Privacy Policy
Privacy Policy
Effective date: January 2025
At Key Man Out ("we", "our", or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Business Continuity Vault service (the "Service"). Please read this Privacy Policy carefully.
By using or accessing our Service in any manner, you acknowledge that you accept the practices and policies outlined in this Privacy Policy, and you consent to our collection, use, and sharing of your information as described herein.
Your use of the Service is also subject to our Terms of Service, which incorporates this Privacy Policy by reference. Any capitalized terms not defined in this Privacy Policy have the meanings given to them in the Terms of Service.
What This Privacy Policy Covers
This Privacy Policy covers how we treat Personal Data that we gather when you access or use our Service. "Personal Data" means any information that identifies or relates to a particular individual and includes information referred to as "personally identifiable information" or "personal information" under applicable data privacy laws, rules, or regulations.
This Privacy Policy does not cover the practices of companies we do not own or control, or people we do not manage. This includes third-party services you may access through the Service, such as OAuth providers (Google, GitHub) or payment processors.
Important Note About Zero-Knowledge Encryption
Key Man Out is built on a zero-knowledge architecture. This means:
- Your asset secrets (passwords, API keys, confidential text) and file attachments are encrypted on your device before being transmitted to our servers
- We do not have access to your vault key phrases
- We cannot access, read, decrypt, or recover your encrypted secrets
- Only you and your authorized team members with the vault key phrase can access your encrypted secrets
- Asset metadata (such as titles, instructions, website URLs, and guardian assignments) is stored unencrypted and is accessible to our systems
This Privacy Policy applies to both the unencrypted metadata we can access and your encrypted secrets which remain private and inaccessible to us.
Categories of Personal Data We Collect
The following table details the categories of Personal Data that we collect and have collected over the past 12 months:
| Category | Examples | Third Parties We Share With |
|---|---|---|
| Profile/Contact Data | Name, email address, phone number, profile picture, account credentials | Service Providers, Payment Processors, Parties You Authorize |
| Authentication Data | OAuth provider tokens, passkey public keys, password hashes (never plaintext), magic link tokens | Service Providers |
| Payment Data | Payment card type, last 4 digits of payment card, billing address, billing email (processed by Polar/Stripe) | Payment Processors (Polar, Stripe) |
| Device/IP Data | IP address, device type, operating system, browser type and version | Service Providers, Analytics Partners |
| Usage Data | Login timestamps, feature usage, pages visited, actions taken within the Service | Service Providers, Analytics Partners |
| Geolocation Data | Approximate location based on IP address | Service Providers, Analytics Partners |
| Third-Party Platform Data | Information from OAuth providers (GitHub username, Google profile data) | Service Providers, Parties You Authorize |
| Communication Data | Emails and messages you send to us, support tickets, feedback | Service Providers |
Note: Your encrypted secrets (passwords, API keys, confidential text) and encrypted file attachments are NOT included in the above categories. Due to our zero-knowledge architecture, we cannot access this encrypted data and do not consider it "collected" in the traditional sense. However, asset metadata (titles, instructions, website URLs, guardian assignments) is stored unencrypted and is included in the data we process.
Sources of Personal Data
We collect Personal Data from the following sources:
Information You Provide Directly
- When you create an account or register for the Service
- When you complete forms or provide information in your profile
- When you contact us for support or send us communications
- When you respond to surveys or questionnaires
- When you participate in promotions or other activities
Information Collected Automatically
- Through cookies and similar tracking technologies when you use the Service
- Through server logs that record your interactions with the Service
- Through your browser or device, including IP address and device information
- If you use a location-enabled browser, we may receive approximate location information
Information from Third Parties
- OAuth Providers: If you sign in using Google, GitHub, or another OAuth provider, we receive profile information from that provider (such as name, email, and profile picture)
- Payment Processors: Our payment processor (Polar, which uses Stripe) may provide us with limited payment information for transaction records
- Analytics Providers: We may receive aggregated analytics data from third-party analytics services
How We Use Your Information
We use your Personal Data for the following purposes:
Providing and Maintaining the Service
- Creating and managing your account
- Authenticating your identity and securing your account
- Processing transactions and managing subscriptions
- Providing customer support and responding to inquiries
- Sending transactional communications (access request notifications, team invitations, security alerts)
Improving the Service
- Analyzing usage patterns to improve features and user experience
- Testing new features and functionality
- Identifying and fixing bugs and technical issues
- Conducting internal analytics and research
Security and Fraud Prevention
- Detecting, preventing, and responding to security incidents
- Protecting against fraudulent, unauthorized, or illegal activity
- Enforcing our Terms of Service and other policies
Communications
- Sending service-related announcements and updates
- Responding to your comments, questions, and requests
- Sending marketing communications (with your consent, where required)
Legal Compliance
- Complying with applicable laws, regulations, and legal processes
- Responding to lawful requests from public authorities
- Protecting our rights, privacy, safety, or property
We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated, or incompatible purposes without providing you notice.
