Privacy Policy
Last updated: March 2026
This Privacy Policy explains how KeyTrace, Inc. ("KeyTrace," "we," "us") collects, uses, and protects information in connection with the KeyTrace token and identity service and the www.keytrace.net website (together, the "Service"). By joining our closed beta waitlist or using the Service, you agree to this Policy.
1. Information we collect
We collect the following categories of information:
- Beta waitlist data. When you request access, we collect your work email, company name, expected token volume, and current auth stack. We use this to evaluate fit and to contact you when your batch is admitted.
- Account data. If your realm is provisioned, we collect account and billing contact details and authentication credentials for the management dashboard.
- Token & API metadata. In the course of issuing and validating tokens on your behalf, we process metadata such as client identifiers, realm identifiers, token identifiers, scopes, issuance/expiry timestamps, and revocation events. We do not require or store your end users' passwords.
- Operational logs. We log request metadata, IP addresses, user agents, and a
request_idfor each API call for security, debugging, and abuse prevention. - Website analytics. Aggregate, privacy-preserving usage metrics for
www.keytrace.net.
2. Our role as a processor
For token and identity data processed on your behalf, KeyTrace acts as a data processor and you are the controller. We process such data only to provide the Service, in accordance with your instructions and our Data Processing Addendum. For waitlist, account, and website data, KeyTrace is the controller.
3. How we use information
- To evaluate beta applications and admit teams in batches;
- To provide, maintain, secure, and improve the Service;
- To issue, validate, rotate, and revoke tokens as directed by your configuration;
- To detect, investigate, and prevent fraud, abuse, and security incidents;
- To communicate with you about the Service, incidents, and beta status;
- To comply with legal obligations.
4. Token & credential data handling
Signing keys are generated per realm and isolated from other realms. Access-token contents (claims) are processed transiently to sign and validate tokens; we retain token metadata (identifiers, timestamps, scopes, revocation receipts) in the realm's audit stream for the retention window you configure, defaulting to 90 days. client_secret values are stored using one-way hashing and are never returned after creation.
5. Sub-processors
We use a limited set of infrastructure sub-processors (cloud hosting, edge delivery, email, and error monitoring) under contractual confidentiality and security obligations. A current list is available on request to privacy@keytrace.net.
6. Security
We encrypt data in transit (TLS 1.2+) and at rest. Realm signing keys are isolated and access-controlled. We enforce least-privilege access, audit administrative actions, and are pursuing SOC 2 Type II (in progress). No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
7. Data retention
We retain waitlist data until you ask us to delete it or for up to 24 months of inactivity. Account data is retained for the life of your account and a reasonable period afterward for legal and accounting purposes. Token metadata follows your configured retention window (default 90 days).
8. Cookies
The website uses strictly-necessary cookies and privacy-preserving analytics. We do not use third-party advertising cookies. You can control cookies through your browser settings.
9. Your rights
Depending on your location, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing, under the GDPR, UK GDPR, CCPA/CPRA, and similar laws. To exercise these rights, contact privacy@keytrace.net. We will respond within the timeframes required by applicable law.
10. International transfers
We may process and store information in countries other than your own. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms to protect your information.
11. Changes to this Policy
We may update this Policy from time to time. Material changes will be posted here with an updated "Last updated" date and, where appropriate, communicated by email.
12. Contact
Questions about this Policy or our data practices? Email privacy@keytrace.net.