified in accordance with DIN ISO/IEC 27001:2022. Their privacy policy is at https://www.hetzner.com/legal/privacy-policy/

Our staff and professional advisors
Occasionally our employees or professional advisors (such as our accountant or solicitor) may need to access account-level data to do their jobs. They are bound by confidentiality obligations and can only access what they need.

Authorities, if legally required
We may be required to share data with law enforcement or tax authorities if ordered to do so by law. We would only do this if legally required and could not avoid it. Se the section below on the Investigatory Powers Act for more details on this.

Nobody else
We do not sell your data. We do not share it with advisers. We do not share it with data brokers or marketing companies. This is not how Keryth works. Your subscription is our income, not your data.

5. The Investigatory Powers Act – being honest with you

We think you deserve to know about this, even though most privacy policies do not mention it

As a UK company, LBFG Ltd is subject to the Investigatory Powers Act 2016. This law allows the UK government to issue what is called a Technical Capability Notice (TCN) – a secret order requiring a company to provide access to user data, with a legal gag preventing the company from telling anyone they have received it.

The honest answer is: if we received one of these orders, we might not legally be able to tell you.

However, the way Keryth is built limits what we could be compelled to hand over. Your files are stored encrypted and we delete the readable text after indexing. So even in the worst case, we would be handing over an encrypted block that cannot be read without your credentials.

We maintain a warrant canary on our website. It is a regularly updated statement confirming that we have not received any such order. If that statement disappears or stops being updated, you can draw your own conclusions. If we are ever in a position where we can legally tell you more, we will.

This is one of the reasons we are working towards moving Keryth’s infrastructure to Iceland, which has stronger constitutional privacy protections and sits outside the Five Eyes intelligence-sharing arrangement. Please be assured that when we do move, while it will be a new company, it will still be the same team of people behind it.

6. Advertising

Keryth has no adverts. We do not use advertising networks, tracking pixels, or any tools associated with behavioural advertising. We have no financial relationship with any advertiser. To be clear by this, we mean that we are not paid by advertiser but we do pay to advertise Keryth on platforms like Facebook (not limited to). Your attention is not our product, your subscription is, and your trust is a benefit we aim to prove we deserve.

7. Cookies

A cookie is a small piece of text that a website stores on our device to remember something about you.
Keryth only uses cookies that are strictly necessary for the service to work:

Session cookie: Keeps you logged in while you are using Keryth.
Security token: Protects your account from a type of attack called cross-site request forgery.
Setting cookies: Remembers settings you have chosen on our website such as currency, language and dark/light mode. It is used to present the website as per your preferred settings.

We do not use Google Analytics, Facebook Pixel, or any other third-party tracking or advertising cookies.

Because we only use essential cookies, we do not need to show you a cookie consent banner for these. If you disable cookies in your browser, you will not be able to log in to Keryth.

If you click a link in one of our emails, we may use an encrypted identifier to understand whether our emails are useful. The identifier is only used by us and is not shared with anyone.

8. How long we keep your data

What	How long
Your name and email	While your subscription is active, plus 2 years after it ends.
Financial records	7 years – UK law requires this for accounting records.
Your files and chats	Deleted within 30 days of you closing your account If you delete a file or chat, it goes in the rubbish bin for 15 days then is definitely deleted from our servers
Server logs	30 days
Audit records	1 year
Support conversations	2 years
Activation links	24 hours

Even after we delete your data, it may remain in encrypted backups for a short period before those backups cycle out. It is still encrypted and cannot be read. We apply strict access controls to backup data.

9. Your rights

Under UK data protection law you have the following rights. Most of these you can exercise directly from your account settings, without needing to contact us.

Right to see your data: You can request a copy of everything we hold about you. We will provide it within one month, free of charge.

Right to correct your data: If we have something wrong, you can ask us to fix it. You can update most things yourself in your account settings.

Right to delete your data: You can delete your account at any time from your settings. Deletion is immediate and permanent. We will keep financial records for 7 years as required by law. We are not legally allowed to delete or amend the invoices we have issued to you.

Right to take your data with you: You can export your files and account data in standard formats, directly from your account settings.

Right to restrict how we use your data: In certain circumstances you can ask us to stop using your data while you raise a concern. It may prevent us from providing Keryth service to you.

Right to object: If we are using your data based on our legitimate interests, you can object. We will stop unless we have a compelling reason to continue.

No automated decisions: We do not make any automated decisions about you that have legal or significant effects on you.

To exercise any of these rights, email privacy@keryth.com. We will respond within one month. We may need to verify your identity first.

10. If something goes wrong

If we ever have a data breach that is likely to affect your rights (for example, if data were accessed by someone who should not have it) we are required by law to report it to the Information Commissioner’s Office (ICO) within 72 hours of finding out about it. If the breach poses a significant risk to you directly, we will also contact you as quickly as possible.

If you suspect any misuse of your data, please contact us at security@keryth.com immediately.

11. How to complain

If you are unhappy with how we have handled your data, please email us first at privacy@keryth.com. We would like the chance to put it right.

If you are still not satisfied, you can complain to the ISO
Website: ico.org.uk
Telephone: +44 (0)3031 231 113
Post: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF, United Kingdom

If you are in the EU, you can also complain to your local data protection authority. A directory is at edpb.europa.eu.

12. If Keryth is sold or transferred

If LBFG Ltd is sold or merged with another company, your data may be transferred to the new owner as part of that process. If this happens, the new owner will only be permitted to use your data for the same purposes described in this policy. We will notify you before any such transfer takes place and will require the acquirer to maintain privacy protections no less strong than this policy.

13. Changes to this policy

If we make significant changes to this policy, we will email you before the changes take effect. Minor changes (like correcting a typo or adding a new subprocessor that does not change how your data is used) will be reflected in the updated date at the top without direct notification.

Previous versions of this policy are available on request.

14. The legal bits we have to include

The following clauses are required by law or are standard legal protections. We are including them in plain English where possible.

Severability: If any part of this policy is found to be unenforceable by a court, the rest of it remains in force.

No waiver: If we do not immediately enforce a right under this policy, that does not mean we have given it up.

Governing law: This policy is governed by the laws of England and Wales. Any disputes will be resolved in the courts of England and Wales.

Transfer of rights: You cannot transfer your rights under this policy to someone else. We can transfer our obligations, but only if your rights are not affected.

15. Contact us

Email: privacy@privacy.com
Post: LBFG Ltd, Unit 78, Basepoint Business & Innovation Centre, Metcalf way, RH11 7XX Crawley, West Sussex, United Kingdom

LBFG Ltd is a private limited company registered in England and Wales.
Company number: 14105347
VAT number: GB471177977
ICO number: ZC112897