Privacy Policy

The data controller is Keyrua (operated as an individual enterprise). For any privacy-related inquiries, contact us at info@keyrua.dev.

We collect the following categories of personal data:

• Account data — name, email address, and profile information provided during sign-up via Clerk
• Organization data — organization name and membership information
• Usage data — pages visited, features used, and interactions within the application
• Billing data — payment method details processed and stored by Stripe (we do not store card numbers)
• Technical data — IP address, browser type, and device information collected automatically
• Customer Data — environment variable keys, values (encrypted), and project configurations you store in Keyrua

We process personal data under the following legal bases (GDPR Article 6):

• Contract performance — processing necessary to provide the service you signed up for
• Legitimate interests — security monitoring, fraud prevention, and service improvement
• Legal obligation — retention of billing records as required by French tax law
• Consent — analytics tracking (Google Analytics 4), which you can opt out of at any time

• To provide, maintain, and improve the Keyrua service
• To authenticate your identity and manage your account
• To process payments and manage subscriptions
• To send transactional emails (account events, billing)
• To analyze usage patterns and improve user experience (aggregated, anonymized)
• To detect and prevent fraud and security incidents
• To comply with legal obligations

We share data with the following sub-processors, each bound by GDPR or equivalent data protection agreements:

• Clerk — authentication and user management (US, SCCs in place)
• Stripe — payment processing and billing (US/EU, SCCs in place)
• Google Cloud Platform — database hosting and KMS encryption (EU region)
• Google Analytics 4 — usage analytics with IP anonymization enabled (US, SCCs in place)

We do not sell your personal data to any third party.

We retain your data for the following periods:

• Account and Customer Data — for the duration of your account, plus 30 days after deletion
• Billing records — 10 years as required by French accounting law (Article L123-22 of the Commercial Code)
• Access logs — 12 months
• Analytics data — 14 months (Google Analytics default)

Under GDPR, you have the following rights regarding your personal data:

• Right of access — request a copy of your data
• Right to rectification — correct inaccurate data
• Right to erasure — request deletion of your data
• Right to data portability — receive your data in a machine-readable format
• Right to restrict processing — limit how we use your data
• Right to object — object to processing based on legitimate interests

To exercise any of these rights, contact us at info@keyrua.dev. You also have the right to lodge a complaint with the CNIL (www.cnil.fr).

We use Google Analytics 4 with IP anonymization. GA4 sets cookies to measure usage patterns. You can opt out by using a browser extension such as the Google Analytics Opt-out Add-on.

Authentication session cookies are strictly necessary for the service to function and cannot be disabled.

All data is transmitted over HTTPS. Secret values are encrypted at rest using Google Cloud KMS with envelope encryption. Access to production systems is restricted to authorized personnel only.

In the event of a data breach affecting your personal data, we will notify you and the CNIL within the legally required timeframe (72 hours).

We may update this policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before they take effect.

For privacy-related questions or to exercise your rights, contact us at info@keyrua.dev.