Privacy Policy

Who we are

Krystalize is operated by Krystalize LLC ("we," "us," or "Krystalize").
Contact: privacy@krystalize.ai

The short version

• Your content stays on your device. Krystalize runs locally. Your calendar events, emails, messages, and files are stored only on the Mac where you install the app.
• We never ship your content to Krystalize servers. We have no server that receives, stores, or indexes your content.
• Third-party integrations are strictly user-authorized. When you connect a Google, Microsoft, Apple, or other account, Krystalize talks to their servers directly from your device using credentials you provided. We don't relay, proxy, or mirror that data.
• Credentials are encrypted at rest on your device. The vault is protected with AES-256-GCM derived from a key that never leaves your device.
• No analytics, no behavioral tracking. We don't collect usage telemetry by default.

What information Krystalize handles

1. Information you enter into the app

This includes projects, tasks, contacts, crystals, notes, settings, and anything else you type or import. It is stored locally in ~/Library/Application Support/Krystalize/ (or your OS equivalent) and is not transmitted to Krystalize.

2. Credentials you store in the vault

API keys, OAuth refresh tokens, passwords, and similar secrets that you add to Krystalize's Credential Locker or Agent Vault are encrypted at rest using authenticated encryption. They are never transmitted to Krystalize and never written to logs.

3. Data from connected third-party services

When you connect a service like Google Calendar, Microsoft 365, Apple iCloud, a Matrix homeserver, or an IMAP/CalDAV server, Krystalize authenticates on your device and exchanges data directly between your device and that service. Depending on what you connect, this may include:

• Calendar: events, attendee lists, reminders, calendar metadata
• Email: messages, attachments, mailbox folders, contact addresses
• Contacts: names, addresses, phone numbers, notes
• Messaging bridges: message content, contact names, media attachments

This data is cached locally so the app can work offline and render quickly. It is not sent to Krystalize servers at any point. If you remove an account in the app, the local cache for that account is purged.

4. Communication with AI model providers

When you use Krystalize features that invoke a language model (chat with "Krys," agent runs, classification, summarization, etc.), the prompt and any relevant context are sent to the model provider you configured — for example, Anthropic for cloud Claude, or the local oMLX / Qwen model that runs entirely on your machine.

• Local model usage: no data leaves your device.
• Cloud model usage (e.g., Anthropic API): the prompt is sent to the provider per their terms. Krystalize does not add any telemetry layer on top. You can configure which providers are enabled.

Krystalize does not store transcripts of these exchanges on any server we operate.

5. Update checks and crash reports

If you enable update notifications, Krystalize checks our release endpoint for new versions. This request may include your app version and OS version so we can serve the correct build. It does not include your name, email, or any content.

Crash reports are not collected automatically. If you choose to send a bug report via the in-app form, only the content you include is transmitted — we do not sweep logs or capture your screen.

What Krystalize does not do

• We do not sell, rent, or share your information with advertisers, data brokers, or affiliates.
• We do not track you across websites or apps.
• We do not build profiles of you.
• We do not read, index, or analyze your calendar events, emails, messages, files, or crystals on any server we operate.
• We do not use your data to train models.

Third-party services and the Google API Services User Data Policy

When you connect Google Calendar (or any other Google service) to Krystalize, you authorize Krystalize to read and modify data in the scopes you grant. Krystalize's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• Google user data is used only to provide and improve the in-app calendar features you see.
• Google user data is not transferred to third parties except as strictly necessary for the user-facing feature, for security, or to comply with applicable law.
• Google user data is not used for serving advertisements.
• Humans do not read Google user data unless you explicitly share it with us for a support case, or where required by law.

You can revoke Krystalize's access to your Google account at any time at myaccount.google.com/permissions. Revoking access on Google's side will cause syncing to stop; the local cache remains on your device until you remove the account in Krystalize. Equivalent revocation paths exist for Microsoft (account.microsoft.com) and Apple (appleid.apple.com).

Children

Krystalize is not directed to children under 13, and we do not knowingly collect information from children under 13.

Security

Krystalize's security practices include:

• AES-256-GCM authenticated encryption for credentials at rest
• No plaintext credentials in logs
• HTTPS/TLS for all outbound connections to third-party services
• OS-level process isolation for AI model subprocesses

No system is perfectly secure. If you suspect a security issue with Krystalize, please email security@krystalize.ai.

Your choices

• Disconnect an account: Open Settings → service → Remove. The local cache and stored credentials for that account are purged.
• Delete everything: Quit Krystalize and remove ~/Library/Application Support/Krystalize/. This removes all local data.
• Contact us: Email privacy@krystalize.ai for questions about what Krystalize does with your information.

California, EEA, UK residents

Depending on where you live, you may have rights under local law — for example, access, correction, deletion, or portability of personal information. Because Krystalize does not hold your content on our servers, most of these rights are exercised by you directly on your device (delete the app, remove an account, etc.). For any right that requires action on our end — such as confirming what we hold about your account registration — email privacy@krystalize.ai.

We do not sell personal information as "sale" is defined under the California Consumer Privacy Act or any analogous law.

Changes to this policy

We will update this page when the policy changes and revise the "Last updated" date. For material changes, we will notify active users in-app before the change takes effect.

Contact