Privacy
Last updated: 2026-04-30
We try to write our privacy policy the way we'd want to read one. Plain language. Honest about what we do and don't collect.
Privacy that scales with your tier
Most tools give the vendor more visibility as you pay more. krate goes the other way — sovereignty grows with the tier:
- Solo (free): Everything runs on your Mac. We receive nothing about your activity.
- Team (paid): Audit events, policy decisions, build records, and pushed artifacts live on your hosted krate server. We never sell, share, or use this data for our own analytics.
- Enterprise (paid): Everything in Team, but on your own self-hosted krate server. Data never leaves your perimeter.
Across every tier: no third-party trackers, no advertising, no selling. Your workloads always run on your Mac — what we receive is metadata about activity, never the activity contents.
What we collect
- Your email, when you sign up for the beta waitlist or create an account.
- Your name and company, if you give them (both are optional).
- Your IP address, attached to your signup record. Used to detect spam and abuse, not for tracking or marketing.
- Anonymous page-view counts via self-hosted Umami. No cookies, no fingerprinting, no third parties. How Umami works.
What we don't
- We do not use Google Analytics, Facebook Pixel, or any third-party tracker.
- We do not set advertising or tracking cookies. The session cookie our portal uses is HTTP-only and scoped to your account login.
- We do not sell or share your email with anyone.
- The krate CLI does not send telemetry.
Your rights
How you delete your data depends on your tier — for the same reason sovereignty grows with the tier:
- Solo: delete your account at any time from Settings → Delete Account in the portal. No email, no support ticket. We hold the record for seven days in case you change your mind, then permanently purge it.
- Team: ask your team admin to remove you from the org, or email privacy@krate.sh to delete your personal data while leaving org-anonymized history intact. Account-lifecycle authority sits with your org admin because shared resources (API keys, audit history, policies) belong to the org, not to you individually.
- Enterprise: your krate server is self-hosted in your own infrastructure — your internal admin handles deletion. We never had your data to begin with.
EU residents have the same rights under GDPR Article 17 regardless of tier.
Where data lives
Our database runs on a Vultr VM in the United States. Email is sent via Resend; their privacy policy applies to email addresses we hand to them for delivery.
Changes
If we change this policy in a way that affects you, we will email anyone who has an account with us and post a notice at the top of this page for 30 days.