Last updated: July 1, 2026
KronosPay LLC ("Kronos," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, share, and safeguard your data when you use the Kronos mobile application, website, and related services. By using Kronos, you consent to the practices described in this policy. This notice is provided in compliance with the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act (CCPA/CPRA), and other applicable federal and state privacy regulations.
Personal Information: When you create an account, we collect your full name, email address, phone number, date of birth, Social Security Number (for KYC verification), and mailing address.
Financial Information: We collect banking details (account and routing numbers), transaction history, direct deposit information, and linked debit/credit card details to facilitate our services. Debit card data is processed and stored in compliance with Payment Card Industry Data Security Standards (PCI DSS).
Gig Platform, Mileage, and Tax Data: If you connect gig platform accounts or enter gig activity manually, we collect earnings data, work history, payout schedules, trip counts, hours, mileage logs, tax-reserve preferences, and related notes to provide earnings, tax, and income-management tools.
Biometric and Identity Data: If you enable Face ID, Touch ID, or fingerprint unlock, your device biometric template stays on your device and Kronos receives only a yes/no confirmation from your operating system. For account opening and compliance, identity verification may also require a government ID image, selfie, and liveness check. Those identity images are used only for KYC, fraud prevention, and legally required recordkeeping.
Contacts, Location, Support, and Membership Data: If you choose to find friends on Kronos, we read phone numbers and email addresses from your device contacts, hash them on-device, send only hashes for matching, and do not store your contact list. If you use mileage tracking, we use precise or background location only to detect and calculate trips you choose to save. If you contact support, we collect support messages, attachments, call metadata, and call audio routed through support providers. If you subscribe or claim perks, we collect subscription status, purchase receipts, renewal state, shipping details for merch, and perk-claim records.
Device & Usage Data: We automatically collect device type, operating system, IP address, app usage patterns, session duration, diagnostics, and crash reports to secure the service, improve reliability, and detect fraud.
Device Fingerprint & New-Login Verification: Each time you sign in, Kronos generates a one-way hash of your device's hardware signals (model, OS version, model year, total memory, and a stable installation identifier) and records the public IP address of the request. The hash and IP are written to a dedicated known_devices table and used only to detect new-device or new-location logins, in which case we may require additional verification (email OTP, SMS OTP, or biometric re-auth). The device hash and IP are retained for ninety (90) days from the most recent login and then automatically purged. Raw hardware signals are never transmitted to Kronos servers — only the resulting hash.
Third-Party Service Providers (data shared by category): To deliver banking, crypto, identity-verification, support, subscription, yield, fulfillment, and analytics functions, Kronos shares the minimum data required with the following processors, each bound by a Data Processing Agreement: our banking partner (USD ↔ stablecoin rails + on/off-ramp — name, address, SSN/ITIN, transaction history); Plaid (bank linking + Plaid Identity Verification — name, contact info, bank credentials, government-issued ID image, selfie, liveness check); Astra Financial or similar payment processors (card payments + card payouts — name, address, card-funding source, transaction amounts); Apple App Store and Google Play (subscription purchases, receipts, renewals, cancellations, and refunds); licensed crypto exchange and liquidity partners (trade routing, quotes, fills, and settlement details); Turnkey, Inc. (non-custodial wallet-key infrastructure used to hold and sign Kronos's DeFi yield position on the Base network — pseudonymous user identifier + on-chain wallet address only; no PII); Alchemy (Base mainnet RPC provider used to read blockchain state and submit transactions — IP address + on-chain wallet address); Spark Savings / Sky Protocol (underlying DeFi yield protocol; interacted with via permissionless smart contracts — receives only on-chain wallet addresses and transaction amounts, no off-chain PII); Sentry (crash + error reporting — pseudonymous user ID and PII-scrubbed breadcrumbs only; sendDefaultPii: false); Resend (transactional email — name, email address); Freshdesk / Freshchat (customer support — name, email, support-conversation content); Telnyx, Twilio, or similar communications providers (SMS, voice, support-call routing, and account-verification metadata); Printful or other fulfillment partners (merch-box order and shipping details); Google Places API (address autocomplete during signup, accessed via a Kronos server-side proxy so your IP is not exposed to Google); and Meta, Reddit, TikTok, Google Ads, or similar web attribution tools on the website only, when enabled and permitted by consent settings.
On-Chain Wallet Addresses. Kronos creates a Turnkey-managed wallet address on the Base network for each user to hold the DeFi yield position. The wallet address is pseudonymous (a 42-character hexadecimal string) and is recorded on a public blockchain. Any party can view transaction history associated with a wallet address; Kronos does not publish the mapping between wallet addresses and user identities. On-chain transaction history is permanent and publicly auditable. If a user shares their wallet address with a third party, that third party can view all transactions associated with the address. Kronos cannot delete or amend on-chain records — they are governed by the underlying blockchain protocol, not by Kronos.
We use your information to: provide, operate, and maintain banking, money movement, crypto, savings/yield, card, payout, international transfer, gig-income, mileage, tax, subscription, support, and perk features; verify your identity and comply with KYC/AML regulations; match contacts privately when you ask us to find Kronos users; process transactions and send notifications; calculate subscription billing and membership eligibility; ship eligible merch and other physical perks; detect, prevent, and investigate fraudulent or unauthorized activity; communicate important account updates and promotional offers; perform automated risk assessments for fraud prevention; and improve our products through aggregated analytics.
Kronos uses automated systems to make certain decisions that may affect your account, including: fraud risk scoring (based on transaction patterns and device data), and account risk assessments. You have the right to request an explanation of any automated decision that significantly affects your account. To request a review, contact support@getkronos.io.
