Your data, kept minimal.
Kyouz is built so that most of the time, the business you’re queuing at never sees your name or phone number. This page explains exactly what we collect, who sees it, and what control you have.
Data controller: PROXC LLC · Contact: [email protected]
Registered office: 19800 MacArthur Blvd., 3rd Floor, Irvine, CA 92612, USA
Who we are
Kyouz is operated by PROXC LLC, a California limited liability company with its registered office at 19800 MacArthur Blvd., 3rd Floor, Irvine, CA 92612, USA. Throughout this policy, “Kyouz”, “we”, “us”, and “our” refer to PROXC LLC.
Kyouz is a queue management and business-operations platform used by businesses across many industries. When you join a queue, make a reservation, or otherwise interact with a business that uses Kyouz, you are interacting with that business — Kyouz is the infrastructure they run on.
Today, Kyouz acts as the data controller for all personal data described in this policy — the data needed to operate your Kyouz account, deliver your tickets, and notify you. If we introduce a future capability where a business collects additional information from you directly through Kyouz (see §3.4), we may act as a data processor on that business’s behalf for that specific data. We will describe any such arrangement in an updated version of this policy before it takes effect.
The principle this policy is built on
Competing waitlist and queue products treat your name and phone number as business data. You give those details to the business at every visit; the business keeps them; the business often re-uses them for marketing.
Kyouz was designed to work differently. The default is:
- —Your identity lives in your Kyouz account, not in each business’s customer list.
- —Notifications reach you through Kyouz — push, Dynamic Island, Live Activity, or SMS to a number you gave to Kyouz and not to the business.
- —The business sees a ticket, a queue position, and — if you chose to share one — a display name. They do not see your phone number or personal contact details.
We call this the PII Minimisation Principle. It is the principle we design new features against, and §3 describes how future capabilities that involve financial transactions will interact with it.
What we collect, and when
3.1 When you create a Kyouz account
To create a KyouzClient account we collect:
- —Your mobile phone number (used to verify your account via SMS).
- —A display name you choose (first name, nickname, or an alias — your choice).
- —Optional profile details: email address, profile photo, language preference.
- —Device identifiers (a push-notification token specific to your device) so we can send you push notifications.
3.2 When you join a queue or make a reservation
When you join a queue at a Kyouz-powered business, we store:
- —The ticket itself — business, service type, time joined, queue position, status.
- —A link between the ticket and your Kyouz account, so your ticket appears in your app and we can notify you.
- —Any optional note, preference, or special request you chose to share with the business.
The business sees the ticket and — if you shared one — your display name. They do not see your phone number, email, or Kyouz account details.
3.3 When you use Kyouz without an account (link or SMS)
Some businesses let you join a queue without installing the app, via a web link or by texting a short code. In that case we collect:
- —The phone number you sent the SMS from, or the display name you entered on the link page.
- —The ticket itself (same as §3.2).
We do not create a Kyouz account for you automatically. Your phone number is used to send you status updates about that specific ticket and is retained per §6.
3.4 Future capabilities
Today, Kyouz operates entirely in the minimised-by-default mode described above. No additional personal information flows to the business beyond what is listed in §4.
We are building future capabilities that might include financial transactions. When those capabilities ship, they will necessarily require more information to flow between you, Kyouz, and the business — at minimum, payment details and identity information relevant to the transaction. We will update this policy and notify you before any such capability becomes available to you, and the additional information will only be collected when you actively use the capability.
3.5 Technical data
We collect a small amount of technical data automatically when you use our apps or website: IP address, device type, operating system version, app version, and crash or error reports. We use this to keep the service working and to diagnose problems; we do not use it for advertising or profiling.