How We Share Your Information
We do not sell your Personal Data. We may share your information with the following categories of third parties:
Service Providers
These parties help us provide the Service or perform business functions on our behalf:
- Hosting and Infrastructure: Cloud hosting providers that store and serve our application
- Email Services: Providers that deliver transactional and marketing emails on our behalf
- Analytics: Services that help us understand how users interact with the Service
- Security: Services that help us detect and prevent security threats
- Customer Support: Tools that help us manage and respond to support requests
Payment Processors
We use Polar Software, Inc. ("Polar") as our Merchant of Record for payment processing. Polar uses Stripe, Inc. ("Stripe") as its underlying payment processor.
- Polar collects and processes payment information on our behalf
- Polar handles sales tax, VAT, and other transaction-related taxes
- Please review Polar's Terms of Service and Privacy Policy for information on how they handle your payment data
- Please also review Stripe's Privacy Policy for information on Stripe's data practices
Analytics Partners
We use analytics services to understand how users interact with our Service. These services may collect information about your use of the Service and other websites or applications.
Legal Obligations
We may disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). However, due to our zero-knowledge architecture, we cannot provide access to your encrypted secrets even if legally compelled to do so. Unencrypted asset metadata may be disclosed if legally required.
Business Transfers
If we are involved in a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your Personal Data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service of any change in ownership or uses of your Personal Data.
With Your Consent
We may share your information with third parties when you explicitly consent to such sharing.
Aggregated or De-Identified Data
We may share aggregated or de-identified information that cannot reasonably be used to identify you. This data may be used for analytics, research, or other business purposes.
Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect and store information about your interactions with the Service.
Types of Cookies We Use
Essential Cookies: Required for the Service to function properly. These enable core functionality such as security, authentication, and session management. You cannot opt out of essential cookies.
Functional Cookies: Help us remember your preferences and settings, such as language preferences or display options.
Analytics Cookies: Help us understand how visitors interact with the Service by collecting and reporting information anonymously. We use this data to improve the Service.
Managing Cookies
Most web browsers allow you to control cookies through their settings. You can typically:
- View what cookies are stored on your device
- Delete all or specific cookies
- Block cookies from specific or all websites
- Block third-party cookies
Please note that blocking or deleting cookies may affect your ability to use certain features of the Service.
Do Not Track
Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. Because there is no consistent industry standard for responding to DNT signals, our Service does not currently respond to DNT browser signals.
Data Security
We implement appropriate technical and organizational measures to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction.
Zero-Knowledge Architecture
Our primary security measure is our zero-knowledge encryption architecture:
- Asset secrets (passwords, API keys, confidential text) and file attachments are encrypted client-side using AES-256-GCM before transmission
- Encryption keys are derived from your team's vault key phrase, which we never receive or store
- Even if our servers were compromised, your encrypted secrets would remain protected
- Asset metadata (titles, instructions, website URLs) is stored unencrypted to enable service functionality
Additional Security Measures
- HTTPS/TLS encryption for all data in transit
- Encrypted databases at rest
- Regular security assessments and testing
- Access controls and authentication requirements for our systems
- Employee security training and access restrictions
Your Responsibilities
You are responsible for:
- Maintaining the confidentiality of your account credentials
- Safeguarding your team encryption key phrases
- Using strong, unique passwords
- Logging out of your account when using shared devices
- Notifying us immediately if you suspect unauthorized access to your account
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your Personal Data, we cannot guarantee its absolute security.
Data Retention
We retain your Personal Data for as long as your account is active or as needed to provide you with the Service. We may also retain certain information as necessary to:
- Comply with our legal obligations
- Resolve disputes
- Enforce our agreements
- Support business operations
When we no longer need Personal Data, we securely delete or anonymize it. If deletion is not possible (for example, because the information has been stored in backup archives), we will securely store it and isolate it from further processing until deletion is possible.
Retention Periods
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Transaction records | 7 years (legal/tax requirements) |
| Server logs | 90 days |
| Analytics data | 26 months |
| Support communications | 3 years after resolution |
Children's Privacy
The Service is not intended for children under 18 years of age. We do not knowingly collect Personal Data from children under 18. If you are under 18, please do not use the Service or provide any Personal Data to us.
If we learn that we have collected Personal Data from a child under 18, we will take steps to delete that information as quickly as possible. If you believe that a child under 18 may have provided Personal Data to us, please contact us at legal@keymanout.app.
