BETAWe're in beta! If you spot a bug, let us know.

Privacy Policy

How we collect, use, and protect your data

Last updated: December 2025

Your secrets are encrypted with AES-256-GCM
We cannot read your secret values
We never sell your data
You can delete your data anytime
Analytics can be disabled
GDPR compliant

1. Information We Collect

Account Information

When you sign up using GitHub OAuth, we collect your GitHub username, user ID, email address (if public), and profile picture URL.

Secrets and Data

When you store secrets, we store encrypted versions of your environment variables. We cannot read the plaintext values as they are encrypted using AES-256-GCM before storage. We store metadata including secret key names, environment names, timestamps, and repository associations.

Usage Data

We collect anonymized usage data including CLI commands (without secret values), feature usage patterns, error logs, and performance metrics.

2. How We Use Your Information

We use your information to provide the Keyway service, authenticate you, process your secrets securely, send important updates, improve our service, detect fraud, and comply with legal obligations.

3. How We Protect Your Data

At Rest

AES-256-GCM encryption

In Transit

TLS 1.3 encryption

Key Management

Isolated crypto service

4. Data Sharing & Subprocessors

We do not sell your data. We share data only with the following service providers (subprocessors) and when required by law:

  • RailwayInfrastructure hosting (USA)
  • GitHubAuthentication & repository access
  • StripePayment processing
  • PostHogProduct analytics (can be disabled)
  • VercelSecrets sync (only when you enable it)

5. Data Retention

  • Active accounts:Data retained while active
  • Deleted secrets:Permanently deleted within 30 days
  • Deleted accounts:All data deleted within 30 days
  • Logs:Retained for 90 days

6. Your Rights

You have the right to access, correct, delete, and export your data. You can also opt-out of analytics by setting:

KEYWAY_DISABLE_TELEMETRY=1

7. Cookies

We use essential cookies only for authentication (session tokens). We do not use advertising or tracking cookies. PostHog analytics uses local storage, not cookies, and can be disabled with KEYWAY_DISABLE_TELEMETRY=1.

8. Legal Basis (GDPR)

For users in the EEA, we process data based on contract (to provide the service), legitimate interest (to improve and secure), consent (for optional analytics), and legal obligation.

9. Contact Us

For privacy questions, contact us at hello@keyway.sh

Terms of ServiceEULASecurity