1. Introduction
Keygent ("we," "us," or "our") operates as a data processor on behalf of our customers ("data controllers"). This Privacy Policy explains how we collect, use, store, and protect information when you use our Model Context Protocol (MCP) credential management service.
By using Keygent, you acknowledge that you have read and understood this Privacy Policy. If you are using Keygent on behalf of an organization, you represent that you have the authority to bind that organization to these terms.
2. Data We Collect
We collect the following categories of information to provide and improve our service:
| Data Category | Description | Purpose |
|---|---|---|
| Connection Credentials | API keys, tokens, and authentication credentials for connected services (encrypted) | Service operation |
| Usage Metrics | API call counts, timestamps, endpoint usage patterns | Analytics, rate limiting, billing |
| Audit Logs | Actions performed, actor identifiers, request metadata, IP addresses | Security monitoring, compliance |
| Account Information | Email address, name, client ID, organization details | Account management, support |
Connection Credentials
All connection credentials are encrypted using AES-256-GCM encryption before storage. We never store credentials in plaintext, and decryption only occurs at runtime when credentials are needed to fulfill an authorized request.
Audit Logs
Audit logs capture the following information for each credential access:
- Timestamp of the access request
- Actor identifier (agent key or user ID)
- Action performed (read, write, delete)
- Target resource (connection ID, connector type)
- Request metadata (IP address, user agent)
- Success or failure status
3. How We Use Data
We use the data we collect for the following purposes:
Service Operation
- Storing and retrieving credentials for authorized MCP tool calls
- Authenticating agents and users accessing the service
- Enforcing access policies and permissions
Security Monitoring
- Detecting unauthorized access attempts
- Identifying suspicious patterns or anomalies
- Investigating security incidents
- Generating security alerts and notifications
Customer Support
- Responding to support requests
- Troubleshooting connection issues
- Communicating service updates and maintenance
4. Data Storage
Encryption
All sensitive data, including connection credentials, is encrypted at rest using AES-256-GCM with tenant-bound Additional Authenticated Data (AAD). Encryption keys are managed securely and rotated periodically.
Infrastructure
- Application Hosting: Railway (railway.app) — SOC 2 Type II compliant
- Database: Supabase (supabase.com) — PostgreSQL with row-level security
- Geographic Location: Data is stored in the United States
Backups
Database backups are performed automatically and are encrypted using the same standards as primary data. Backups are retained for disaster recovery purposes only.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Connection credentials | Duration of subscription + 30 days |
| Account information | Duration of subscription + 30 days |
| Usage metrics | 90 days rolling window |
| Audit logs | 90 days, then automatically purged |
Upon account termination, all customer data is permanently deleted within 30 days. You may request immediate deletion by contacting us at the address below.
6. Third-Party Processors
We use the following third-party service providers to operate Keygent. Each provider has been vetted for security and privacy compliance:
We maintain Data Processing Agreements (DPAs) with each sub-processor. We do not sell, rent, or share your personal data with third parties for their marketing purposes.
7. Your Rights Under GDPR (EU Users)
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
Right to Access
You have the right to request a copy of the personal data we hold about you.
Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data.
Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data, subject to legal retention requirements.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
Right to Object
You have the right to object to processing of your personal data for certain purposes, including direct marketing.
To exercise any of these rights, please contact us at privacy@keygent.one. We will respond to your request within 30 days.
8. Your Rights Under CCPA (California Users)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
Categories of Personal Information Collected
- Identifiers: Email address, name, client ID, IP address
- Commercial information: Service usage records, billing information
- Internet activity: API call logs, timestamps, access patterns
- Professional information: Organization name, role
No Sale of Personal Information
Keygent does not sell your personal information to third parties. We have not sold personal information in the preceding 12 months and have no intention to do so.
Right to Know
You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you.
Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions.
Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, contact us at privacy@keygent.one or use the contact information below.
9. Cookies
Keygent uses only essential session cookies required for the service to function properly.
| Cookie Name | Purpose | Duration |
|---|---|---|
session_id |
Maintains authenticated session | Session (expires on browser close) |
We do not use:
- Tracking or analytics cookies
- Third-party advertising cookies
- Cross-site tracking technologies
- Fingerprinting or similar identification methods
10. Security Measures
We implement comprehensive security measures to protect your data:
Encryption
- All credentials encrypted at rest using AES-256-GCM
- TLS 1.3 encryption for all data in transit
- Tenant-bound encryption keys with AAD
Access Controls
- Role-based access control (RBAC) for all resources
- Agent-specific key scoping and permissions
- Policy-based credential access restrictions
- Automatic session expiration
Audit Logging
- All credential access logged with full context
- Immutable audit trail for compliance
- Real-time security alerting for anomalies
Infrastructure Security
- SOC 2 Type II compliant hosting providers
- Automatic security patching
- Regular vulnerability assessments
- DDoS protection
11. Contact Information
For questions about this Privacy Policy or to exercise your data protection rights, contact us:
We aim to respond to all privacy-related inquiries within 30 days.
12. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons.
Notification of Changes
- Material changes: We will notify you via email at least 30 days before changes take effect
- Non-material changes: Updated policy will be posted with a new effective date
- Your responsibility: Review the policy periodically for any changes
Continued use of Keygent after the effective date of changes constitutes acceptance of the updated Privacy Policy.