arrow_backBack
Privacy Policy
Last updated: 18 April 2026
K2K is privacy-first. We collect the minimum data necessary and use zero-knowledge proofs wherever possible.
What We Collect
- Email — to authenticate your account
- Wallet Address — a public Base address generated for you
- Transaction metadata — order amounts, timestamps, counterparty addresses
- Device data — IP, browser, OS for security and fraud prevention
What We Don't Collect
- Government ID numbers (verified via zk-proofs; the issuer signs, we never see the number)
- UPI / bank account numbers (these move peer-to-peer between you and the merchant)
- Biometric data
Zero-Knowledge KYC
When you verify identity, we use Reclaim Protocol zk-TLS. Your government ID is hashed on your device and proven against the issuer in zero-knowledge. K2K never sees the underlying data.
How We Use Data
- Provide and improve the Service
- Prevent fraud and comply with AML obligations
- Send transactional notifications (you can disable)
Data Sharing
We share data only: with law enforcement under valid legal process, with your explicit consent, or with service providers (analytics, error monitoring) under strict DPAs.
Your Rights (GDPR / DPDP)
- Access, export, and delete your data
- Withdraw consent
- Object to processing
- Lodge a complaint with your data authority
Requests: privacy@k2k.cardfi.online
Retention
Transaction records are retained for 5 years to meet AML requirements, then deleted.
Children
K2K is not for anyone under 18.