As a financial services provider, KronosPay LLC is subject to the GLBA. We collect nonpublic personal information (NPI) about you from account applications, transaction history, and third-party sources. We do not disclose NPI to non-affiliated third parties except as permitted by law, including: to process your transactions, to protect against fraud, to comply with legal requirements, and with service providers who are contractually obligated to keep your information confidential. You may opt out of certain information-sharing practices by contacting privacy@getkronos.io.
We do not sell your personal information. We share data only in the following circumstances: with our licensed money-movement partner HiFi and its FDIC-insured partner banks, who hold eligible USD deposits and process USD↔stablecoin conversion, ACH, RTP where available, wires, local payout, and related transfers; with payment processors and card networks (Visa, Mastercard) to facilitate transactions; with identity verification providers (for KYC/AML compliance); with App Store / Google Play for in-app subscriptions; with fulfillment providers for merch and physical perks; with on-device key derivation (BIP32/BIP39) for wallet and key management; with licensed cryptocurrency exchange and liquidity partners to facilitate trades; with cloud infrastructure providers (for hosting and data storage); with email, SMS, voice, and support providers (for transactional communications and customer support); with law enforcement or regulators when required by law, subpoena, or legal process; and with analytics or attribution providers using aggregated, de-identified, hashed, or consented website data only. All third-party service providers are bound by data processing agreements that require them to protect your information and use it only for the purposes we specify.
Sub-processors. Certain partners act as our sub-processors and may handle your data under their own privacy policies — including HiFi for banking, money-movement, KYC, and transaction processing. Where a partner processes your data as a controller for its own legal, compliance, or fraud-prevention obligations, that partner’s privacy policy also applies. You may direct requests relating to data held by HiFi to support@hifi.com, and we will assist where required.
International data transfers. Kronos and its service providers are based in the United States, and your information is processed in the U.S. Where data is transferred from the EEA, UK, or Switzerland, we and our sub-processors rely on appropriate safeguards — such as the European Commission’s Standard Contractual Clauses (SCCs) and equivalent UK/Swiss mechanisms — to protect it.
We implement industry-leading security measures to protect your data, including: 256-bit SSL/TLS encryption for all data in transit and at rest; biometric and two-factor authentication; real-time transaction fraud monitoring; SOC 2-compliant cloud infrastructure; PCI DSS compliance for payment card data; regular third-party security audits and penetration testing; role-based access controls for internal data access; and encrypted database backups with geographic redundancy.
In the event of a data breach that compromises your personal information, we will notify affected users via email and in-app notification within 72 hours of confirming the breach, or as otherwise required by applicable state law. The notification will include: the nature of the breach, the types of data affected, the steps we are taking to address it, and recommended actions you can take to protect yourself. We will also notify applicable state attorneys general and regulatory authorities as required by law. Where appropriate, we will offer complimentary credit monitoring services to affected users.
We retain your personal information for as long as your account is active and for a period of five (5) years after account closure to comply with BSA/AML financial record-keeping regulations. Transaction records may be retained for up to seven (7) years as required by applicable tax and financial reporting laws. You may request deletion of your account data at any time, subject to regulatory retention requirements, by contacting privacy@getkronos.io.
Depending on your jurisdiction, you have the following rights regarding your personal data:
All Users: Right to access your data, correct inaccuracies, opt out of marketing communications, and request a portable copy of your information.
California Residents (CCPA/CPRA): Right to know what personal information is collected and disclosed; right to delete your data; right to correct inaccurate data; right to opt out of the sale or sharing of personal information (note: Kronos does not sell your data); right to limit the use of sensitive personal information; and right to non-discrimination for exercising your rights. To exercise your CCPA rights, contact privacy@getkronos.io or call our privacy line. We will respond within 45 days.
Virginia Residents (VCDPA): Right to access, correct, delete, and obtain a portable copy of your data; right to opt out of targeted advertising, profiling, and sale of personal data.
Colorado Residents (CPA): Right to access, correct, delete, and port your data; right to opt out of targeted advertising, sale of data, and profiling that produces legal effects.
Connecticut Residents (CTDPA): Right to access, correct, delete, and port your data; right to opt out of targeted advertising, sale of data, and profiling.
To exercise any of these rights, email privacy@getkronos.io with your request. We will verify your identity and respond within the timeframes required by applicable law.
Our website currently does not respond to "Do Not Track" (DNT) browser signals, as there is no industry-standard protocol for DNT compliance. However, you can control tracking through cookie preferences, browser settings, and the privacy controls offered by supported ad platforms.
Our website uses cookies and similar technologies to remember your preferences, protect forms from abuse, analyze traffic, attribute waitlist signups, and measure whether our own ads work. This may include Cloudflare, Turnstile, Google Ads, Meta, Reddit, TikTok, or similar attribution tools when enabled. You can manage cookie preferences through your browser settings. For detailed information about the cookies we use, their purposes, and how to control them, see our Cookie Policy.
The Kronos app and website may contain links to third-party websites, services, or applications that are not owned or controlled by KronosPay LLC. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services.
We strongly advise you to read the terms and privacy policies of any third-party website you visit. KronosPay LLC shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any third-party content, goods, or services.
Kronos is not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we discover that a minor has created an account, we will promptly delete the account and associated data. If you believe a minor has provided us with personal information, contact privacy@getkronos.io.
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. Continued use of Kronos after updates constitutes acceptance of the revised policy. Prior versions of this policy are available upon request.
For privacy-related questions, data access requests, or concerns, contact our privacy team at privacy@getkronos.io. For general support, reach us at support@getkronos.io. To report fraud or unauthorized activity, email reportfraud@getkronos.io.