**PRIVACY POLICY**

**Last Updated: January 13, 2026**

**1. WHO WE ARE (DATA CONTROLLER)**

**Qrystal Partners** (" **Company**", " **we**", " **us**", or " **our**") operates the **Qrystal Uplink** platform (the " **Service**" or " **Platform**").

The data controller responsible for your personal data is:

**Entity:** Mikayel Grigoryan, Individual Entrepreneur  
**Trade Name:** Qrystal Partners  
**Registration:** Republic of Armenia (Reg. No. 273.1337949/2023-08-25)  
**Location:** Yerevan, Armenia  
**Email:** support[at]qrystaluplink.io

This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our Service.

**2. LEGAL BASES FOR PROCESSING (GDPR)**

We process personal data **only where permitted under applicable data protection laws**, including the EU General Data Protection Regulation (GDPR). Depending on the context, processing is based on:

- **Performance of a contract** (Art. 6(1)(b))  
- **Legal obligations** (Art. 6(1)(c))  
- **Legitimate interests** (Art. 6(1)(f))  
- **Consent**, where required (Art. 6(1)(a))

Consent is **not** used where another lawful basis applies.

**3. INFORMATION WE COLLECT**

**A. Account & Identity Information**  
**Legal basis:** Contract performance  
- Name  
- Email address  
- Authentication identifiers  
- Profile image (only if provided via third-party login)

Used to create and manage your account, authenticate access, and communicate with you.

**B. Device & Operational Data**  
**Legal basis:** Contract performance / legitimate interest  
The Service processes technical and operational data related to devices you choose to monitor, including:
- Device names, labels, and identifiers  
- Connection timestamps and heartbeat intervals  
- Device health status and diagnostic flags  
- Configuration settings (alerts, intervals)  
- Telemetry data (e.g., battery level, firmware version)  
- Optional payload data (e.g., sensor readings or location coordinates, if enabled)

Some device data **may constitute personal data** if it can be linked to an identifiable individual.

**C. Technical, Security & Log Data**  
**Legal basis:** Legitimate interest (security, abuse prevention)  
- IP address  
- Login timestamps  
- Browser and operating system metadata  
- Authentication cookies and session tokens

Used to protect accounts, detect abuse, and maintain platform security.

**D. Third-Party Authentication Data**  
**Legal basis:** Contract performance  
If you sign in using Google, GitHub, or similar providers, we store secure authentication tokens required to maintain login functionality. We do not receive your passwords.

**4. PAYMENT INFORMATION**  
We **do not store credit card or banking details**.  
All payments are processed by our authorized **Merchant of Record**, **Polar Inc. (polar.sh)**.  
We retain only:
- Subscription status  
- Plan type  
- Billing state (active, canceled, past due)

For details on payment data processing, refer to **Polar Inc.’s Privacy Policy**.

**5. HOW WE USE YOUR DATA**

We process personal data to:
- Provide and operate the Service  
- Detect device outages and send alerts  
- Authenticate users and secure accounts  
- Verify subscription status  
- Communicate service-related notices  
- Improve reliability, performance, and features  
- Prevent fraud, abuse, and security incidents  
- Comply with legal obligations

We do **not** use personal data for advertising or data resale.

**6. COOKIES & TRACKING TECHNOLOGIES**

**A. Essential Cookies (No Consent Required)**  
These cookies are strictly necessary to operate the Service, including:
- Login authentication  
- Session security  
- Platform navigation

Without these cookies, the Service cannot function.

**B. Analytics Cookies (Consent Required - EU/EEA)**  
We use analytics tools such as **Google Analytics** to understand how users interact with the Platform.

These tools may collect:
- Page views  
- Click interactions  
- Performance metrics  
- Error reports

**Analytics cookies are only activated after you provide explicit consent** via our cookie banner, where required by law.

You may withdraw consent at any time through cookie settings.

**7. DATA SHARING & DISCLOSURE**

We do **not** sell or rent personal data.  
We may share data only with:
- **Service providers** (e.g., payment processing, email delivery, hosting)  
- **Analytics providers** (only with consent where required)  
- **Public authorities**, where legally required

All service providers process data under contractual confidentiality and data protection obligations.

**8. INTERNATIONAL DATA TRANSFERS**

Some service providers may process data outside your country of residence, including outside the EU/EEA.

Where required, we rely on:
- **Standard Contractual Clauses (SCCs)** approved by the European Commission  
- Equivalent legal safeguards

You may request additional information regarding transfer safeguards.

**9. DATA RETENTION**

**A. General Retention**  
We retain personal data only as long as necessary to provide the Service or fulfill legal obligations.

**B. Account Deletion**  
Upon account deletion, we remove personal data **without undue delay**, except where retention is legally required.

**C. Mandatory Retention**  
We may retain limited data for:
- **Tax and accounting compliance** (typically 5 years)  
- **Security and fraud prevention**  
- **Legal claims and dispute resolution**  
- **Audit logs evidencing consent and acceptance**

**D. Backups**  
Deleted data may persist in encrypted backups for up to **30 days** before automatic deletion. Backup data is isolated and not actively processed.

**10. DATA SECURITY**

We apply appropriate technical and organizational measures, including:
- Encrypted data transmission (HTTPS/TLS)  
- Secure credential handling and hashing  
- Restricted internal access controls  
- Continuous monitoring for security incidents

No system is completely secure, but we take reasonable steps to protect your data.

**11. YOUR RIGHTS (GDPR)**

If you are located in the EU/EEA or UK, you have the right to:
- Access your personal data  
- Rectify inaccurate data  
- Request erasure (“right to be forgotten”)  
- Restrict processing  
- Data portability  
- Object to processing based on legitimate interests  
- Withdraw consent (where applicable)  
- Lodge a complaint with a supervisory authority

To exercise your rights, contact us at **support[at]qrystaluplink.io**.

**12. CHILDREN’S PRIVACY**

The Service is **not intended for children under 16 years of age**, or under the minimum age required by applicable law. We do not knowingly collect personal data from children. If such data is discovered, it will be deleted promptly.

**13. CHANGES TO THIS POLICY**

We may update this Privacy Policy from time to time. Material changes will be communicated through the Platform or by email, where required by law. Continued use of the Service constitutes acceptance of the updated policy.

**14. CONTACT INFORMATION**  
For privacy or data protection inquiries:

**Qrystal Partners** **Data Controller:** Mikayel Grigoryan, Individual Entrepreneur  
**Email:** support[at]qrystaluplink.io  
**Location:** Yerevan, Armenia