Privacy Policy
This Privacy Policy explains how Klavex ("we", "us") collects, uses, and protects information when you use the Klavex secrets-management service, including our website, dashboard, and command-line interface (the "Service").
1. Who we are
Klavex is based in New York, NY, USA. For any privacy question — including requests to access, export, or delete your data — contact us at privacy@klavex.dev.
2. Information we collect
| Category | Examples |
|---|---|
| Account data | Name, email address, and authentication credentials, managed through our identity provider (AWS Cognito). |
| Team & workspace data | Team and repo names, environment names, member roles, and invitations. |
| Secrets you store | The environment-variable values you choose to store in your vault. These are encrypted at rest (see Section 4) and we do not access their plaintext in the ordinary course of operating the Service. |
| Billing data | Subscription plan and billing status. Card details are collected and processed by Stripe; we do not store full payment card numbers. |
| Usage & audit logs | Records of actions taken in the Service — such as variable fetches and membership changes — including actor, IP address, and timestamp. |
| Technical data | Standard request metadata (IP address, user agent) and privacy-friendly, cookieless analytics about site usage. |
3. How we use information
- To provide, maintain, and secure the Service.
- To authenticate you and enforce access controls and team roles.
- To process subscriptions and payments (via Stripe).
- To produce audit logs and detect or investigate abuse and security incidents.
- To communicate with you about your account, including service and security notices.
We do not sell your personal information, and we do not use the contents of your stored secrets for advertising or model training.
4. How your secrets are protected
Stored secret values are protected using envelope encryption. A per-secret data key encrypts each value, and that data key is itself encrypted by a master key held in a managed key-management service (AWS KMS). Every encryption and decryption operation is bound to an encryption context tied to your team and repo, so a key cannot be used to decrypt another tenant's data. Secrets are delivered to your machine only by the CLI at runtime and are injected into a child process — the Service is designed so that plaintext secrets are not written to disk on your behalf.
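The following sketch illustrates the envelope-encryption pattern described in this section. It is an added example, not Klavex's code: a local random key stands in for the AWS KMS master key, AES-256-GCM stands in for the ciphers used, and the function names and sample values are assumptions made for the illustration.

```javascript
const crypto = require("crypto");

// Assumption: local stand-in for the master key, which a managed KMS would never export.
const MASTER_KEY = crypto.randomBytes(32);

// Canonical bytes for the encryption context, independent of property order.
function contextBytes(ctx) {
  return Buffer.from(JSON.stringify(Object.keys(ctx).sort().map((k) => [k, ctx[k]])));
}

// AES-256-GCM with the context supplied as additional authenticated data (AAD).
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function open(key, box, aad) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  // final() throws when the tag does not verify, e.g. because the context differs.
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// A fresh data key per secret encrypts the value; the master key wraps the data key.
function encryptSecret(value, ctx) {
  const aad = contextBytes(ctx);
  const dataKey = crypto.randomBytes(32);
  const record = {
    wrappedKey: seal(MASTER_KEY, dataKey, aad),
    value: seal(dataKey, Buffer.from(value, "utf8"), aad),
  };
  dataKey.fill(0); // drop the plaintext data key once both ciphertexts exist
  return record;
}

function decryptSecret(record, ctx) {
  const aad = contextBytes(ctx);
  const dataKey = open(MASTER_KEY, record.wrappedKey, aad);
  try { return open(dataKey, record.value, aad).toString("utf8"); }
  finally { dataKey.fill(0); }
}

// Constructed sample: a record stored under one team/repo context.
const record = encryptSecret("postgres://constructed-sample", { team: "team-a", repo: "api" });
function tryDecrypt(ctx) { try { return decryptSecret(record, ctx); } catch { return null; } }
```

Decryption succeeds only when the caller presents the same team and repo context that was used at encryption time; any other context fails authentication before a data key is recovered.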
5. Service providers (subprocessors)
We share data with a small set of providers strictly to operate the Service:
| Provider | Purpose |
|---|---|
| Amazon Web Services | Cloud hosting, database, authentication, key management, and email. |
| Stripe | Subscription billing and payment processing. |
| Vercel | Website hosting and privacy-friendly analytics. |
We may also disclose information if required by law or to protect the rights, safety, and security of Klavex, our users, or the public.
6. Data retention
We retain account and workspace data for as long as your account is active. Audit-log retention depends on your plan (currently 7 days on Solo and 90 days on paid plans; custom retention is available on Enterprise contracts). When you delete your team or account, we delete the associated vault records; backups and logs are purged within a commercially reasonable period thereafter.
7. Your rights
Depending on where you live, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing (for example under the GDPR or CCPA). You can exercise many of these directly in the dashboard, or by emailing privacy@klavex.dev. We will respond within the timeframe required by applicable law.
8. Cookies & tracking
We aim to keep tracking minimal. Our analytics are cookieless and do not build cross-site advertising profiles. The dashboard stores authentication tokens in your browser's local storage to keep you signed in; these are not used for tracking.
9. International transfers
We operate on cloud infrastructure that may process data in the United States. Where data is transferred across borders, we rely on appropriate safeguards as required by applicable law.
10. Security
We use technical and organizational measures designed to protect your information, including encryption in transit and at rest, scoped access controls, and audit logging. No method of transmission or storage is perfectly secure, but we take the protection of secrets seriously. To report a vulnerability, contact security@klavex.dev.
11. Children
The Service is not directed to children and is intended for users who are at least 16 years old (or the age of digital consent in your country).
12. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you through the Service.
13. Contact
Questions about this policy? Email privacy@klavex.dev.