Keygraph, Inc. ("Keygraph," "we," "us," or "our") is a Delaware corporation headquartered in San Francisco, California. We provide cybersecurity, compliance, and security automation software to businesses. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you:
We refer to the Sites, Cloud Service, and related communications collectively as the "Services."
This Privacy Policy describes our practices with respect to personal information we handle in our role as a controller of that information, and is written with reference to applicable U.S. federal and state privacy laws.
This Privacy Policy describes how Keygraph handles personal information in its own right with respect to:
When we provide the Cloud Service to a business customer, that customer determines what personal information is uploaded to or processed in the Cloud Service tenant ("Customer Personal Data"). For Customer Personal Data, the customer is the controller and Keygraph acts as a processor (or, where applicable, a "service provider") under a separate Data Processing Agreement ("DPA"). This Privacy Policy does not govern Customer Personal Data; that processing is governed by the applicable customer agreement and the Keygraph DPA. If you are an end user of a Keygraph customer and want to exercise rights with respect to Customer Personal Data, please contact that customer; we will support them in responding to your request.
Keygraph may act as a controller in its own right with respect to account, billing, support, and certain operational information about authorized users, administrators, and billing contacts. We may also process aggregated, de-identified, or pseudonymized usage, telemetry, and security information for our own purposes of operating, securing, maintaining, and improving the Cloud Service, subject to our customer agreements and DPA where applicable.
Keygraph, Inc.
2261 Market Street STE 22013
San Francisco, CA 94114
USA
Email: privacy@keygraph.io
We collect personal information in the following ways:
When you interact with the Sites or the Cloud Service, we and certain third parties automatically collect:
We do not intentionally collect sensitive personal information through this Privacy Policy. Please do not provide such information to us through the Sites or in support communications.
We use personal information for the following purposes:
We will not use your personal information for materially new or incompatible purposes without first providing notice and, where required by law, obtaining your consent.
A note about AI training. We do not use personal information collected under this Privacy Policy to train generalized large language models or foundation models. AI features of the Cloud Service operate strictly on a Bring-Your-Own-Key ("BYOK") basis: AI processing occurs against large language model endpoints designated by the Customer using the Customer's own credentials, with the Customer-designated AI provider acting as the Customer's own vendor (not a Keygraph Subprocessor). Keygraph does not use Customer Personal Data or Customer Content to train, fine-tune, or improve any generalized or shared AI or machine learning model. Further detail is available in the Keygraph DPA and at keygraph.io/subprocessors.
We share personal information only with the categories of recipients described below, and only as necessary for the purposes in Section 4.
We do not sell personal information for money. However, our use of certain analytics, advertising, and B2B marketing technologies on our marketing website may be considered a "sale," "sharing," or "targeted advertising" under some privacy laws. You can opt out of these tools as described in Section 6.2.
A list of our current subprocessors for the Cloud Service is available at keygraph.io/subprocessors. We can provide a current list of vendors that process personal information we control on request to privacy@keygraph.io.
We use cookies and similar technologies (such as pixels, SDKs, local storage, and tags) on the Sites and within the Cloud Service. Cookies fall into the following categories:
We use different cookies and tracking technologies on our marketing website (keygraph.io) and within the authenticated Cloud Service (keygraph.app). The two surfaces serve different functions and have different audiences, so we describe them separately below.
