Privacy Policy
Keygraph, Inc. ("Keygraph," "we," "us," or "our") provides cybersecurity, compliance, and security automation software to businesses. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you:
- visit our websites, including keygraph.io, keygraph.app, and any other website we own or operate that links to this Privacy Policy (the "Sites");
- communicate with us by email, chat, phone, or web form, or attend our events, webinars, or demos;
- create an account for or use our cloud-hosted software-as-a-service offering (the "Cloud Service"); or
- receive marketing or transactional emails from us.
We refer to the Sites, Cloud Service, and related communications collectively as the "Services."
This Privacy Policy describes our practices with respect to personal information we handle in our role as a controller of that information, and is written with reference to applicable U.S. federal and state privacy laws.
1. Scope and How This Policy Relates to Our Customer Agreements
This Privacy Policy describes how Keygraph handles personal information in its own right with respect to:
- visitors to our Sites;
- prospects, leads, and recipients of our marketing communications;
- attendees at our events, webinars, and demos; and
- account administrators, billing contacts, and authorized users of our customers, with respect to their account, authentication, billing, and support information.
When we provide the Cloud Service to a business customer, that customer determines what personal information is uploaded to or processed in the Cloud Service tenant ("Customer Personal Data"). For Customer Personal Data, the customer is the controller and Keygraph acts as a processor (or, where applicable, a "service provider") under the applicable customer agreement and the Keygraph Data Processing Addendum (the "DPA"), unless a separately signed data processing agreement or addendum applies. This Privacy Policy does not govern Customer Personal Data. If you are an end user of a Keygraph customer and want to exercise rights with respect to Customer Personal Data, please contact that customer; we will support them in responding to your request.
Keygraph may act as a controller in its own right with respect to account, billing, support, and certain operational information about authorized users, administrators, and billing contacts. We may also process aggregated, de-identified, or otherwise non-identifying usage, telemetry, and security information for our own purposes of operating, securing, maintaining, and improving the Cloud Service, subject to our customer agreements and DPA where applicable.
2. Contact Details
Keygraph, Inc.
Mailing Address: 2261 Market Street STE 22013, San Francisco, CA 94114, USA
Email: privacy@keygraph.io
3. Personal Information We Collect
We collect personal information in the following ways:
3.1 Information you provide to us
- Account and contact information: name, business email address, business phone number, employer, job title, and country, when you create an account, request a demo, download content, register for an event, or contact us.
- Authentication identifiers: identifiers and metadata associated with how you sign in to the Cloud Service. Sign-in is performed exclusively via:
  - Single sign-on (SSO): Google, Microsoft, or your organization's SAML identity provider; or
  - Magic link: a one-time, time-limited sign-in link sent to your business email address.
  We process information necessary to authenticate you (such as your email address, your SSO subject identifier, session tokens, sign-in timestamps, and IP address used to sign in).
- Billing and commercial information: billing contact, billing address, and the last four digits of a payment card. We do not receive or store full payment card numbers; these are processed directly by our payment processor.
- Support communications: the content of emails, chats, support tickets, and screenshots or attachments you provide when you contact our support team. Please do not send us passwords, private keys, access tokens, secrets, government identifiers, payment card numbers, health information, or other highly sensitive information through support channels unless we specifically request it through an approved secure channel.
- Marketing preferences: subscription, unsubscribe, and consent records.
3.2 Information collected automatically
When you interact with the Sites or the Cloud Service, we and certain third parties automatically collect:
- Device and connection data: IP address, browser type and version, operating system, device identifiers, language preference, and time zone.
- Usage data: pages or screens viewed, links clicked, referring URL, dates and times of access, session duration, and feature interactions.
- Cookies and similar technologies: see Section 6 ("Cookies, Analytics, and Advertising").
3.3 Information from third parties
- Business contact databases and B2B data enrichment providers — companies that maintain databases of business professionals and business organizations, which we use to identify and qualify potential business prospects.
- Referrals and shared accounts — when a colleague invites you to a Keygraph account.
