The operator of altvale.com and the publisher of KruxOS is Altvale, based in the United Kingdom. References to "Altvale", "we", "us", and "our" in this policy mean that operator. Altvale is not, at the date of this policy, a registered corporate entity. When Altvale is incorporated, this policy will be reissued with that entity named as controller, and your rights under it will not be reduced by that transition.
For all data-protection purposes, the operator named above is the data controller. Contact details are in Section 8.
We collect only the following:
Email correspondence. When you email [email protected], [email protected], [email protected], or [email protected], we receive and store the email content, your email address, and any other personal data you choose to include.
Server-side request logs. The web host that serves altvale.com records standard HTTP request metadata — typically the requesting IP address, timestamp, requested URL, user-agent string, and referrer. These logs are operational, not analytical, and are retained on the host's default rolling window (currently up to 30 days). We do not aggregate them, profile them, or join them to any other data.
That is the complete list. We run no analytics, no advertising trackers, no fingerprinting, no behavioural profiling, no A/B testing, no session replay, no heat-mapping, and no third-party tag managers. KruxOS itself runs locally on your machine and transmits no usage data to us. See Section 5 for what KruxOS does — and does not — do with your data.
Emails are used to reply to you, to handle the matter you raised (licensing, sales, security disclosure, general enquiry), and — where you have given us a security report — to coordinate disclosure under our advisory process.
Request logs are used to operate the site (debug errors, detect abuse, defend against denial-of-service traffic). They are not used for marketing or profiling.
We do not use any data we hold to make automated decisions that produce legal or similarly significant effects about you (Article 22 GDPR), and we do not engage in profiling.
Where GDPR or UK GDPR applies, we rely on the following bases:
Legitimate interests (Article 6(1)(f)) for reading, storing, and replying to email you have voluntarily sent to a published address, and for keeping operational server logs to run the site securely. Our legitimate interest is operating a contactable business and a secure website. We have considered your rights and consider that those interests are not overridden, given the minimal data involved and the fact that you initiated the contact.
Performance of a contract or pre-contractual steps (Article 6(1)(b)) where your email is part of negotiating or operating a licensing relationship for KruxOS.
Legal obligation (Article 6(1)(c)) where we have to retain or disclose data to comply with a binding legal request.
Consent (Article 6(1)(a)) is not relied on today because we do not run analytics or marketing automation. If that ever changes, consent will be obtained through the mechanism described in the Cookie Policy before any such processing begins.
KruxOS is a closed-source application distributed by Altvale. It runs on your machine, under your account, with access to whatever resources you grant it. The following points describe Altvale's privacy posture for KruxOS at the date of this policy — see also the KruxOS EULA for the licensing relationship.
No telemetry. KruxOS does not transmit usage data, prompts, completions, file contents, or any other operational data to Altvale's infrastructure. We do not operate any servers that receive KruxOS runtime traffic.
No account, no sign-in. KruxOS does not require an Altvale account. We do not hold credentials, identifiers, or profile information for KruxOS users.
You may direct KruxOS to talk to third parties. KruxOS can call out to APIs and services that you configure — for example, large-language-model providers, source-control hosts, or productivity tools. Any data sent to those third parties is governed by their own privacy policies, not this one. Altvale is not in the data path.
Updates. If a future version of KruxOS introduces any data transmission to Altvale, that change will be disclosed in this policy, in the release notes, and (where consent is required) gated behind an explicit opt-in.
We do not sell personal data, and we do not share personal data with third parties for those parties' own marketing or analytics purposes. We will only disclose personal data outside of Altvale in the following limited cases:
Service providers acting on our behalf. The following providers may process limited data as part of running the site and our inboxes:
altvale.com and processes request logs (Section 2).
altvale.com name.
The specific providers used at the date of this policy are available on request from [email protected]. We list them in this form rather than by name because providers may change without altering the substance of this policy.
Legal compulsion. We may disclose personal data where we are required to do so by a binding court order, regulatory request, or law-enforcement demand with valid authority over us. Where we are permitted to inform you of such a request, we will.
International transfers. The operator is based in the United Kingdom, and our email and hosting providers may store data in jurisdictions including the European Economic Area, the United Kingdom, the United States, and other jurisdictions where service providers operate. Where data is transferred from the EEA or the UK to a jurisdiction that is not subject to an adequacy decision, transfers rely on Standard Contractual Clauses or the UK International Data Transfer Addendum, supplemented where necessary by additional safeguards.
Emails are retained for as long as the matter they relate to remains open, and thereafter for up to 24 months for our reference, unless you ask us to delete them sooner (and we have no overriding legal obligation to keep them).
Server logs are retained on the host's default rolling window (currently up to 30 days) and then overwritten or deleted.
Security disclosures may be retained for longer where they remain operationally relevant (e.g. tracking a fix across versions), but personal identifiers within them can be redacted on request once the disclosure is closed.
Depending on where you are, you may have some or all of the following rights over the personal data we hold about you:
California residents (CCPA / CPRA). You have the right to know what categories of personal information we have collected, to delete personal information, to correct inaccurate information, and to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information in the CCPA / CPRA sense, and there is no opt-out toggle to operate. Categories collected and purposes are described in Sections 2 and 3.
To exercise any right, email [email protected] from the address you previously corresponded with us from, or otherwise identify yourself sufficiently for us to act on the request. We aim to reply within 30 days. There is no charge for routine requests.
We apply reasonable technical and organisational measures to protect personal data, proportionate to the very limited scope of data we hold. No system is perfectly secure; we will not promise otherwise.
Vulnerability reports and security correspondence: [email protected]. Coordinated disclosure is preferred. Routing is also discoverable per RFC 9116 at altvale.com/.well-known/security.txt.
Altvale's services are not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data to us, contact [email protected] and we will delete it.
Material changes will be accompanied by a revised Effective date and a bump to the version number in the header. Where changes materially expand the data we collect or how we use it, we will give prior notice through this page and, where we have a working email address for you, by email.
The canonical version is always at altvale.com/legal/privacy.html.
Data controller: Altvale, based in the United Kingdom.
Email: [email protected] for privacy matters and right-exercise requests; [email protected] for security disclosures.
If you would like the operator's full postal address for a formal request, ask by email and we will provide it.