Privacy Policy

Krat13 · Effective July 4, 2026 · Last updated: July 4, 2026

Short version: Krat13 is built to be private and local-first. Your collection lives on your device and, if you enable it, in your private iCloud account. Some optional features (cover-art lookup, Premium Scan, Discogs import, and AI features) send limited data to third-party services to work. We run a small backend that helps these features and protects them from abuse. The krat13.app website is hosted by Vercel as static pages. Analytics are off unless you turn them on, and we show no ads.

Who we are (data controller)

Krat13 is provided by Iraklii Tatoshvili, an individual sole trader based in Poland ("Krat13", "we", "us"). For any privacy question, or to exercise your rights, contact us at irakliy.tatoshvili@gmail.com. We have not appointed a Data Protection Officer because one is not required for our current processing activities; this email is the privacy contact point.

This policy explains what data Krat13 processes, why, on what legal basis, who it is shared with, and the rights you have under the EU/UK General Data Protection Regulation (GDPR), the Polish data-protection law, the California Consumer Privacy Act (CCPA/CPRA), and other applicable laws.

Scope

This policy covers the Krat13 iOS app, widgets, app extensions, backend-assisted features, support communications, and the static website at krat13.app. It does not cover third-party websites or services you choose to use, which are governed by their own policies.

Data stored on your device and in your iCloud

Krat13 stores your vinyl record collection, want list, play counts, lending records (including any lender name and due date you enter), photos you add, cover-art URLs, prices, tags, and notes. This data lives on your device and, if you enable iCloud, in your own private iCloud/CloudKit container under your Apple ID.

Your iCloud container is private to you. It is stored on Apple's infrastructure and is not visible to us. We do not have a copy of your collection.

Note on other people's data: if you enter information about another person (for example, the name of someone you lent a record to), you are responsible for handling their data lawfully. That information stays on your device / your iCloud and is not sent to us.

Our backend (and what it does)

We operate a small backend service (hosted on Railway, with a PostgreSQL database) that supports certain features and protects them from abuse. It is designed so the app keeps working even if the backend is unavailable. The backend:

Verifies your device using Apple App Attest, to stop fraud and abuse of the paid third-party services we pay for. We store an anonymous device-attestation key identifier and a counter — not your identity.
Proxies Discogs requests so our API credentials are never shipped in the app, and caches public release/marketplace metadata to stay within rate limits.
Proxies image-recognition (Premium Scan) requests to Google Cloud Vision.
Proxies AI requests to our AI provider for any AI features (see "AI features" below).

We do not use the backend to build advertising profiles, and we do not sell your data.

The krat13.app website

The website is hosted by Vercel and consists of static information pages, including Support, Privacy, Terms, and Legal. We do not add advertising pixels, third-party analytics scripts, or cookie banners to these pages. Like most hosting/CDN providers, Vercel may process technical request information such as IP address, user agent, requested URL, timestamps, and diagnostic logs to deliver the site, secure it, and operate the service.

We use this website data only for security, debugging, and operation of the public pages. It is not used to track you across sites or build advertising profiles.

Cover art and metadata lookup

When you scan a barcode or search for cover art or release details, Krat13 sends the barcode number or your search terms to one or more of:

MusicBrainz (musicbrainz.org) — open music database
Cover Art Archive (coverartarchive.org) — cover-art database
Apple iTunes Search API — Apple's public metadata API
Discogs (discogs.com) — release and marketplace data, via our backend
Deezer (deezer.com) — album metadata and cover art
Setlist.fm — artist concert history, where that feature is enabled

Only the search terms / barcode are sent. These services are independent controllers subject to their own privacy policies.

Pasting a store link

If you paste a product link from a supported record shop and the shop blocks direct reads, the page address you pasted is sent to the Jina.ai reader service (r.jina.ai) to extract the album details. Only the page address is sent — no cookies, account data, or personal information are included. This only happens for retailers on a built-in supported list.

Premium Scan (image recognition)

If you use Premium Scan, photographs of the record sleeve (front and back) are sent — via our backend — to Google Cloud Vision to read text and help identify the pressing. The images are used only to perform the identification for you and are not used by us to identify you. If no cloud key is configured or the request fails, the app falls back to on-device recognition. Identification results are estimates and may be wrong.

Connecting your Discogs account (optional)

If you choose to import from Discogs, you sign in through Discogs' own OAuth screen. With your authorization, our backend retrieves the collection and want-list data you have made available on Discogs and brings it into the app. Your use of Discogs is governed by Discogs' terms and privacy policy. You can disconnect at any time.

AI features

Krat13 may offer optional AI features (for example, turning a scan into a structured release guess or summarizing your collection). Where an AI feature is used, the relevant input (such as scan text or selected collection details) is sent — via our backend — to our AI provider, Google (Gemini API), to generate the result, and is processed under Google's applicable terms. AI output is generated automatically, may be inaccurate, and should be independently verified before you rely on it. We do not use your data to train our own models.

Purchases

Paid features ("Pro") are purchased through Apple's in-app purchase. Apple processes the payment; we never receive or store your payment-card details. Apple provides us with anonymized/aggregated sales and entitlement information.

