Privacy Policy

Last updated: 15 May 2026

KeyStack ("we", "us") helps software teams generate and manage license keys for the products they sell. This Privacy Policy explains what data we collect, why we collect it, and the choices you have.

We deliberately collect the minimum information required to operate the service. We don't sell data and we don't share it with third parties for marketing purposes.

What we collect

Account data

When you sign up we collect your name, work email address, and an Argon2id hash of your password. If you enable two-factor authentication we also store a TOTP secret encrypted at rest with AES-256-GCM.

Organization data

Each KeyStack workspace (organization) stores the configuration you provide: organization name, slug, billing email, applications, license plans, customers and license keys.

License keys & metadata

We store the license keys you generate together with any metadata you attach to them (customer ID, expiration, and any activation device info you choose to send).

Usage data

We collect anonymous usage telemetry (request volumes, error rates, p99 latency), which is used to operate the platform. We do not record validation payloads or PII.

Billing data

Payment processing is handled by Stripe. We store an opaque stripeCustomerId and the line items associated with your subscription. We never see your card number.

How we use it

  • To run the service: authenticate you, enforce quotas, serve your dashboard and API.
  • To improve the service: operational telemetry, error tracking, performance monitoring.
  • To bill you: only the data Stripe needs to charge your card.
  • To contact you: transactional emails (security alerts, billing receipts, important product changes).

How we protect it

  • All connections use TLS 1.3.
  • Passwords are hashed with Argon2id.
  • Sensitive secrets (API key plaintexts, TOTP secrets) are encrypted at rest with AES-256-GCM.
  • Tenant isolation is enforced at the database layer via a Prisma extension that auto-injects organizationId on every query.
  • Every mutating action is recorded in an immutable audit log.

Data residency

Production data is hosted in the EU (Frankfurt) by default, with read replicas as needed. Self-hosting and US residency options are on the roadmap.

Sub-processors

We use the following sub-processors. We review each one annually:

Sub-processor  Purpose                                    Region
Neon           Managed PostgreSQL hosting                 EU
Upstash        Managed Redis for caching and rate limits  EU
Vercel         Marketing site + dashboard hosting         Global edge
Fly.io         API hosting                                EU + US regions
Stripe         Subscription billing                       Global
Resend         Transactional email                        EU

Your rights

You may at any time:

  • Export your data via the dashboard (Settings → Data export).
  • Delete your account and all associated data (Settings → Danger zone).
  • Request a copy of your data or its deletion by emailing privacy@keystack.dev.

We will respond within 14 days.

Contact

Questions? Email privacy@keystack.dev.