Capture & Monitoring Policy

Last updated: July 10, 2026

SkyKoi is designed for transparent, purpose-limited automation. It must not be deployed as covert surveillance.

STEP 1

Purpose

State the specific personal or work outcome. “Monitor everything” is not a sufficient purpose.

STEP 2

Sources

Select files, processes, browser, messages, audio, or input independently. Unselected sources remain unavailable.

STEP 3

People and devices

Identify whose data and which devices are in scope, including whether a device is personal or organization-managed.

STEP 4

Visibility

Choose the individual users or roles that may view metadata, content, previews, or audit records.

STEP 5

Storage

Choose local-only or hosted synchronization, persistence, encryption mode, and a retention period.

STEP 6

Review

Show a plain-language summary before activation and record who approved it, when, and under which policy version.

Required safeguards

  • Capture remains off until the approval summary is accepted; onboarding can be skipped.
  • A visible status and private-mode control must remain available while capture is active.
  • Secure password fields, authentication tokens, secret keys, health data, biometrics, government identifiers, and legally privileged material require exclusion or a separately reviewed workflow.
  • Raw keylogging and “capture everything” presets are prohibited. Prefer semantic events, diffs, hashes, and minimum necessary metadata.
  • Administrators must periodically review grants, delete stale data, and immediately revoke access when a role or employment relationship changes.

Workplace use

Before monitoring workers, the organization must obtain jurisdiction-specific legal advice, document necessity and proportionality, consult worker representatives where required, provide notice before collection, and offer a channel to ask questions or challenge an access decision. Consent may not be a valid legal basis where an employment power imbalance prevents a freely given choice.

Support access

Support access is time-bounded, purpose-specific, attributable, and revocable. A support person does not receive standing access to customer content. Emergency access must be logged and reviewed. Customer administrators can share selected records without sharing an entire device or graph.

Revocation and deletion

Revoking a source stops future capture and invalidates its active access path. Revoking a viewer removes future visibility. Deletion creates a durable tombstone so an offline device cannot silently recreate deleted data on reconnect. Backup and legal-hold exceptions must be disclosed in the applicable retention terms.

Administrator acknowledgement

Product controls do not by themselves make monitoring lawful. The deploying organization is responsible for its instructions, notices, legal basis, labor obligations, recipient list, retention schedule, and response to individual rights.

See also the Privacy Policy, Security page, and Terms of Service.