Keygraph

Privacy Policy

Last Updated: September 2, 2025

Keygraph Inc. ("we," "us," or "our") wants you to be familiar with how we collect, use, and disclose information. This Privacy Policy describes our practices in connection with information that we collect through:

  • Our websites, including keygraph.io, keygraph.app and soc2sechub.com, and any other websites we own and control that post or link to this Privacy Policy (our "Sites");
  • Software application(s) made available by us for use on or through computers and mobile devices (our "Apps"); and
  • HTML-formatted email messages that we send to you that link to this Privacy Policy.

Collectively, we refer to the Sites, Apps, social media pages, and emails as the "Services."

1. Personal Information

"Personal Information" is information that identifies you as an individual or relates to an identifiable individual. We collect Personal Information through or in connection with the Services, such as:

  • Name
  • Postal address
  • Telephone number
  • Email address
  • IP address (we may also derive your approximate location from your IP address)
  • Payment information

2. Google Workspace Data and API Use

As part of providing our Services to Google Workspace domain administrators, we request access to certain Google APIs under user authorization. Specifically, we request the following data:

  • User profile data (names, emails) via the Admin SDK Directory API
  • Organizational unit and group membership data
  • Audit log data via the Admin Reports API
  • Delegated role assignments
  • Data transfer requests (e.g., for reassignment of Drive file ownership)

How We Use This Data:

  • Enable organization administrators to manage users, groups, and organizational policies.
  • Perform administrative operations such as user suspension, password resets, or group provisioning.
  • Provide audit logs and visibility into account and resource usage.
  • Facilitate ownership transfers during user offboarding workflows.

What We Don't Do:

  • We do not access the content of any user emails, Drive files, or messages.
  • We request only the minimum necessary scopes and limit access to authorized admins.
  • We do not use raw Google Workspace API data to develop, improve, or train generalized AI and/or ML models, except as described in Section 4 of this policy.

Security:

  • All Google user data is stored securely and encrypted in transit and at rest.
  • We do not sell your Google user data or share it with third parties for their own marketing or independent business purposes. We may share this data with our trusted service providers (such as our cloud hosting provider) who act on our behalf and are bound by strict confidentiality and data protection obligations, as described in Section 6 of this policy.
  • Data is deleted upon user or domain request, subject to the data export and retention periods described in Section 12.
  • We comply with Google API Services User Data Policy, including Limited Use requirements.

3. Collection of Personal Information

We and our service providers collect Personal Information in a variety of ways, including:

Through the Services: When you sign up for a newsletter, create an account, contact customer service, or make a purchase.

From Other Sources: We may receive your Personal Information from other sources, such as publicly available databases.

If you disclose any Personal Information relating to others, you represent you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.

4. Use of Personal Information

We and our service providers use Personal Information for the following purposes:

  • Providing the functionality of the Services and fulfilling your requests (e.g., providing you access to your account, processing transactions, responding to your inquiries on our marketing sites, or sending you a newsletter you requested).
  • To send you marketing communications. When you create an account, sign up for our services, or otherwise provide us with your contact information, we may use your Personal Information to send you marketing-related emails and other communications about our products, services, special offers, and events. We do this based on our legitimate business interest to market our services.
  • Analyzing Personal Information for business reporting and providing personalized services.
  • Allowing you to participate in sweepstakes, contests, or other promotions.
  • Aggregating and/or anonymizing Personal Information for analytics or other business purposes.
  • Accomplishing our business purposes (audits, fraud prevention, security, product development, maintenance, trend analysis, campaign effectiveness, and legitimate business activities).

AI Model Improvement:

To help us provide and improve our Services, we may use aggregated and anonymized Customer Data and AI Output to analyze usage and train our underlying AI models. This data will be processed in a way that does not identify you or any individual person.

5. Legal Basis for Processing Personal Information (EEA/UK Users)

If you are in the European Economic Area (EEA) or the United Kingdom (UK), we only process your Personal Information when we have a valid legal basis to do so, including:

  • Performance of a Contract: We process your Personal Information to provide the Services you subscribed to and to fulfill our obligations under our Terms of Service. This is the basis for processing your name, email, and payment information.
  • Legitimate Interest: We process your Personal Information for our legitimate business interests, including security monitoring, fraud prevention, improving our Services, and sending you marketing communications about our products and services. We do this provided that these interests are not overridden by your data protection interests or fundamental rights. You have the right to object to this processing for marketing purposes at any time.
  • Consent: We may rely on your consent for specific uses of your data where we have asked for it, such as for certain types of cookies or when you participate in a promotion. You have the right to withdraw your consent at any time.
  • Legal Obligation: We may process your Personal Information to comply with applicable laws, respond to warrants, and fulfill other legal obligations.