Analytics (opt-in only)

Krat13 includes optional, anonymised analytics, disabled by default. You can enable it in Settings. If you opt in, a randomly generated device ID (never your name or email) is used to count aggregate events like "record added" via PostHog. You can opt out at any time in the same screen.

Crash reporting

Krat13 may use crash reporting (via Sentry) to diagnose technical issues. Crash reports contain device type, OS version, and a stack trace. They do not contain your collection content.

Advertising

Krat13 contains no advertising. We do not use ad networks, tracking pixels, or third-party advertising SDKs, and we do not sell or "share" your personal information for cross-context behavioural advertising.

Camera, photos, and notifications

Camera access is used only to scan barcodes and photograph covers; it is never used in the background. Photos you add stay on your device / iCloud, except sleeve images you submit to Premium Scan as described above. Daily reminders are scheduled as local notifications on your device.

Who we share data with (subprocessors)

We use the following service providers to deliver the features above. Each acts under its own privacy terms:

Provider | Purpose | Region
Apple | App Store, in-app purchase, iCloud/CloudKit, App Attest | EU / US
Vercel | Static website hosting and CDN | Global / US / EU
Railway | Backend hosting + database | US
Google Cloud Vision | Premium Scan image recognition | US / EU
Google (Gemini API) | AI features | US / EU
Discogs | Release / marketplace data, optional import | US
MusicBrainz · Cover Art Archive · Deezer · Setlist.fm · Apple iTunes Search | Metadata and cover-art lookup | EU / US
Jina.ai (r.jina.ai) | Store-link reader for supported shops that block direct reads | US
PostHog | Opt-in, anonymised analytics | US (or EU)
Sentry | Crash reporting | US

We may update this list as the Service evolves. We do not sell your personal data.

International transfers

Some providers above are located in the United States or other countries outside the EEA/UK. Where personal data is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and equivalent mechanisms.

Legal bases for processing (GDPR)

Performance of a contract — to provide the features you request (e.g., scanning, lookup, import, purchases).
Consent — for opt-in analytics; you may withdraw it at any time.
Legitimate interests — to secure the Service and prevent abuse (e.g., device attestation), and to diagnose crashes, balanced against your rights.
Legal obligation — where we must process data to comply with the law.

Processing summary

Data | Purpose | Legal basis | Retention
Collection, want list, photos, notes, tags, lending details | Provide your personal record library | Performance of contract | Until you delete it from your device / iCloud
Device attestation key id and counter | Protect paid upstream services from fraud and abuse | Legitimate interests | While the device uses backend-assisted features, then deleted or anonymised when no longer needed
Search terms, barcodes, pasted store URLs | Find metadata, cover art, marketplace data, or store-page details | Performance of contract | Transiently processed; cached public metadata may be kept briefly to reduce provider load
Sleeve images and scan text | Premium Scan and AI-assisted identification | Performance of contract | Processed to return your result; not retained by us beyond what is needed to complete the request
Random analytics device id and event names | Understand app usage | Consent | Only if enabled; kept for a limited period then deleted or aggregated
Crash diagnostics | Find and fix technical issues | Legitimate interests | Kept for a limited period needed for debugging
Website request logs | Deliver and secure krat13.app | Legitimate interests | Kept by the hosting provider for operational/security periods
Support emails | Answer your request | Performance of contract or legitimate interests | As long as needed to handle the request and maintain records

Data retention

Collection data is retained on your device / iCloud until you delete it. Backend records are kept only as long as needed for their purpose: device-attestation keys for as long as the device uses the Service; cached public metadata for a short period (e.g., marketplace stats up to ~24 hours); proxied AI/scan requests are not retained by us beyond what is needed to return the result. Crash and opt-in analytics data are retained for a limited period and then deleted or aggregated.

Your rights

Subject to applicable law, you have the right to access, rectify, erase, restrict, and port your personal data, to object to certain processing, and to withdraw consent. EU/EEA and UK users may lodge a complaint with a supervisory authority (in Poland, the President of the Personal Data Protection Office, UODO). California residents have the rights to know, delete, correct, and opt out of "sale"/"sharing" (we do neither), without discrimination.

Most data is under your direct control in the app. To exercise rights regarding any backend data, email irakliy.tatoshvili@gmail.com and we will respond within the time required by law.

Deleting your data

You can permanently delete your in-app data using Settings → Clear All Data, and uninstalling Krat13 removes locally stored data. To delete iCloud data: Settings.app → [Your Name] → iCloud → Manage Storage → Krat13 → Delete Data. To request deletion of any backend data associated with your device, contact us.

Children

Krat13 is not directed to children and is intended for users aged 16 and over (or the higher age of digital consent in your country). We do not knowingly collect personal data from children below that age. If you believe a child has provided us data, contact us and we will delete it.

Changes to this policy

If we make material changes, we will update the "Last updated" date above and describe the changes in the app's What's New sheet at the next update. Prior versions are retained.

Contact

Questions or requests about this policy or your data? Email irakliy.tatoshvili@gmail.com (general support: support@krat13.app).