- Public sources — such as company websites, public registries, and professional social media profiles.
We do not intentionally collect sensitive personal information through this Privacy Policy. Please do not provide such information to us through the Sites or in support communications.
4. How We Use Personal Information
We use personal information for the following purposes:
- Operating the Sites and providing basic security (e.g., rate limiting, anti-abuse).
- Responding to demo requests, sales inquiries, and pre-contract communications.
- Creating and administering Keygraph accounts; authenticating users; providing the Cloud Service.
- Billing, invoicing, collections, and tax/accounting recordkeeping.
- Customer support and troubleshooting.
- Direct marketing of our products and services to business contacts, including newsletters, product updates, and event invitations. You may opt out at any time (see Section 8).
- Advertising and remarketing on third-party platforms, including LinkedIn.
- Product analytics — understanding how the Sites and Cloud Service are used to improve features, fix bugs, and prioritize roadmap.
- Security monitoring, fraud prevention, and abuse detection.
- Compliance with law and enforcement of our agreements; defense of legal claims.
- Corporate transactions (financing, M&A, reorganization, or asset sale).
We will not use your personal information for materially new or incompatible purposes without first providing notice and, where required by law, obtaining your consent.
A note about AI training. We do not use personal information collected under this Privacy Policy, Customer Personal Data, Customer Content, or customer-specific AI inputs, outputs, retrieved context, embeddings, or agent traces to train or fine-tune generalized large language models, foundation models, or other shared AI or machine learning models. Cloud Service AI features operate on a Bring-Your-Own-Key ("BYOK") basis against customer-designated LLM services or gateway operators, which are the customer's vendors and not Keygraph Subprocessors. Subject to our customer agreements and DPA where applicable, we may use aggregated, de-identified, or otherwise non-identifying Usage Data and operational telemetry to improve the Cloud Service without identifying the customer or users or revealing Customer Content.
5. How We Disclose Personal Information
We share personal information only with the categories of recipients described below, and only as necessary for the purposes in Section 4.
- Service providers acting on our behalf, including providers of cloud hosting, content delivery, email delivery, customer support tools, CRM, marketing automation, analytics, advertising attribution, payment processing, billing, accounting, and security tools. These providers are contractually bound to process personal information only on our instructions and to maintain appropriate safeguards.
- Professional advisors, such as auditors, lawyers, accountants, insurers, and bankers, where necessary for compliance, audits, or the establishment, exercise, or defense of legal claims.
- Public authorities, where required by law, court order, or other valid legal process, or to protect the rights, safety, or property of Keygraph, our customers, or others.
- Affected third parties, platform operators, or security contacts, where reasonably necessary to investigate, prevent, or respond to abuse, unauthorized scanning, security incidents, or misuse of the Services.
- Acquirers and counterparties in corporate transactions, including in connection with a proposed or actual financing, merger, acquisition, reorganization, sale of assets, or bankruptcy. We will require recipients to honor commitments materially equivalent to this Privacy Policy with respect to personal information transferred.
- With your consent or at your direction.
Except for the use of analytics, advertising, and B2B marketing technologies on our marketing Sites as described in Section 6, we do not sell or share personal information as those terms are defined under applicable privacy laws. We do not sell personal information for money. You can opt out of these tools as described in Section 6.2.
A list of our current subprocessors for the Cloud Service is available at keygraph.io/subprocessors. We can provide a current list of vendors that process personal information we control on request to privacy@keygraph.io.
6. Cookies, Analytics, and Advertising
We use cookies and similar technologies (such as pixels, SDKs, local storage, and tags) on the Sites and within the Cloud Service. We classify these technologies by purpose:
- Strictly necessary cookies and technologies — required to deliver, secure, support, and maintain the Services (e.g., authenticating users, maintaining session state, load balancing, basic security, remembering cookie choices, consent-aware tag management, and customer-support chat where offered).
- Functional / preference cookies — enable optional site functionality or remember your preferences (e.g., language settings or other site preferences).
- Analytics / performance cookies — help us understand how the Sites are used so we can improve them.
