Legal

Privacy Policy

Last Updated: March 1, 2026

Kyber Systems LLC ("KyberAccess," "we," "us," or "our") operates the KyberAccess visitor management platform, including the web application at app.kyberaccess.com, the KyberAccess Kiosk iPad application, mobile applications, and the marketing website at kyberaccess.com (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name, email address, phone number
  • Organization name and address
  • Billing information (processed securely via Stripe)
  • Role and permissions within your organization

1.2 Visitor Information

When visitors check in through the Service, we may collect:

  • Full name, email address, phone number
  • Photograph (selfie) captured during check-in for visual identification
  • Government-issued ID information (driver's license number, ID type, expiration date) obtained through ID scanning
  • Company or organization affiliation
  • Purpose of visit, host name, and destination
  • Vehicle information (if applicable)
  • Signature on agreements, NDAs, or health screenings
  • Check-in and check-out timestamps
  • Badge information and QR code identifiers

1.2.1 Face Data & Visitor Photographs

During the check-in process, the Service may capture a front-facing selfie photograph of visitors using the device camera. This section explains how face data is collected, used, stored, and retained.

  • What we collect — A single selfie photograph of the visitor. We do not generate, store, or process facial geometry, biometric templates, faceprints, facial feature vectors, or any derived biometric identifiers. Only the raw photograph is captured.
  • How we use it — The photograph is used for (1) visual identification — displaying the visitor's photo alongside their name in host notifications, visitor logs, and badges so staff can visually confirm the visitor's identity, and (2) optional returning visitor recognition — if enabled by the organization, previously stored photos may be compared to streamline repeat check-ins.
  • Third-party sharing — Visitor photographs and face data are not shared with any third parties. Photos are accessible only to the subscribing organization's authorized administrators and designated hosts.
  • Storage & security — Photos are stored securely within the subscribing organization's account on Google Cloud Platform (Firebase Cloud Storage), encrypted at rest using AES-256 and in transit using TLS 1.2+. Access is governed by role-based access controls.
  • Retention & deletion — Visitor photographs are retained according to the organization's configured data retention policy. Organizations can set custom retention periods (e.g., 30, 60, 90 days) or delete visitor records — including associated photographs — at any time from the KyberAccess dashboard. When a visitor record is deleted, the associated photograph is permanently removed from storage. If no custom retention policy is configured, photos are retained for the duration of the organization's active subscription and deleted upon account termination. Visitors may also request deletion of their photograph by contacting the organization directly or by emailing privacy@kyberaccess.com.
  • No advertising or analytics use — Face data and visitor photographs are never used for advertising, marketing, user profiling, analytics, or any purpose beyond visitor identification within the subscribing organization's account.

1.3 Background Check Information

If your organization enables background screening, visitor names and identifying information may be checked against publicly available sex offender registries and custom watchlists maintained by your organization. Results are stored as part of the visitor record.

1.4 Automatically Collected Information

  • Device type, operating system, browser type
  • IP address and approximate geolocation
  • Usage data (pages visited, features used, session duration)
  • Crash reports and performance data

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Process visitor check-ins, generate badges, and send notifications
  • Display visitor photographs for visual identification and optional returning visitor recognition (see Section 1.2.1)
  • Conduct background checks and watchlist screenings when enabled
  • Process payments and manage billing
  • Send transactional emails (visitor arrivals, account updates)
  • Improve, personalize, and expand the Service
  • Respond to support requests and communicate with you
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

3. Data Storage & Security

All data is stored on Google Cloud Platform (GCP) infrastructure using Firebase services. We implement industry-standard security measures including:

  • Encryption in transit — All data transmitted between your devices and our servers is encrypted using TLS 1.3
  • Encryption at rest — All stored data is encrypted using AES-256 encryption
  • Access controls — Role-based access controls limit data access to authorized personnel
  • Regular audits — We perform regular security audits and vulnerability assessments
  • SOC 2 readiness — Our infrastructure and processes are designed to meet SOC 2 Type II requirements

Visitor photographs and scanned ID images are stored in encrypted cloud storage. ID images are processed for data extraction and may be automatically deleted after a configurable retention period set by your organization's administrator.

4. Data Retention

We retain visitor data for as long as your organization's account is active, unless a shorter retention period is configured by your administrator. Organizations can configure automatic data purging (e.g., delete visitor records after 30, 90, or 365 days). Account data is retained for 30 days after account deletion, after which it is permanently removed.

Visitor photographs and ID scans may be subject to shorter retention periods as configured by your organization. For specific details on face data retention and deletion, see Section 1.2.1 above.

5. Third-Party Services

We use the following third-party services to operate the platform:

  • Google Firebase — Authentication, database (Firestore), cloud storage, hosting, and cloud functions
  • Google Cloud Platform — Infrastructure, computing, and data processing
  • Stripe — Payment processing. We do not store credit card numbers on our servers. Payment information is handled entirely by Stripe in accordance with PCI DSS standards.
  • Email delivery services — For transactional email notifications

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We only share data with third parties as described in this policy or with your explicit consent.

6. COPPA Compliance (Children's Privacy)

The KyberAccess Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. In school environments, the Service is used by authorized school staff and adult visitors — not by students.

If student information is processed as part of student pickup or tardy management features, it is done so under the direction and authority of the educational institution, which acts as the data controller. We process such data solely as a data processor on behalf of the school.

If you believe we have inadvertently collected personal information from a child under 13, please contact us immediately so we can delete it.

7. FERPA Compliance

For educational institutions, KyberAccess operates as a "school official" under FERPA (Family Educational Rights and Privacy Act). We access student education records only as necessary to provide the Service under the direction of the educational institution. We do not use student data for any purpose other than providing the contracted Service. We do not disclose student information to third parties except as directed by the school or as required by law.

Educational institutions maintain full control over student data and may request deletion at any time.

8. HIPAA Compliance

For healthcare organizations and covered entities, KyberAccess is prepared to enter into a Business Associate Agreement (BAA) to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). Under a BAA, we will:

  • Use and disclose protected health information (PHI) only as permitted by the BAA and HIPAA regulations
  • Implement appropriate safeguards to protect PHI
  • Report any security incidents or breaches as required
  • Ensure any subcontractors who access PHI agree to the same obligations

To request a BAA, please contact us at info@kyberaccess.com.

9. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal basis for processing — We process personal data based on contractual necessity (to provide the Service), legitimate interests (to improve and secure the Service), and consent (where required)
  • Data transfers — Data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and other approved transfer mechanisms
  • Data Protection Officer — You may contact our data protection team at info@kyberaccess.com

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — Request a copy of the personal data we hold about you
  • Correction — Request correction of inaccurate or incomplete data
  • Deletion — Request deletion of your personal data
  • Portability — Request a machine-readable copy of your data
  • Restriction — Request that we limit processing of your data
  • Objection — Object to processing based on legitimate interests
  • Withdraw consent — Where processing is based on consent, you may withdraw it at any time

Organization administrators can export visitor data, delete records, and manage retention policies directly from the KyberAccess dashboard. For individual requests, please contact us using the information below.

11. Cookies & Tracking

Our website uses essential cookies for authentication and session management. We may use analytics cookies to understand how visitors use our website. You can control cookie preferences through your browser settings.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last Updated" date. For significant changes, we may also send an email notification to account holders.

13. Contact Us

If you have questions or concerns about this Privacy Policy, your data, or your rights, please contact us:

Kyber Systems LLC

Email: info@kyberaccess.com

Phone: (646) 462-4132

Website: kyberaccess.com