1. Controller & privacy contact
For personal data we process about our account holders, website visitors, and prospects, 4Keyless LTDA is the controller. Privacy and data-subject requests: dpo@4keyless.io. Postal contact: 4Keyless LTDA, United States.
2. Scope & our two roles
We act in two distinct roles:
- As controller for personal data relating to our direct relationship with you — for example, your account, billing, support, and website analytics. This Policy governs that processing.
- As processor for personal data contained in Customer Data that flows through the Service (including Credentials and the content of requests your Agents make to Target Systems). For that data, you are the controller and we process it only on your instructions, under our Terms of Service and, where applicable, a Data Processing Agreement (DPA).
3. Personal data we collect
| Category | Examples | Source |
|---|---|---|
| Account & identity | Name, work email, organization, role, hashed password, MFA factors | You, at registration |
| Billing | Plan, billing contact, transaction history, partial card data and tax identifiers handled by our payment processor | You / Stripe |
| Usage & audit metadata | Agent IDs, Target Systems accessed, policy decisions, timestamps, latencies, and the client IP address and approximate geolocation of requests (resolved on demand) | Generated by the Service |
| Support communications | Messages, attachments, and contact details you send us | You |
| Website & device | IP address, browser/device data, pages viewed, essential cookies, language preference | Automatically |
We do not intentionally collect special categories of personal data about you for our own purposes. We do not sell personal data.
4. Credentials & secrets (important)
Credentials you store (passwords, API keys, TOTP seeds, and digital certificates such as X.509 client certificates or smartcard-backed credentials) are encrypted at rest with AES-256-GCM in a secrets vault (HashiCorp Vault) and are decrypted only in proxy memory to be injected into the requests you direct. We do not read, mine, or use the content of your Credentials for any purpose other than operating the Service, and they are never exposed to the AI agent or written to audit logs.
Credentials and request content may contain personal data of your own end users. For that data we act as processor and you remain the controller; you are responsible for having a valid legal basis and for honoring your end users’ rights.
5. How we use personal data & legal bases
| Purpose | Legal basis (U.S. / GDPR) |
|---|---|
| Provide, operate, and secure the Service; authenticate and route requests; enforce policies; produce audit logs | Performance of a contract (GDPR Art. 6(1)(b); similar bases under applicable U.S. law) |
| Detect, investigate, and prevent abuse, fraud, and security incidents; ensure network and information security | Legitimate interests (GDPR Art. 6(1)(f); security and fraud-prevention under applicable U.S. law) |
| Billing, invoicing, and bookkeeping | Contract and legal obligation (GDPR Art. 6(1)(b),(c)) |
| Respond to support requests and service communications | Contract / legitimate interests |
| Product analytics and improvement (aggregated where possible) | Legitimate interests (GDPR Art. 6(1)(f)) |
| Marketing emails to existing customers about similar features | Legitimate interests / consent where required (you may opt out anytime) |
| Comply with legal obligations and respond to lawful requests | Legal obligation (GDPR Art. 6(1)(c); applicable U.S. law) |
6. Cookies & local storage
Our admin panel uses strictly necessary cookies and browser storage to keep you signed in and to remember preferences (for example, your language choice is stored locally as flk_lang). Our marketing site uses Google Analytics 4 (GA4) to understand aggregate traffic and page usage; GA4 may set first-party cookies such as _ga and _ga_*. Our admin panel uses Amplitude for product analytics (page views, sessions, and usage events tied to your account ID and tenant) and may use Amplitude Session Replay to record anonymized or masked interactions for product improvement; Amplitude may use cookies or local storage for session tracking. We configure GA4 with IP anonymization and without advertising or personalization signals. Sensitive fields (such as passwords) are blocked from replay capture. We do not use third-party advertising cookies. You can control cookies through your browser settings or opt out of GA4 via Google’s browser add-on; blocking essential cookies may break the Service.
7. Sharing & subprocessors
We share personal data only with service providers (subprocessors) that process it on our behalf under contract, with affiliates, in a corporate transaction, or where required by law. Current subprocessors include:
| Subprocessor | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, storage, CDN | United States / global |
| Stripe | Payment processing and billing | United States / global |
| Resend / Amazon SES | Transactional email (invitations, password resets, billing notices) | United States / global |
| Google Analytics (Google LLC) | Marketing-site traffic and page analytics on 4keyless.io | United States / global |
| Amplitude (Amplitude, Inc.) | Product analytics and session replay in the admin panel | United States / global |
| ip-api.com | On-demand IP geolocation for audit-log enrichment | EU |
An up-to-date list of subprocessors is available on request at dpo@4keyless.io. We provide advance notice of material changes to enterprise customers under a DPA.
8. International data transfers
4Keyless LTDA is based in the United States. Personal data may be processed in the United States and in other countries where we or our subprocessors operate. Where we transfer personal data from the EU/EEA, UK, or other jurisdictions that restrict cross-border transfers, we rely on appropriate safeguards — for example, the European Commission’s Standard Contractual Clauses or other mechanisms recognized under applicable law.
9. Data retention
- Account data: retained while your account is active and for a reasonable period afterward.
- Audit logs: retained according to your plan’s retention window (for example, 14 days on the free tier, up to 1 year on Growth, and a custom period on Enterprise), after which they are deleted or anonymized.
- Billing records: retained for the periods required by applicable tax and commercial law in the United States.
- Backups: retained for a limited rolling period and then overwritten.
After termination you may export Customer Data for 30 days; thereafter we delete it in accordance with these periods, except where retention is required by law.
10. Security
We apply technical and organizational measures appropriate to the risk, including: secrets stored in HashiCorp Vault and encrypted at rest with AES-256-GCM; encryption in transit (TLS) and mutual TLS for certificate-based access; tenant isolation enforced at the database level; role-based access control and multi-factor authentication; Ed25519-signed, tamper-evident audit logs; least-privilege access for our personnel; and monitoring. No method of transmission or storage is completely secure; we maintain an incident-response process and will notify affected parties and regulators where required by applicable law.
11. Your rights
Subject to applicable law, you may have the following rights regarding your personal data:
- confirm whether we process your personal data and access it;
- correct inaccurate or incomplete data;
- request deletion of personal data, subject to legal exceptions;
- request data portability where technically feasible;
- obtain information about categories of third parties with whom we have shared your data;
- opt out of certain processing, including marketing communications and, where applicable, targeted advertising or sale/sharing of personal information under U.S. state privacy laws;
- withdraw consent where processing is based on consent; and
- (GDPR / UK GDPR) restrict processing, object to processing based on legitimate interests, and lodge a complaint with your local supervisory authority.
California residents may have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of sale or sharing. To exercise any of these rights, contact dpo@4keyless.io. We may need to verify your identity and will respond within the timeframes required by applicable law. If we act as processor for data controlled by a customer, we will refer your request to that customer.
12. Children’s privacy
The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us so we can delete it.
13. Changes to this Policy
We may update this Policy from time to time. We will post the new version here with an updated “Last updated” date and, for material changes, provide additional notice (such as by email or an in-product message).
14. Contact
Privacy questions and rights requests: dpo@4keyless.io. Controller: 4Keyless LTDA, United States.