- Advertising / targeting / marketing cookies — used to deliver, measure, and attribute advertising on third-party platforms, including remarketing and business-to-business visitor identification.
- Tag managers / loaders — tools used to deploy, sequence, block, and manage other tags, including enforcing consent choices. We classify Google Tag Manager itself as strictly necessary because we use it to operate consent-aware tag management. The tags loaded through it remain governed by their applicable purpose category above.
6.1 Tools we use today
We use different cookies and tracking technologies on our marketing website (keygraph.io) and within the authenticated Cloud Service (keygraph.app). The two surfaces serve different functions and have different audiences, so we describe them separately below.
6.1.1 On our marketing website (keygraph.io)
The following tools are deployed on the marketing website via Google Tag Manager. Non-essential tags are configured to run based on the choices available in our cookie banner:
| Tool | Provider | Purpose | Category |
|---|---|---|---|
| Google Tag Manager | Google LLC | Consent-aware tag deployment and tag management, including loading, sequencing, blocking, and controlling the tags listed below based on cookie choices and site configuration. | Strictly necessary |
| Google Analytics 4 | Google LLC | Website analytics, including pages viewed, session duration, traffic sources. | Analytics / performance |
| Vector | Vector (Common Room) | B2B website visitor identification for sales prospecting. | Advertising / targeting / marketing |
| LinkedIn Insight Tag (LinkedIn Ads Manager) | LinkedIn Corporation | Ad conversion tracking, retargeting on LinkedIn, and audience building. | Advertising / targeting / marketing |
| Plain (Chat Widget) | Plain Inc. | Customer-support chat on pages where chat is offered. Plain may use cookies or similar technologies, such as local/session storage or SDK identifiers, to provide support chat, session continuity, and conversation history. | Strictly necessary |
| Cloudflare | Cloudflare, Inc. | Content delivery, DNS, DDoS and bot protection, and edge security. | Strictly necessary |
6.1.2 Within the Cloud Service (keygraph.app)
The Cloud Service is a paid, authenticated B2B product accessed by our customers' personnel. Within the Cloud Service, we use only cookies and tracking technologies that are strictly necessary to deliver, secure, support, and maintain the product. These technologies are not used for advertising or marketing:
| Tool | Provider | Purpose | Category |
|---|---|---|---|
| Authentication and session cookies | Keygraph, Inc. | Sign-in, session maintenance, security (e.g., CSRF protection), and account-level functionality. Required to use the Cloud Service. | Strictly necessary |
| Cloudflare | Cloudflare, Inc. | DDoS and bot protection, and edge security for the Cloud Service. | Strictly necessary |
| Plain (Chat Widget) | Plain Inc. | In-product customer-support chat, including session continuity and conversation history for support and account-level service communications. | Strictly necessary |
We do not load Google Analytics, the LinkedIn Insight Tag, Vector, or any other marketing, advertising, or third-party product-analytics tag within the Cloud Service. If we add any new tracking or analytics technology to the Cloud Service in the future, we will update this Privacy Policy and, where applicable, update our public subprocessor list at keygraph.io/subprocessors and provide notice to customers with a separately signed data processing agreement or addendum in accordance with that agreement or addendum.
6.2 Your choices
On our marketing website (keygraph.io): You can:
- accept all non-essential cookies, reject non-essential cookies, or manage choices by category through our cookie banner, where applicable;
- manage analytics / performance and advertising / targeting / marketing cookies separately, where those categories are available;
- configure your browser to block or delete cookies (note that this may impair some features of the Sites);
- opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on;
- opt out of LinkedIn advertising through your LinkedIn ad settings;
- request to opt out of disclosures to advertising partners (including LinkedIn) by emailing privacy@keygraph.io.
Within the Cloud Service (keygraph.app): As described in Section 6.1.2, the cookies used within the Cloud Service are strictly necessary to deliver, secure, support, and maintain the product, and we do not load advertising, marketing, or third-party product-analytics tags. This Privacy Policy is accessible from within the Cloud Service via the Privacy link in the user menu.