The following tools are deployed on the marketing website via Google Tag Manager:
| Tool | Provider | Purpose | Category |
|---|---|---|---|
| Google Tag Manager | Google LLC | Tag deployment and management. GTM itself does not set tracking cookies but loads the tags listed below. | Loader |
| Google Analytics 4 | Google LLC | Website analytics, including pages viewed, session duration, traffic sources. | Analytics |
| Vector | Vector (Common Room) | B2B website visitor identification for sales prospecting. | Advertising / marketing |
| LinkedIn Insight Tag (LinkedIn Ads Manager) | LinkedIn Corporation | Ad conversion tracking, retargeting on LinkedIn, and audience building. | Advertising |
| Plain (Chat Widget) | Plain Inc. | Customer-support chat widget. Uses cookies and similar technologies (including local storage) to load the chat interface, maintain session state during a conversation, recognize returning users, and persist conversation history. Only loaded on pages where chat support is offered. | Functional |
| Cloudflare | Cloudflare, Inc. | Content delivery, DNS, DDoS protection, bot management, and edge security. Sets cookies (e.g., __cf_bm, cf_clearance) to distinguish humans from automated traffic, mitigate abuse, and ensure site availability and security. | Strictly necessary |
The Cloud Service is a paid, authenticated B2B product accessed by our customers' personnel. Within the Cloud Service, we use only the following cookies and tracking technologies, which are operational to delivering the product and are not used for advertising or marketing:
| Tool | Provider | Purpose | Category |
|---|---|---|---|
| Authentication and session cookies | Keygraph, Inc. | Sign-in, session maintenance, security (e.g., CSRF protection), and account-level functionality. Required to use the Cloud Service. | Strictly necessary |
| Cloudflare | Cloudflare, Inc. | DDoS protection, bot management, and edge security for the Cloud Service. | Strictly necessary |
| Plain (Chat Widget) | Plain Inc. | In-product customer-support chat widget. Uses cookies and similar technologies (including local storage) to load the chat interface, maintain session state during a conversation, recognize returning users, and persist conversation history. Available only in the cloud-hosted Cloud Service and not deployed in self-hosted deployments of Keygraph software. | Functional / strictly necessary |
We do not load Google Analytics, the LinkedIn Insight Tag, Vector, or any other marketing, advertising, or third-party product-analytics tag within the Cloud Service. If we add any new tracking or analytics technology to the Cloud Service in the future, we will update this Privacy Policy and, where applicable, update our public subprocessor list at keygraph.io/subprocessors and provide notice to customers with a signed Data Processing Agreement in accordance with that agreement.
On our marketing website (keygraph.io): You can:
Within the Cloud Service (keygraph.app): As described in Section 6.1.2, the cookies used within the Cloud Service are limited to authentication, session, and security cookies necessary to deliver the product, and we do not load advertising, marketing, or third-party product-analytics tags. This Privacy Policy is accessible from within the Cloud Service via the Privacy link in the user menu.
Cookie durations and specific cookie names may change as we update our tools. For the most current information, refer to this Privacy Policy and the cookie banner shown on our Sites.
We retain personal information only for as long as necessary for the purposes described in this Privacy Policy, including to satisfy our legal, accounting, tax, or reporting obligations and to establish, exercise, or defend legal claims.
Visitor, prospect, and marketing data we control: We retain marketing contact information (such as records in our customer relationship management system, marketing email lists, and signup or demo-request records) for as long as is reasonably necessary to operate our marketing program and respond to your communications with us. You may:
Data held by third-party analytics and advertising providers: Some information about your visit to our website is collected and processed by third-party providers identified in Section 6 (such as Google, LinkedIn, and Common Room/Vector) under their own privacy practices and retention policies. We do not control how those providers retain or delete that data. To exercise choices over data held by those providers, please use the opt-out and choice mechanisms described in Section 6.2 and the providers' own privacy controls.
Customer account information and Customer Content within the Cloud Service: Retained for the duration of the customer agreement. Upon termination, Customer Content is handled per the applicable customer agreement (typically: on the customer's written request made within 30 days of termination, we make Customer Content available for export, and we delete Customer Content from the Cloud Service within 60 days thereafter, subject to retention required by applicable law or maintained in routine backups in the ordinary course of business).
Billing and transactional records: Retained for the period required to comply with applicable U.S. federal and California tax, accounting, and recordkeeping obligations and applicable statutes of limitation.
Support communications: Retained for as long as is reasonably necessary to provide support, evaluate service quality, and address related claims.
Operational records (server logs, security logs, audit logs, and backups): Retained in accordance with our internal information-security policies, applicable contractual commitments, and our backup-rotation schedule. Logs related to active security incidents or subject to legal hold are preserved until the matter is resolved.
Where personal information is no longer required, we delete it or irreversibly anonymize it within a reasonable period.
We may send marketing communications to business contacts who have requested information from us, use our Services, or who we reasonably believe may be interested in our business products based on their role, employer, or professional context. You can opt out of marketing emails at any time by:
Opting out of marketing will not affect transactional or service-related communications (e.g., account, billing, security, or support messages), which are necessary for us to deliver the Services.
We comply with the federal CAN-SPAM Act and applicable U.S. state laws governing commercial email.
Several U.S. states have enacted privacy laws that grant residents certain rights regarding their personal information, including the right to know, access, correct, and delete personal information, and to opt out of certain disclosures for advertising purposes. The specific rights available to you depend on your state of residence and applicable law.
