Privacy Policy

The cryptoalert.report service (the “Service”) is operated by KYT GROUP LIMITED, a company incorporated in Hong Kong (Business Registration Number: 76814411), registered address: Unit 2A, 17/F Glenealy Tower, No.1 Glenealy, Central, Hong Kong (the “Operator”, “we”).

The Operator is the data controller of users' personal data under the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong and, for users located in the EU and the UK, under the GDPR / UK GDPR.

For any question relating to the processing of your personal data (access, rectification, erasure, complaints), please email [email protected]. We respond within 30 days.

We collect only the minimum data required to operate the Service:

• Email sign-up — your email address (used to send magic-link logins and security notifications).
• Google / GitHub sign-in — email, name and the provider's stable user identifier (returned by the OAuth provider with your consent). We never see or store your Google or GitHub password.
• Technical information — IP address, User-Agent string, timestamp. Used for abuse protection, rate-limiting and session handling.
• Session cookie — a strictly necessary cookie ca_session, HttpOnly + Secure, 30-day TTL. Without it sign-in cannot work.
• Content you create in the Service — the list of blockchain addresses you choose to watch (watchlist), your labels and alert settings. Public blockchain addresses are not personal data on their own, but when linked to your account we treat them as personal data.
• Telegram chat ID — only if and when you link a Telegram bot to your account (upcoming feature). We store only the numeric identifier, never chat contents.
• Payment data — when paid plans launch, we will use an external processor (planned: CryptoCloud). We do not store crypto-wallet details of payers; we only receive the fact of payment, amount and a transaction identifier.

• Authentication and session maintenance.
• Transactional email (magic links, account security).
• Providing Service features (watchlist alerts, analytics, API).
• Abuse protection: rate-limiting, detection of suspicious activity.
• Compliance with applicable legal obligations.

Legal bases (for users under GDPR): performance of a contract (Art. 6(1)(b) GDPR) — to operate the Service; legitimate interest (Art. 6(1)(f)) — for abuse protection and security; consent (Art. 6(1)(a)) — for any marketing messages (we currently send none).

We do not sell your data. We share the minimum necessary with the following processors:

• Resend (Resend, Inc., USA; processing in eu-west-1, Ireland) — email delivery for magic links. We pass: email address, message contents.
• Google and GitHub — OAuth sign-in providers. They see the fact of a sign-in request from our domain; we receive a verified email and name (only upon your explicit consent on the OAuth screen).
• Cloudflare, Inc. (USA) — DNS, TLS termination, DDoS protection for part of our domains. Sees IP address and HTTP request metadata.
• QuickNode, Inc. (USA) — Ethereum and TRON RPC provider. We do not pass personal data; we only consume public on-chain data.
• MVPS.net (VPS hosting, Bulgaria) — hosts Service servers. Sees traffic as part of normal network operation.
• CryptoCloud (upon launch of paid plans) — crypto payment processor. Will receive: email, amount, plan identifier.

We maintain standard contractual safeguards with all processors. When data is transferred outside the EEA, recognised mechanisms (Standard Contractual Clauses or equivalent) are used.

• Login magic tokens: 15 minutes; deleted on use.
• Sessions: 30 days from last activity; deleted thereafter.
• Account data (email, OAuth identities, watchlist): retained while the account is active. Deleted upon your request or after 24 months of full inactivity.
• Request logs (IP, User-Agent, endpoint): 90 days, then anonymised or deleted.
• Financial records (once paid plans launch): retained in accordance with Hong Kong bookkeeping requirements (7 years).

Regardless of your location, upon request to [email protected] you may:

• receive a copy of your personal data;
• request rectification of inaccurate data;
• request deletion of your account and related data (right to be forgotten);
• export your data in a machine-readable format (data portability);
• restrict or object to certain kinds of processing;
• withdraw previously given consent.

If you believe we violate your rights, you may also file a complaint with the PCPD (Hong Kong) or with your national supervisory authority (if applicable).

We use strictly necessary cookies only — the session cookie ca_session for sign-in. We do not use advertising cookies or third-party analytics trackers (Google Analytics, Facebook Pixel and similar). Therefore, no consent banner is required.

• All traffic travels over HTTPS (TLS 1.2+, automatic certificate renewal).
• We do not store passwords — login is via magic link or OAuth only.
• Session cookies are HttpOnly, Secure, SameSite=Lax.
• Magic tokens are single-use with a 15-minute TTL.
• The database runs on an isolated Docker internal network, unreachable from the public internet.

The Service is not intended for persons under 18. We do not knowingly collect data from minors. If you believe a minor has provided us with data, write to [email protected] and we will delete it.

We may update this policy. Material changes will be announced on the website and emailed to registered users at least 7 days before taking effect. The last-updated date is shown at the top of this document.

This policy is governed by the laws of Hong Kong. Disputes arising out of the processing of personal data shall be resolved by the competent courts of Hong Kong, unless mandatory rules of the law of your country of residence provide otherwise.