Cookie durations and specific cookie names may change as we update our tools. For the most current information, refer to this Privacy Policy and the cookie banner shown on our Sites.
7. Data Retention
We retain personal information only for as long as necessary for the purposes described in this Privacy Policy, including to satisfy our legal, accounting, tax, or reporting obligations and to establish, exercise, or defend legal claims.
Visitor, prospect, and marketing data we control: We retain marketing contact information (such as records in our customer relationship management system, marketing email lists, and signup or demo-request records) for as long as is reasonably necessary to operate our marketing program and respond to your communications with us. You may:
- unsubscribe from marketing emails at any time using the unsubscribe link in any marketing email; and
- request deletion of your contact record from our marketing systems at any time by emailing privacy@keygraph.io. Upon request, we will delete the record from the systems we directly control within a reasonable period, except where we need to retain limited information for legal, security, fraud-prevention, suppression-list, or recordkeeping purposes (for example, to ensure you are not re-added from third-party data sources after you opt out).
Data held by third-party analytics and advertising providers: Some information about your visit to our website is collected and processed by third-party providers identified in Section 6 (such as Google, LinkedIn, and Common Room/Vector) under their own privacy practices and retention policies. We do not control how those providers retain or delete that data. To exercise choices over data held by those providers, please use the opt-out and choice mechanisms described in Section 6.2 and the providers' own privacy controls.
Customer account information and Customer Content within the Cloud Service: Retained for the duration of the customer agreement. Upon termination, Customer Content is handled under the applicable customer agreement and DPA, including limited export rights, deletion or rendering inaccessible from active production systems, and exceptions for applicable law, legal holds, disputes, and routine backups.
Billing and transactional records: Retained for the period required to comply with applicable U.S. federal and California tax, accounting, and recordkeeping obligations and applicable statutes of limitation.
Support communications: Retained for as long as is reasonably necessary to provide support, evaluate service quality, and address related claims.
Operational records (server logs, security logs, audit logs, and backups): Retained in accordance with our internal information-security policies, applicable contractual commitments, and our backup-rotation schedule. Logs related to active security incidents or subject to legal hold are preserved until the matter is resolved.
Where personal information is no longer required, we delete it or irreversibly anonymize it within a reasonable period.
8. Marketing Communications
We may send marketing communications to business contacts who have requested information from us, use our Services, or who we reasonably believe may be interested in our business products based on their role, employer, or professional context. You can opt out of marketing emails at any time by:
- clicking the "unsubscribe" link in any marketing email; or
- emailing privacy@keygraph.io.
Opting out of marketing will not affect transactional or service-related communications (e.g., account, billing, security, or support messages), which are necessary for us to deliver the Services.
We comply with the federal CAN-SPAM Act and applicable U.S. state laws governing commercial email.
9. Your Privacy Choices
Several U.S. states have enacted privacy laws that grant residents certain rights regarding their personal information, including the right to know, access, correct, and delete personal information, and to opt out of certain disclosures for advertising purposes. The specific rights available to you depend on your state of residence and applicable law.
Regardless of where you reside, you may exercise the following choices by emailing privacy@keygraph.io:
- Ask what information we hold about you;
- Ask us to delete your information from systems we control (see Section 7 for further details on marketing data deletion);
- Ask us to correct inaccurate information;
- Unsubscribe from marketing communications (you may also use the unsubscribe link in any marketing email); and
- Request that we not share your information with advertising partners for cross-context behavioral advertising (you may also use the third-party opt-outs described in Section 6.2).
We will review requests in good faith and respond as promptly as we reasonably can. We do not discriminate against you for exercising these choices.
If you are an end user of a Keygraph customer (i.e., your employer or another organization uses Keygraph and your personal information appears in their tenant), please direct your request to that customer in the first instance. As a processor / service provider under our customer agreements, we will support that customer in responding to you.
