Privacy Policy

How we collect, use, and protect your data

Last updated: December 2025

Your secrets are encrypted with AES-256-GCM
We cannot read your secret values
We never sell your data
You can delete your data anytime
Analytics can be disabled
GDPR compliant

1. Data Controller

Keyway is the data controller for your personal data. For any questions regarding your personal data, contact us at hello@keyway.sh.

2. Information We Collect

Account Information

When you sign up using GitHub OAuth, we collect your GitHub username, user ID, email address (if public), and profile picture URL.

Secrets and Data

When you store secrets, we store encrypted versions of your environment variables. We cannot read the plaintext values as they are encrypted using AES-256-GCM before storage. We store metadata including secret key names, environment names, timestamps, and repository associations.

Usage Data

We collect anonymized usage data including CLI commands (without secret values), feature usage patterns, error logs, and performance metrics.

3. How We Use Your Information

We use your information to provide the Keyway service, authenticate you, process your secrets securely, send important updates, improve our service, detect fraud, and comply with legal obligations.

4. How We Protect Your Data

At Rest

AES-256-GCM encryption

In Transit

TLS 1.3 encryption

Key Management

Isolated crypto service

5. Data Sharing & Subprocessors

We do not sell your data. We share data only with the following service providers (subprocessors) and when required by law:

  • Railway: Infrastructure hosting (EU)
  • GitHub: Authentication & repository access
  • Stripe: Payment processing
  • PostHog: Product analytics (can be disabled)
  • Vercel: Secrets sync (only when you enable it)

6. Data Retention

  • Active accounts: Data retained while active
  • Deleted secrets: Permanently deleted within 30 days
  • Deleted accounts: All data deleted within 30 days
  • Logs: Retained for 90 days

7. Your Rights

You have the right to access, correct, delete, and export your data. You can also opt out of analytics by setting:

KEYWAY_DISABLE_TELEMETRY=1

8. Cookies

We use essential cookies only for authentication (session tokens). We do not use advertising or tracking cookies. PostHog analytics uses local storage, not cookies, and can be disabled with KEYWAY_DISABLE_TELEMETRY=1.

9. Legal Basis (GDPR)

Processing Basis

For users in the EEA, we process data based on: Contract (to provide the service), Legitimate interest (to improve and secure the service), Consent (for optional analytics), and Legal obligation (when required by law).

Your GDPR Rights

You have the right to access, rectify, and erase your data, to restrict processing, to data portability, and to object to processing. You may also lodge a complaint with a supervisory authority. For France, contact the CNIL (Commission Nationale de l'Informatique et des Libertés) at cnil.fr.

International Transfers

Some of our subprocessors are located in the United States. We ensure appropriate safeguards through Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable.

10. California Privacy Rights (CCPA)

Your California Rights

If you are a California resident, you have the right to: know what personal data we collect, request deletion of your data, opt out of the sale of your data (we do not sell data), and not be discriminated against for exercising your rights.

How to Exercise Your Rights

To exercise any of these rights, contact us at hello@keyway.sh. We will respond within 45 days as required by the CCPA.

11. Children's Privacy

Keyway is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately at hello@keyway.sh.

12. Contact Us

For privacy questions, contact us at hello@keyway.sh.