Privacy Policy
KASTLR ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights in relation to it. By using KASTLR — including the desktop application and website at kastlr.com — you agree to this policy.
1. Who We Are
KASTLR is a Windows 11 desktop customisation platform. The service is operated by KASTLR (South Africa). For privacy enquiries, contact us at privacy@kastlr.com.
2. Information We Collect
Account information: When you create an account, we collect your email address and a hashed password. You may optionally provide a display name.
Usage data: With your explicit consent only, we may collect anonymised information about how you use the app (e.g. which features are used most). This is opt-in and can be disabled at any time in Settings.
Payment information: Payments are handled by PayFast. We do not store your card details. PayFast handles all PCI DSS compliance. We receive only a payment confirmation and subscription status.
Locally stored data: Your Modes, Loadouts, wallpaper preferences, and settings are stored locally on your device. If you enable cloud sync (premium feature), this data is encrypted and stored on our servers to enable sync across devices.
Technical data: When you use the app or visit the website, we may receive standard technical data such as your IP address, operating system version, and app version number. This is used for diagnostics and security only.
3. How We Use Your Information
- To provide, operate, and improve the KASTLR service
- To authenticate your account and maintain your session
- To sync your settings across devices (premium subscribers only)
- To process subscription payments via PayFast
- To send transactional emails (account confirmation, password reset, subscription receipts)
- To diagnose technical issues and improve app stability
- To comply with our legal obligations
We do not sell your personal data. We do not use your data for advertising. We do not share your data with third parties except as described in Section 4.
4. Third Parties We Use
- Supabase — Authentication and database hosting. Data is stored in the EU (Frankfurt). Supabase is GDPR-compliant.
- PayFast — Payment processing for South African subscribers. PayFast is PCI DSS compliant.
- Railway — Backend API hosting. Servers are located in the United States.
- Cloudflare — Content delivery and asset storage. Used for wallpaper assets.
- Axxess — Website hosting for kastlr.com. South Africa.
We only share data with these providers as necessary to operate the service. We do not permit them to use your data for their own purposes.
5. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required by law to retain it longer.
Anonymised usage statistics may be retained indefinitely.
6. Your Rights
Depending on your location, you may have the following rights:
- Access — request a copy of the personal data we hold about you
- Correction — request that inaccurate data be corrected
- Deletion — request that your personal data be deleted ("right to be forgotten")
- Portability — request your data in a portable format
- Objection — object to certain uses of your data
- Withdrawal of consent — withdraw consent for analytics at any time in app Settings
To exercise any of these rights, email privacy@kastlr.com. We will respond within 30 days.
7. GDPR (European Users)
If you are located in the European Economic Area, you have rights under the General Data Protection Regulation (GDPR). Our lawful bases for processing your data are: contract performance (to provide the service you signed up for), legitimate interests (to operate and improve the service), and consent (for optional analytics).
You also have the right to lodge a complaint with your local data protection authority.
8. POPIA (South African Users)
If you are located in South Africa, we process your personal information in accordance with the Protection of Personal Information Act (POPIA). You have the right to access, correct, and request deletion of your personal information. You may also object to the processing of your information. Contact our Information Officer at privacy@kastlr.com.
9. Children
KASTLR is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
10. Security
We use industry-standard security measures including encrypted connections (HTTPS/TLS), hashed passwords, and access controls. However, no system is completely secure. We encourage you to use a strong, unique password for your KASTLR account.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email (if you have an account) or by posting a notice on the website. The "Last updated" date at the top of this page will always reflect the most recent version.
12. Contact
For any privacy-related questions or requests, contact us at privacy@kastlr.com.