Draft - under legal review
This document is published in draft form so users can read our intent. It has not yet been reviewed by counsel and is not yet binding on KeyVault Edge or its customers. A final version will replace this page and supersede any draft language.
Last updated: 2026-04-23
Privacy Policy
This policy explains what personal data we collect, why we collect it, and what we do with it. We do not sell your data. We collect as little as the service requires.
1. Who we are
KeyVault Edge (“KeyVault Edge,” “we,” “us”) operates the service at keyvaultedge.com and the associated edge proxy. The full list of company identifiers, registered jurisdiction, and contact addresses is published on the Trust Center.
For privacy questions, email privacy@keyvaultedge.com.
2. Data we collect
Account data. Email address, display name, password hash (via Supabase Auth), OAuth identifiers if you sign in with a third-party provider, and your chosen organisation name.
Billing data. Tokenised payment method and invoices held by Stripe. We receive the billing email, plan, and subscription status. We do not see or store card numbers.
Customer-managed secrets. Provider API keys you register are encrypted in your browser and uploaded to us only as ciphertext. We hold the ciphertext and a key fingerprint (a non-reversible hash). We do not hold the plaintext key.
Usage metadata. For every proxied request: timestamp, token ID, status code, byte counts, and latency. We log only the host portion of request URLs, no request or response bodies, and no headers other than a hash used for anomaly detection.
Breach events. When our anomaly detection triggers (expired token, origin mismatch, rate exceeded, invalid signature), we record the event and the minimum metadata needed for you to investigate.
Cookies. Strictly necessary cookies for authentication and session management. No third-party tracking or advertising cookies.
Support data. If you email us, we retain the message and our reply for the life of your account plus 12 months.
3. How we use it
We use personal data only to operate the service you asked for: authenticate you, authorise your requests, proxy API calls, enforce rate limits, detect breaches, send security-relevant notifications, bill you, and respond to your support messages.
We do not use your data to train machine-learning models. We do not sell data. We do not share usage data for advertising.
4. Legal basis (GDPR)
If you are in the EU, UK, or a jurisdiction that applies GDPR-style rules, our legal bases under GDPR Article 6 are:
- Contract performance (Art. 6(1)(b)) - providing the service you signed up for.
- Legitimate interests (Art. 6(1)(f)) - preventing abuse, detecting breaches, improving reliability. These interests are balanced against your rights and you can object at any time.
- Legal obligation (Art. 6(1)(c)) - keeping tax and accounting records for the period required by applicable law.
- Consent (Art. 6(1)(a)) - only for non-essential communications you explicitly opt in to, such as product newsletters.
6. Data retention
- Account data: kept while your account is active. Deleted within 30 days of account closure, except where law requires longer retention.
- Encrypted provider keys: deleted when you delete the key, at the latest within 24 hours. Backups are purged within 30 days.
- Usage metadata and breach events: retained for 90 days by default. Paid plans can pipe metadata to their own sink and opt out of our retention entirely.
- Billing records: retained for the period required by tax and accounting law (typically 7 years).
- Support messages: life of account plus 12 months.
7. Your rights
Regardless of where you live, you can ask us to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (subject to law-mandated retention periods).
- Export your data in a portable format.
- Object to processing based on legitimate interests, or restrict it.
- Withdraw consent where consent is the legal basis.
- Lodge a complaint with your supervisory authority (EU/UK) or bring a claim under CCPA/CPRA (California).
To exercise any of these, email privacy@keyvaultedge.com. We respond within 30 days.
8. International transfers
KeyVault Edge operates globally on edge infrastructure. Personal data may be processed in the United States, the European Union, and other regions where our sub-processors run. Where required, we rely on the EU Standard Contractual Clauses (2021/914) and UK International Data Transfer Addendum for transfers out of the EEA and UK.
9. Security
Customer keys are encrypted using envelope encryption with AES-256-GCM. Host-bound tokens are signed by an HSM-resident key. Our full threat model is published at /security, and any security-relevant incident is recorded on the incident log.
If you believe you have found a security issue, please follow our responsible disclosure policy.
10. Children
KeyVault Edge is a developer tool and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, contact us and we will delete the account.
11. Changes
We update this policy when our practices change or when the law changes. The date at the top of the page always reflects the current version. Material changes will be announced by email to the account owner and by a notice on the dashboard at least 14 days before they take effect.
12. Contact
Privacy questions, data subject requests, and DPA requests: privacy@keyvaultedge.com.
A Data Protection Officer and, where required, an EU representative will be listed here once appointed.