Privacy Policy

Last updated: February 21, 2026

1. What We Collect

  • Email address — for authentication and account communication
  • Encrypted vault data — ciphertext only; we cannot read your secrets
  • Usage metadata — timestamps, project names, variable key names (not values)
  • Payment information — processed by Stripe; we never store card numbers or billing details directly
  • IP addresses — for security and audit logging purposes

2. What We Cannot See

Due to our zero-knowledge architecture, the following data never reaches our servers in readable form:

  • Your decrypted secret values
  • Your vault passphrase
  • Your project passwords

Encryption and decryption happen entirely on your device using the Web Crypto API. We only ever store AES-256-GCM encrypted ciphertext.

3. How We Use Your Data

  • Authenticating you and maintaining your session
  • Storing and serving your encrypted vault data
  • Providing audit logs of vault access and changes
  • Processing subscription billing via Stripe
  • Sending transactional emails (magic link auth, billing receipts)

4. Third-Party Services

  • Supabase — database hosting and authentication (EU/US data centers)
  • Stripe — payment processing (PCI-DSS compliant)
  • Vercel — web application hosting

Each of these providers has its own privacy policy. We do not share your data with any advertising networks, analytics providers, or data brokers.

5. Cookies

We use authentication cookies only — these are strictly necessary to keep you signed in. We do not use tracking cookies, advertising cookies, or third-party analytics. No cookie consent banner is required.

6. Data Retention

Your data is stored for as long as your account exists. When you delete your account, all associated data — projects, vault entries, share links, and profile information — is permanently and irreversibly deleted. We do not retain backups of deleted accounts.

7. Data Portability

You can export all your data at any time using keyra-cli pull from the CLI or by downloading your secrets from the dashboard. You are never locked in.

8. Security

  • AES-256-GCM encryption with PBKDF2 key derivation (100,000 iterations)
  • Zero-knowledge architecture — plaintext secrets never leave your device
  • Row-Level Security (RLS) policies on all database tables
  • Supabase service role key used only server-side; never exposed to clients
  • HTTPS enforced on all connections

9. We Do Not

  • Sell your data to any third party
  • Use tracking or advertising cookies
  • Share your data with advertisers
  • Read or access your encrypted secrets
  • Train AI models on your data

10. Contact

Questions about this policy? Reach us at privacy@keyra.dev.

11. Changes

We may update this Privacy Policy from time to time. We will notify you of significant changes via email. Continued use of Keyra after changes take effect constitutes acceptance of the updated policy.