What the business sees
For a standard queue or reservation, a Kyouz-powered business sees:
| Field | Visible to the business |
|---|---|
| Ticket ID / queue position / join time | Yes — required to run the queue. |
| Display name you chose | Yes — if you set one. Otherwise the ticket shows “Customer #XXXX”. |
| Service requested, preferences, special request notes | Yes — these are what you asked them to provide. |
| Phone number | No — not in any workflow currently available. |
| Email address | No — ever. Email is for your Kyouz account and notifications only. |
| Your Kyouz account ID, device IDs, IP address | No — these live with Kyouz. |
| Visit history across other businesses | No — each business only sees their own queue. |
How we use the data
We use your data only to run the service you asked for:
- —To run the queue. Store tickets, compute wait times, notify you when it’s your turn, keep a history of your visits in your own account.
- —To send you notifications. Push notifications, Dynamic Island, Live Activity on iOS, and SMS (as a fallback when you cannot receive push). Delivery relies on the sub-processor categories listed in §7.
- —To keep the service secure. Rate limiting, fraud detection, abuse prevention, account recovery, and logging. Logs are retained per §6.
- —To meet legal obligations. Tax, accounting, and — when legally compelled by a valid order — response to law enforcement requests.
We do not sell your data. We do not share your data with advertisers. We do not build profiles of you across businesses for marketing. These are not fine-print exceptions; they are not things Kyouz does.
How long we keep it
| Data | Retention |
|---|---|
| Active account profile (name, phone, email) | For as long as your account is active. Deleted on your request (§9, §10). |
| Individual ticket / reservation record | Retained until the ticket closes, plus 90 days for dispute and customer-service purposes. |
| Technical logs (IP, device, crash) | Thirty (30) days for operational logs; twelve (12) months for security-relevant logs. |
| Account deletion residue | Deleted from active systems within 30 days. Backup retention up to 90 further days. |
Where law requires us to retain specific data for longer (for example, tax records if we process any payment), we will retain only what is strictly required, for the minimum period required, and delete the rest on the schedule above.
Who else processes it
We use a limited number of trusted service providers (“sub-processors”) to operate Kyouz. Each is bound by a data-processing agreement and processes your data only on our instructions.
The categories of sub-processors we engage are:
| Category | What they do |
|---|---|
| Cloud application hosting | Runs the Kyouz backend services. |
| Managed database hosting | Stores accounts, tickets, and business data. |
| Network, DNS, and DDoS protection | Delivers the Kyouz websites and apps and protects them from attack. |
| Identity and authentication | Handles secure login for the business console. |
| Payment processing | Processes business subscription payments and (in the future) transaction capabilities. |
| SMS delivery and phone verification | Sends one-time verification codes and ticket status updates by SMS. |
| Mobile push notification delivery | Delivers push notifications to iOS and Android devices. |
| Operational analytics and error monitoring | Helps us detect crashes and operational problems. |
Each sub-processor is located in the United States or operates a global network with data-residency controls we have configured. We select providers that offer contractual commitments on security, confidentiality, and — where applicable — international data transfer safeguards.
A detailed list naming the specific sub-processor in each category, their processing region, and the relevant security certifications is available to current and prospective business customers under a mutual non-disclosure agreement. Request it from [email protected].
We will notify affected users before adding a new sub-processor category, or before a change to an existing arrangement, that could materially affect how your personal data is processed.
International transfers
Kyouz is operated from the United States and your data is primarily stored in the United States. If you are in the European Economic Area, the United Kingdom, or another region with data-transfer restrictions, your data will be transferred to the United States for processing.
For transfers from the EEA and the UK, we rely on the European Commission’s Standard Contractual Clauses (2021 module, as applicable) and, where required, the UK International Data Transfer Addendum. Copies of the clauses we rely on are available at [email protected].
Your rights under CCPA (California residents)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights:
- —Right to know. A copy of the specific pieces of personal information we hold about you, the categories of sources, the business purposes, and any third parties we shared it with.
- —Right to delete. Deletion of personal information we hold about you, subject to the retention obligations in §6.
