Legal

Privacy Policy

Last updated: March 2026

This Privacy Policy explains how KeyTrace, Inc. ("KeyTrace," "we," "us") collects, uses, and protects information in connection with the KeyTrace token and identity service and the www.keytrace.net website (together, the "Service"). By joining our closed beta waitlist or using the Service, you agree to this Policy.

1. Information we collect

We collect the following categories of information:

2. Our role as a processor

For token and identity data processed on your behalf, KeyTrace acts as a data processor and you are the controller. We process such data only to provide the Service, in accordance with your instructions and our Data Processing Addendum. For waitlist, account, and website data, KeyTrace is the controller.

3. How we use information

4. Token & credential data handling

Signing keys are generated per realm and isolated from other realms. Access-token contents (claims) are processed transiently to sign and validate tokens; we retain token metadata (identifiers, timestamps, scopes, revocation receipts) in the realm's audit stream for the retention window you configure, defaulting to 90 days. client_secret values are stored using one-way hashing and are never returned after creation.

5. Sub-processors

We use a limited set of infrastructure sub-processors (cloud hosting, edge delivery, email, and error monitoring) under contractual confidentiality and security obligations. A current list is available on request to privacy@keytrace.net.

6. Security

We encrypt data in transit (TLS 1.2+) and at rest. Realm signing keys are isolated and access-controlled. We enforce least-privilege access, audit administrative actions, and are pursuing SOC 2 Type II (in progress). No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

7. Data retention

We retain waitlist data until you ask us to delete it or for up to 24 months of inactivity. Account data is retained for the life of your account and a reasonable period afterward for legal and accounting purposes. Token metadata follows your configured retention window (default 90 days).

8. Cookies

The website uses strictly-necessary cookies and privacy-preserving analytics. We do not use third-party advertising cookies. You can control cookies through your browser settings.

9. Your rights

Depending on your location, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing, under the GDPR, UK GDPR, CCPA/CPRA, and similar laws. To exercise these rights, contact privacy@keytrace.net. We will respond within the timeframes required by applicable law.

10. International transfers

We may process and store information in countries other than your own. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms to protect your information.

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be posted here with an updated "Last updated" date and, where appropriate, communicated by email.

12. Contact

Questions about this Policy or our data practices? Email privacy@keytrace.net.