6. Disclosure of Personal Information

We disclose Personal Information:

  • To our service providers, to facilitate services they provide to us (e.g., website hosting, analytics, payment processing, IT, customer service, auditing).
  • If you choose to disclose Personal Information through the Services (message boards, chat, social sharing, etc.).
  • Through your social sharing activity, subject to the privacy policy of the relevant social media provider.

7. Other Uses and Disclosures

We may also use and disclose Personal Information as necessary or appropriate:

  • To comply with applicable law, respond to warrants, and fulfill legal obligations.
  • To enforce our terms and conditions.
  • To protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others.
  • In connection with a proposed or actual reorganization, merger, sale, joint venture, or other disposition of all or part of our business or assets.

8. Information Collected Automatically

We and our service providers may automatically collect information, including:

  • Your Browser or Device: MAC address, computer type, screen resolution, OS, browser type/version.
  • Your Use of Our App(s): Usage data, such as the date and time the app accesses our servers.
  • Cookies: Cookies allow collection of browser type, time spent on Services, pages visited, and traffic data. You may decline cookies in your browser settings.
  • Pixel Tags and Similar Technologies: To track user actions and measure marketing campaign success.
  • Analytics: We use services like Google Analytics. You can learn about Google's practices and opt out.
  • Advertising: We may use third-party advertising companies to serve advertisements regarding goods and services that may be of interest to you when you access and use our Sites and other websites or online services. These companies may place or recognize a unique cookie on your browser and use information about your visits to our Sites and other sites to provide relevant advertisements.
  • Invisible reCAPTCHA: To protect against spam and abuse, subject to Google's Privacy Policy and Terms.

9. Uses and Disclosures of Information Collected Automatically

If required by law, we treat automatically collected information as Personal Information. If we combine this data with Personal Information, we treat the combined data as Personal Information.

10. Security

We use reasonable organizational, technical, and administrative measures to protect Personal Information.

Google OAuth credentials: Access tokens are encrypted and stored with restricted access.

No data transmission or storage can be guaranteed 100% secure. If you believe your interaction with us is no longer secure, please contact us immediately.

11. Your Data Protection Rights

Depending on your location and subject to applicable law, you may have certain rights regarding your Personal Information, which may include:

  • The Right to Access: In some cases, you may have the right to request copies of your personal data.
  • The Right to Rectification: In some cases, you may have the right to request that we correct or complete information you believe is inaccurate or incomplete.
  • The Right to Erasure (Right to be Forgotten): In certain circumstances and where legally required, you may request that we delete your personal data.
  • The Right to Restrict Processing: Where permitted by law, you may request that we restrict the processing of your personal data.
  • The Right to Data Portability: If legally required, you may request that we transfer the data we have collected to another organization, or directly to you.
  • The Right to Object to Processing: In some cases, and subject to applicable law, you may object to our processing of your personal data.

To exercise these rights, please contact us at legal@keygraph.io. We may need to verify your identity before processing your request.

12. Data Retention

We retain your Personal Information for as long as your account is active or as needed to provide you with the Services.

After your account is terminated or your subscription expires, we will retain your data for a period of 30 days to allow for data export, after which it will be permanently deleted from our production systems. We may retain usage data in an aggregated and anonymized form for analytical purposes indefinitely. We will also retain information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

13. Third-Party Services

This Privacy Policy does not address the privacy or information practices of any third parties, including those operating sites or services to which we link or other organizations such as social media platforms, app providers, or payment services.

14. Use of the Services by Minors

The Services are not directed to individuals under the age of sixteen (16), and we do not knowingly collect Personal Information from them.

15. Jurisdiction and Cross-Border Transfer

Your Personal Information may be stored and processed in any country where we have facilities or engage service providers, including the United States, which may have different data protection rules than your country of residence.

16. Sensitive Information

Unless we specifically request it, please do not send us or disclose any sensitive Personal Information (e.g., Social Security numbers, racial or ethnic origin, political opinions, religion, health, biometrics, or criminal background) on or through the Services.

17. Third-Party Payment Service

We may use a third-party payment service to process payments. Any information you provide to them will be subject to their privacy policy, not ours.

18. Updates to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last Updated" legend at the top of this page indicates when it was last revised. For material changes, we will provide you with at least thirty (30) days' notice, for example by sending an email or displaying a notice within our Services. For non-material changes, your continued use of the Services after the changes are posted will constitute your acceptance.

19. Contact Us

If you have any questions about this Privacy Policy, please contact us at legal@keygraph.io.

Because email communications are not always secure, please do not include credit card or other sensitive information in your emails to us.

© 2025 Keygraph Inc. All rights reserved.