10. Users in the European Economic Area, the United Kingdom, and Switzerland
Keygraph is based in the United States. Our Services are offered to global enterprise customers, including customers in the European Economic Area (EEA), the United Kingdom, and Switzerland. Customers may elect an EU Data Residency option at account setup. If elected, Customer Content stored at rest in the production tenant database and object storage of the Cloud Service is stored in Amazon Web Services regions located within the EEA; other processing is governed by our customer agreements and DPA. Further detail is available in our Keygraph Data Processing Addendum and on our Subprocessors page.
If you are located in the EEA, the United Kingdom, or Switzerland, the EU General Data Protection Regulation (GDPR) or UK GDPR may apply to our processing of your personal information.
Roles and the DPA. Where Keygraph processes Customer Personal Data within the Cloud Service tenant on behalf of a customer, the customer is the controller and Keygraph is the processor; that processing is governed by our DPA, not by this Privacy Policy. Where Keygraph processes personal information described in this Privacy Policy (such as visitor, prospect, account-administrator, billing, and operational/telemetry data), Keygraph acts as the controller.
Lawful basis. When we act as a controller and process the personal information of individuals in the EEA, UK, or Switzerland, we generally rely on the following lawful bases under Article 6 of the GDPR/UK GDPR: performance of a contract (e.g., providing the Cloud Service or responding to pre-contractual inquiries); legitimate interests (e.g., operating, securing, and improving our Sites and Cloud Service, and conducting business-to-business marketing — interests that we believe are not overridden by the rights of the affected individuals); compliance with a legal obligation (e.g., tax and accounting recordkeeping); and consent (e.g., for non-essential cookies and certain marketing communications where consent is required).
International transfers. Personal information may be transferred to and processed in the United States and other jurisdictions where Keygraph or its service providers operate. For transfers from the EEA, UK, or Switzerland to jurisdictions without an adequacy decision, we implement appropriate safeguards consistent with applicable law. Where we process personal data on behalf of a customer that is itself transferring data from the EEA, UK, or Switzerland, those transfers are governed by the Keygraph Data Processing Addendum, including the EU Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum. The EU Data Residency option stores Customer Content at rest in Amazon Web Services regions located within the EEA as described above, but administrative, operational, support, security, and troubleshooting processing and access from other jurisdictions may occur under the safeguards described in our DPA.
Your rights. Subject to applicable law, individuals in the EEA, UK, or Switzerland may have the following rights with respect to personal information for which Keygraph is the controller: the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object to processing (including processing based on legitimate interests and processing for direct marketing), and the right to withdraw consent where processing is based on consent. To exercise these rights or to ask any question about how we process your personal information, please contact privacy@keygraph.io. You also have the right to lodge a complaint with your local supervisory authority; we would, however, appreciate the opportunity to address your concerns first.
End users of customers. If you are an end user of a Keygraph customer (i.e., your employer or another organization uses Keygraph and your personal information appears in their Cloud Service tenant), the customer is the controller of that data. Please direct rights requests to that customer; we will support them in responding.
11. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized or unlawful processing and accidental loss, destruction, damage, or disclosure. These include encryption in transit and at rest where appropriate, access controls, logging and monitoring, vendor security reviews, employee training, and an incident response program. Further details for customers of the Cloud Service are available in our DPA and security documentation. No system is perfectly secure; we cannot guarantee absolute security.
12. Children
The Services are intended for use by businesses and their authorized personnel. They are not directed to, and we do not knowingly collect personal information from, anyone under the age of 16. If you believe a minor has provided personal information to us, please contact privacy@keygraph.io and we will take steps to delete it.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The "Last Updated" date at the top reflects the latest version. If we make material changes, we will provide additional notice (such as by email or a prominent notice on the Sites). The updated Privacy Policy will apply from its effective date. Where required by law, we will obtain your consent before applying material changes to processing activities that require consent.
14. How to Contact Us
For questions, requests, or complaints about this Privacy Policy or our handling of your personal information, contact:
Keygraph, Inc.
Attn: Privacy
Mailing Address: 2261 Market Street STE 22013, San Francisco, CA 94114, USA
Email: privacy@keygraph.io
Keygraph, Inc. | © 2026 All rights reserved.