Skip to content

PRIVACY & SECURITY

We built Keryth so that we
genuinely cannot read your work.

Privacy is not a feature we added to Keryth. It is the reason Keryth exists. Here is exactly how it works. No jargon, no small print.

HOW IT WORKS

The encryption flow — plain English

When you upload a file or start a chat with Keryth, here is exactly what happens to your data, step by step.
We believe you deserve to know this, not just trust us.

Your device Keryth app, desktop app, or browser Your chats and files All content starts here Encryption AES-256 on your device Our servers Secure, access-controlled infrastructure Receive encrypted block Unreadable without your credentials Temporary — sandboxed process File decryption Sandboxed virus scan RAG indexing and embedding Temporary plaintext only Plaintext deleted Immediately and automatically Encrypted storage Only encrypted copy kept EU-based LLM — encrypted transit Relevant excerpts sent to LLM EU-based provider · encrypted in transit Response encrypted AES-256 on our servers Your device — decrypt the response Readable only on your device

Whether you’re using the Keryth web interface, the desktop app on Windows, Max, or Linux, or – in future – the mobile app on your phone, the same principle applies: your files and chats are encrypted on your device before they are transmitted anywhere. They travel to our servers already locked. This is not something that varies by platform or connection type. It is how every version of Keryth works, by design.

WHAT THIS MEANS FOR YOU

The one moment we can see your text, and why

Our servers are hosted in a secure, access-controlled environment. We have taken every reasonable precaution to prevent unauthorised access, both from outside and from within. Critically, our staff have not technical means to access plaintext files during the indexing and embedding process, even if they wanted to. The pipeline is automated and isolated. No human is in the loop at any point where your content exists unencrypted.

We want to be completely honest about this. When you upload a file, there is one brief moment when your test exists in plaintext on our servers, during the indexing step that powers AI assistant’s ability to understand and search your work. This lasts from a few milliseconds to a few seconds, depending on the size of your document.

That plaintext is deleted the instant indexing is complete. What remains on our servers is an encrypted index and an encrypted copy of your file. Neither is readable by our staff, our systems, or anyone else without your credentials.

This is not a policy we could quietly change. The plaintext deletion is built into the processing pipeline. It happens automatically, every time, without human involvement.

The AI assistant that powers Keryth runs on a large language model provided by Mistral AI, a third-party AI company based in the European Union, operating under GDPR. Your prompts and relevant document excerpts are sent to this model encrypted in transit. The model provider does not retain your data for training purposes under our data processing agreement. For v1.0 launch, we are working towards self-hosting our own model; at which point no data will leave our own infrastructure at any stage.

We tell you this because we believe you deserve a complete picture, not a simplified one. “End-to-end encrypted” sounds reassuring, but you should know exactly what it means, and what it doesn’t, before you trust us with your work.

OUR COMMITMENTS

What we will never do

These are not aspirations. They are constraints built into how Keryth operates — technically, contractually, and as a matter of principle.

Read your writing

Our staff have no access to your files or chat history. The architecture makes this technically impossible, not just against policy.

Use your writing to train AI models

Your content is used for one purpose only: powering your own AI assistant. It is not used to train, improve, or fine-tune any model — ours or anyone else’s.

Sell or share your data

We do not sell personal data. We do not share it with advertisers, data brokers, or third-party analytics platforms. We share only the minimum required data with our payment provider Mollie, and our LLM provider Mistral. Both are EU based and bound by the same GDPR rules as we are.

Serve you advertisements

Keryth has no advertising model. Your subscription is our revenue. We have no financial incentive to profile you or monetise your attention.

Retain plaintext after indexing

The only moment your text exists unencrypted on our servers is during the RAG indexing step. It is deleted automatically and immediately — never stored, never logged.

Allow staff access during indexing

The indexing and embedding pipeline is fully automated and isolated. No member of staff has any technical means to access your content during this process — even if they wanted to.

YOUR LEGAL RIGHTS

GDPR compliance — what it actually means for you

The General Data Protection Regulation (GDPR) is the European Union’s framework for personal data protection. It is widely regarded as one of the strictest and most comprehensive data protection laws in the world, setting a standard that many other countries have since used as a model for their own legislation. Under GDPR, companies must be explicit about what data they collect, why they collect it, how long they keep it, and who they share it with. Vague privacy policies and hidden data practices are not permitted.

LBFG Ltd, the UK-based company behind Keryth, is legally required to comply with UK GDPR, the domestic version of the regulation that was retained and enshrined into British law after Brexit. In practice, UK GDPR and EU GDPR are substantively identical. This means that whether you are writing from Paris, New York, Sydney, or anywhere else in the world, the same robust protections apply to your data when you use Keryth.

In plain terms, GDPR means we cannot collect data we don’t need, cannot keep it longer than necessary, cannot share it without your knowledge, and cannot use it for purposes you haven’t agreed to. It gives you real, enforceable rights over you own information, not just a privacy policy you have to trust us to honour, but legal obligations we are required by law to to uphold. If we breach them, you have the right to report us to the Information Commissioner’s Office (ICO) in the UK, or to your legal data protection authority if you are based in the EU or EEA.

Right to access

Download a complete copy of all data we hold about you at any time.

Right to erasure

Delete your account and all associated data permanently. Irreversible and immediate.

Right to portability

Export your files, projects, and chat history in standard formats.

Right to rectification

Correct any inaccurate personal data we hold about you.

Right to object

Object to any processing of your data at any time.

Right to complain

Lodge a complaint with your national data protection authority if you feel your rights have been breached.

These rights apply to you regardless of where in the world you are based. GDPR was designed to protect individuals, not just EU citizens. If you use a service operated by a UK or EU company, these protections follow you.

STILL HAVE QUESTIONS?

We believe in full transparency

If you have a specific question about how your data is handled that isn’t answered here or in our privacy notice, we want to hear it. Not to five you a canned response — because if we can’t answer it clearly, that’s a sign we need to improve.

You can reach our privacy team directly at privacy@keryth.com. We aim to respond within two business days. You can also reach us directly on our Stoat server here https://stt.gg/KvK7MTRx and chat with our development team.

For the full legal detail, our Privacy Policy and Terms of Service are written in plain language, not designed to obscure.

Ready to write with nothing to hide?

Your story. Your data. Your rules. Early access opens 13th April 2026.

Claim your early access place