Legal

How Krapheno Processes Data

A plain-language explanation for agency operators and their clients.

What the SmritiTree Records

Every governed decision is recorded as an append-only ledger entry containing:

  • The decision type (budget change, audience expansion, creative swap, etc.)
  • Campaign parameters at the time of the decision
  • The policy verdict: ALLOW, ESCALATE, or BLOCK
  • MIC constraint evaluation results: which constraints fired and why
  • A SHA-256 hash linking this record to the previous record in the chain
  • A timestamp
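
How a SHA-256 link between records makes edits and deletions detectable, as an added example that is not Krapheno's code or ledger format. The field names, the canonical-JSON serialization, the all-zero genesis value and the sample entries are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first entry


def entry_hash(body: dict, prev_hash: str) -> str:
    """SHA-256 over a canonical JSON encoding of the body plus the previous hash."""
    payload = json.dumps({"body": body, "prev_hash": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(ledger: list, body: dict) -> dict:
    """Append a record that commits to the hash of the record before it."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"body": body, "prev_hash": prev, "hash": entry_hash(body, prev)}
    ledger.append(entry)
    return entry


def verify(ledger: list) -> int:
    """Return -1 if every link holds, else the index of the first broken entry."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev_hash"] != prev:
            return i  # record before this one was removed, reordered or altered
        if entry["hash"] != entry_hash(entry["body"], prev):
            return i  # this record's contents no longer match its stored hash
        prev = entry["hash"]
    return -1


def sample_ledger() -> list:
    """Three constructed entries using hypothetical field names."""
    ledger = []
    append(ledger, {"decision_type": "budget_change", "verdict": "ALLOW",
                    "campaign_params": {"daily_budget": 500},
                    "constraints_fired": [], "timestamp": "2024-01-01T10:00:00Z"})
    append(ledger, {"decision_type": "audience_expansion", "verdict": "BLOCK",
                    "campaign_params": {"daily_budget": 500},
                    "constraints_fired": ["max_audience"],
                    "timestamp": "2024-01-01T11:00:00Z"})
    append(ledger, {"decision_type": "creative_swap", "verdict": "ESCALATE",
                    "campaign_params": {"daily_budget": 500},
                    "constraints_fired": ["brand_review"],
                    "timestamp": "2024-01-01T12:00:00Z"})
    return ledger
```

A chain like this only proves internal consistency: someone able to rewrite every record from the edit point onward can recompute all the hashes, so the latest hash has to be compared against a copy held outside the ledger.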

What the SmritiTree Does Not Record

  • Personal data of end consumers
  • Individual user identities
  • Browsing behaviour
  • Any data that would identify a natural person

The Architectural Guarantee

This is not a policy promise. Personal data exclusion is enforced at the database trigger level.

The ledger schema contains no columns for personal identifiers. This constraint cannot be bypassed by the API layer.

All data is scoped to organization_id — enforced via Row-Level Security across 20 tables (migration 035). No row in any ledger table references a natural person.

For Legal Teams

Full documentation is available:

  • GDPR Position Statement: /docs/legal/gdpr-position
  • Record of Processing Activities (RoPA): /docs/legal/ropa
  • Data Residency Statement: /docs/legal/data-residency
  • Retention Policy: /docs/legal/retention-policy
  • Pre-DPIA Risk Assessment: /docs/legal/dpia-lite

DPA or SCC queries: karthikkattemane7@gmail.com