- —Right to correct. Correction of inaccurate personal information.
- —Right to opt out of sale or sharing. Kyouz does not sell your personal information and does not share it for cross-context behavioural advertising. There is nothing to opt out of, but the right is yours regardless.
- —Right to limit use of sensitive personal information. We do not use sensitive personal information to infer characteristics about you.
- —Right to non-discrimination. We will not deny you service or charge you more for exercising any of these rights.
How to exercise these rights. Email [email protected] with the subject line “CCPA request”. We will verify your identity using the phone number or email on your Kyouz account, then respond within 45 days (extendable once by another 45 days with notice). You may authorise an agent to submit a request on your behalf; we will ask for proof of authorisation.
California Shine the Light. California residents may also request a list of the third parties to whom we have disclosed personal information for those third parties’ direct marketing purposes. We do not make such disclosures; the answer to any Shine the Light request is “none”.
Your rights under GDPR (EEA, UK, Switzerland residents)
If the General Data Protection Regulation or the UK GDPR applies to you, you have the following rights with respect to your personal data:
- —Right of access (Art. 15) — a copy of the personal data we hold about you.
- —Right to rectification (Art. 16) — correction of inaccurate or incomplete data.
- —Right to erasure (Art. 17) — deletion of your data, subject to legal retention obligations.
- —Right to restrict processing (Art. 18) — ask us to pause processing in specific cases.
- —Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- —Right to object (Art. 21) — object to processing based on our legitimate interests.
- —Right to withdraw consent (Art. 7(3)) — where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- —Right to lodge a complaint with a supervisory authority in your country of residence.
Lawful bases we rely on
| Processing | Lawful basis |
|---|---|
| Running your account and your tickets | Performance of a contract (Art. 6(1)(b)). |
| Payment processing for business subscriptions | Performance of a contract (Art. 6(1)(b)). |
| Sending you service notifications (push, SMS, Dynamic Island) | Performance of a contract (Art. 6(1)(b)). |
| Security, fraud prevention, logging | Legitimate interests (Art. 6(1)(f)) — operating a safe service. |
| Legal and tax obligations | Legal obligation (Art. 6(1)(c)). |
How to exercise these rights
Email [email protected] with the subject line “GDPR request”. We will verify your identity and respond within one month (extendable by two further months for complex requests, with notice). There is no fee for exercising your rights, except for manifestly unfounded or excessive requests.
Kyouz does not specifically target the European Economic Area or the United Kingdom as markets. Because our offering is not directed at EU or UK residents, we have not appointed a representative under Article 27 GDPR or Article 27 UK GDPR. If you are an EU or UK resident whose data we process, you can still exercise the rights above by contacting [email protected]; we will respond on the same timelines described here.
Children
Kyouz is not directed at children under 13 (United States) or under 16 (most of the EEA), and we do not knowingly collect data from children in those age groups. If you believe a child has created a Kyouz account, please contact [email protected] and we will delete the account.
Security
We protect your data with encryption in transit (TLS 1.2+) and at rest, access controls and audit logging on the backend, vendor-security review of each sub-processor, and incident-response procedures if something does go wrong. No system is perfectly secure, but we are serious about this and treat a security issue as the highest category of engineering priority.
If you discover a vulnerability in Kyouz, please report it to [email protected]. We welcome responsible disclosure.
Changes to this policy
We will update this page when our practices change. The “Last updated” date at the top always reflects the current version. For material changes — expanded collection, new sub-processor categories, or changed retention — we will notify you by email (if you have an account) or via an in-app notice before the change takes effect.
How to contact us
For any question about this policy, a request under CCPA or GDPR, or any other privacy concern:
- —Email: [email protected]
- —Mail: PROXC LLC, 19800 MacArthur Blvd., 3rd Floor, Irvine, CA 92612, USA
We will acknowledge your message within 5 business days and respond substantively within the windows set by CCPA (§9) and GDPR (§10).