Legal

Privacy Policy

Effective date: May 26, 2026

1. Who we are

Keyes AI, Inc. (“Keyes AI,” “we,” “us,” or “our”) provides AI infrastructure products including GitDB (code-native database), Memory (long-term recall for AI agents), and Vector (full-fidelity semantic search). This Privacy Policy describes how we collect, use, and protect information when you use the keyes.ai website, APIs, and related services (collectively, the “Service”).

This Privacy Policy does not apply to information we process on behalf of enterprise customers under a signed Data Processing Addendum (DPA). If you are an end user of an enterprise customer’s deployment, please direct privacy inquiries to that organization.

2. Information we collect

2.1 Account information

Name, email address, and password when you create an account.
Organization name, role, and team size for enterprise accounts.
Billing and payment information (processed by our payment processor; we do not store full card numbers).

2.2 Content you store

GitDB: Source code, repositories, branches, commit history, and related metadata.
Memory: Memories extracted or derived from interactions (e.g., user preferences, goals, past actions, contextual facts), auto-generated vector embeddings, collections, metadata, and associated text content submitted through the API.
Vector: Vector embeddings, payload metadata, and index configurations submitted through the API.

2.3 Information collected automatically

Log data (IP address, browser type, pages visited, timestamps).
Device information (operating system, device identifiers).
API usage data (endpoints called, request volume, latency metrics).
Cookies and similar technologies for authentication and preferences.

2.4 Information we do not collect

We do not use third-party advertising trackers or data brokers.
We do not sell, rent, or trade your personal information.

3. How we use your information

To provide, operate, and maintain the Service across all products.
To process transactions and send billing-related communications.
To send technical notices, security alerts, and product updates.
To respond to your support requests and communications.
To monitor and analyze usage trends, enforce rate limits, and improve the Service.
To detect, prevent, and address fraud, abuse, and security incidents.
To comply with legal obligations.

4. Your data is yours

4.1 Ownership

You retain all rights to the content you store in the Service — your source code in GitDB, your memories in Memory, and your vectors in Vector. We do not claim ownership of any content you upload.

4.2 Third-party AI processing

To generate vector embeddings for the Memory and GitDB services, we send text or code snippets to third-party embedding providers. Our primary provider is Microsoft Azure OpenAI Service, with OpenAI, Inc. as a fallback. These providers process your content solely to return embeddings and do not retain or train on your data under our contractual agreements. Enterprise self-hosted customers may configure their own embedding provider to avoid third-party processing entirely.

If you have concerns about your content being processed by third-party embedding providers, you must discontinue use of the Service immediately and contact us at [email protected]. By continuing to use the Service, you acknowledge and consent to the embedding processing described above.

4.3 No training on your data

We do not use your private content (source code, memories, vectors, or metadata) to train our own or third-party machine learning models. This applies to all plan tiers — free and paid. Embeddings generated by the Service are created solely for your use and are not shared with other customers or used for any purpose beyond providing the Service to you.

4.4 Tenant isolation

Each customer’s data is logically isolated at the engine level. Your vectors, memories, and code are never accessible to other tenants, even in multi-tenant deployments. Enterprise self-hosted deployments provide full physical isolation.

5. Data sharing and disclosure

We do not sell your personal information. We may share information only in these circumstances:

Service providers: Infrastructure hosting, payment processing, and transactional email — each bound by contractual obligations to protect your data.
AI sub-processors: Microsoft Azure OpenAI Service (primary) and OpenAI, Inc. (fallback) for vector embedding generation. These providers process text/code solely to return embeddings and do not retain or train on your data under our agreements.
Legal requirements: When required by law, valid subpoena, or government request.
Safety: To protect the rights, property, or safety of Keyes AI, our users, or the public.
Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to you.

6. Data security

We implement industry-standard technical and organizational measures to protect your data:

Encryption in transit (TLS 1.2+) and at rest (AES-256).
Per-tenant access controls and audit logging for all operations.
API authentication via scoped API keys with per-key permissions.
Regular security assessments and vulnerability scanning.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly addressing any vulnerabilities discovered.

7. Data retention

We retain your account information for as long as your account is active.
When you delete specific content (vectors, memories, repositories), it is removed from active systems within 24 hours and from backups within 30 days.
When you close your account, we delete or anonymize all personal information within 30 days and all stored content within 90 days, except where retention is required by law.
API usage logs are retained for 90 days for operational purposes and then aggregated into anonymous metrics.

8. Legal basis for processing (GDPR)

If you are in the European Economic Area, our legal bases for processing are:

Contract: Processing necessary to provide the Service you signed up for.
Consent: Where you explicitly opt in (e.g., marketing communications).
Legitimate interest: Operating, securing, and improving the Service.
Legal obligation: Compliance with applicable law.

9. International data transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, including Standard Contractual Clauses where required. Enterprise customers with data residency requirements may use self-hosted deployments to keep all data within their chosen jurisdiction.

10. Your rights

Depending on your jurisdiction, you may have the right to:

Access the personal data we hold about you.
Correct inaccurate or incomplete data.
Delete your personal data and stored content.
Export your data in a portable format (available via API for all products).
Object to or restrict certain processing.
Withdraw consent at any time.
Lodge a complaint with a supervisory authority.

To exercise any of these rights, email [email protected].

11. Cookies

We use essential cookies to operate the Service (authentication, session management, preferences). We use optional analytics to understand usage patterns. We do not use third-party advertising cookies. You can control cookie preferences through your browser settings.

12. Children’s privacy

The Service is not directed at individuals under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the effective date. For material changes, we will provide at least 30 days’ notice via email or in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact

For privacy-related questions or requests, contact us at: [email protected]