Regardless of where you reside, you may exercise the following choices by emailing privacy@keygraph.io:
We will review requests in good faith and respond as promptly as we reasonably can. We do not discriminate against you for exercising these choices.
If you are an end user of a Keygraph customer (i.e., your employer or another organization uses Keygraph and your personal information appears in their tenant), please direct your request to that customer in the first instance. As a processor / service provider under our customer agreements, we will support that customer in responding to you.
Keygraph is headquartered in the United States. Our Services are offered to global enterprise customers, including customers in the European Economic Area (EEA), the United Kingdom, and Switzerland. We offer an EU Data Residency option that customers may elect at account setup. The election is permanent for the life of the tenant; if elected, the customer's Cloud Service tenant data is stored and processed in European AWS regions. Further detail is available in our Data Processing Agreement and on our Subprocessors page.
If you are located in the EEA, the United Kingdom, or Switzerland, the EU General Data Protection Regulation (GDPR) or UK GDPR may apply to our processing of your personal information.
Roles and the DPA. Where Keygraph processes Customer Personal Data within the Cloud Service tenant on behalf of a customer, the customer is the controller and Keygraph is the processor; that processing is governed by our DPA, not by this Privacy Policy. Where Keygraph processes personal information described in this Privacy Policy (such as visitor, prospect, account-administrator, billing, and operational/telemetry data), Keygraph acts as the controller.
Lawful basis. When we act as a controller and process the personal information of individuals in the EEA, UK, or Switzerland, we generally rely on the following lawful bases under Article 6 of the GDPR/UK GDPR: performance of a contract (e.g., providing the Cloud Service or responding to pre-contractual inquiries); legitimate interests (e.g., operating, securing, and improving our Sites and Cloud Service, and conducting business-to-business marketing — interests that we believe are not overridden by the rights of the affected individuals); compliance with a legal obligation (e.g., tax and accounting recordkeeping); and consent (e.g., for non-essential cookies and certain marketing communications where consent is required).
International transfers. Personal information may be transferred to and processed in the United States and other jurisdictions where Keygraph or its service providers operate. For transfers from the EEA, UK, or Switzerland to jurisdictions that have not received an adequacy decision, we implement appropriate safeguards consistent with applicable law. Where we process personal data on behalf of a customer that is itself transferring data from the EEA, UK, or Switzerland, those transfers are governed by the Keygraph DPA and incorporate the EU Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum. Customers who elect the EU Data Residency option have their tenant data stored in European AWS regions; certain administrative and support access to that data from Keygraph personnel in the United States may occur and is governed by the safeguards described in our DPA.
Your rights. Subject to applicable law, individuals in the EEA, UK, or Switzerland may have the following rights with respect to personal information for which Keygraph is the controller: the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object to processing (including processing based on legitimate interests and processing for direct marketing), and the right to withdraw consent where processing is based on consent. To exercise these rights or to ask any question about how we process your personal information, please contact privacy@keygraph.io. You also have the right to lodge a complaint with your local supervisory authority; we would, however, appreciate the opportunity to address your concerns first.
End users of customers. If you are an end user of a Keygraph customer (i.e., your employer or another organization uses Keygraph and your personal information appears in their Cloud Service tenant), the customer is the controller of that data. Please direct rights requests to that customer; we will support them in responding.
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized or unlawful processing and accidental loss, destruction, damage, or disclosure. These include encryption in transit and at rest where appropriate, access controls, logging and monitoring, vendor security reviews, employee training, and an incident response program. Further details for customers of the Cloud Service are available in our DPA and security documentation. No system is perfectly secure; we cannot guarantee absolute security.
The Services are intended for use by businesses and their authorized personnel. They are not directed to, and we do not knowingly collect personal information from, anyone under the age of 16. If you believe a minor has provided personal information to us, please contact privacy@keygraph.io and we will take steps to delete it.
We may update this Privacy Policy from time to time. The "Last Updated" date at the top reflects the latest version. If we make material changes, we will provide additional notice (such as by email or a prominent notice on the Sites). The updated Privacy Policy will apply from its effective date. Where required by law, we will obtain your consent before applying material changes to processing activities that require consent.
For questions, requests, or complaints about this Privacy Policy or our handling of your personal information, contact:
Keygraph, Inc.
Attn: Privacy
2261 Market Street STE 22013
San Francisco, CA 94114
USA
Email: privacy@keygraph.io
Keygraph, Inc. | © 2026 All rights reserved.