Your Privacy Rights
Depending on your location, you may have certain rights regarding your Personal Data. These may include the right to:
- Access: Request information about the Personal Data we hold about you
- Correction: Request that we correct inaccurate or incomplete Personal Data
- Deletion: Request that we delete your Personal Data
- Portability: Request a copy of your Personal Data in a structured, machine-readable format
- Opt-Out: Opt out of certain data processing activities, such as marketing communications
- Withdraw Consent: Where we rely on consent for processing, withdraw that consent at any time
To exercise any of these rights, please contact us at legal@keymanout.app. We will respond to your request within the timeframe required by applicable law.
Important: Due to our zero-knowledge architecture, we cannot access, provide, correct, or delete your encrypted secrets. You maintain full control over your encrypted secrets through your vault key phrase. Unencrypted asset metadata can be accessed and managed through your account.
United States State-Specific Privacy Rights
California Residents (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know: You have the right to request that we disclose what Personal Data we collect, use, disclose, and sell about you.
Right to Delete: You have the right to request deletion of Personal Data we collected from you, subject to certain exceptions.
Right to Correct: You have the right to request that we correct inaccurate Personal Data we maintain about you.
Right to Opt-Out of Sale/Sharing: We do not sell or share (for cross-context behavioral advertising) your Personal Data.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of Personal Information: In the preceding 12 months, we have collected the categories of Personal Data described in the "Categories of Personal Data We Collect" section above.
Sources: We collect Personal Data from the sources described in the "Sources of Personal Data" section above.
Business Purposes: We use Personal Data for the purposes described in the "How We Use Your Information" section above.
Disclosure for Business Purposes: We disclose Personal Data to the categories of third parties described in the "How We Share Your Information" section above.
Sale of Personal Information: We do not sell your Personal Data as defined under the CCPA/CPRA.
To exercise your California privacy rights, please contact us at legal@keymanout.app. We may need to verify your identity before processing your request.
Authorized Agents: You may designate an authorized agent to make requests on your behalf. We may require verification that you authorized the agent to act on your behalf.
Shine the Light: Under California Civil Code Section 1798.83, California residents may request information regarding the disclosure of Personal Data to third parties for their direct marketing purposes. We do not disclose Personal Data to third parties for their direct marketing purposes.
Nevada Residents
Nevada residents have the right to opt out of the sale of certain Personal Data to third parties. We do not sell your Personal Data as defined under Nevada law. If you are a Nevada resident and have questions, please contact us at legal@keymanout.app.
Virginia, Colorado, Connecticut, and Utah Residents
If you reside in Virginia, Colorado, Connecticut, or Utah, you may have similar rights to access, correct, delete, and opt out of certain processing of your Personal Data. To exercise these rights, please contact us at legal@keymanout.app.
European Union and United Kingdom Data Subject Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and similar laws.
Data Controller
KeyManOut LLC (to be incorporated in Tennessee, USA) is the data controller responsible for your Personal Data.
Legal Bases for Processing
We process your Personal Data only when we have a valid legal basis to do so:
Contractual Necessity: We process certain Personal Data to perform our contract with you (the Terms of Service) and to provide the Service. This includes account creation, authentication, and service delivery.
Legitimate Interests: We process certain Personal Data based on our legitimate interests, provided those interests do not override your fundamental rights. Our legitimate interests include:
- Improving and developing the Service
- Marketing the Service
- Detecting and preventing fraud and abuse
- Ensuring network and information security
Consent: In some cases, we process Personal Data based on your explicit consent. Where we rely on consent, you have the right to withdraw it at any time.
Legal Obligation: We may process Personal Data to comply with legal obligations, such as tax reporting or responding to valid legal requests.
Your GDPR Rights
Under the GDPR, you have the following rights:
Right of Access: You can request a copy of the Personal Data we hold about you.
Right to Rectification: You can request that we correct any inaccurate or incomplete Personal Data.
Right to Erasure ("Right to be Forgotten"): You can request that we delete your Personal Data in certain circumstances.
Right to Restriction of Processing: You can request that we restrict the processing of your Personal Data in certain circumstances.
Right to Data Portability: You can request a copy of your Personal Data in a structured, commonly used, machine-readable format.
Right to Object: You can object to our processing of your Personal Data based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent: Where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU Member State where you reside, work, or where the alleged infringement occurred. A list of supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
To exercise any of these rights, please contact us at legal@keymanout.app. We will respond within one month of receiving your request, as required by the GDPR.
International Data Transfers
The Service is hosted in the United States. If you are located outside the United States, please be aware that your Personal Data will be transferred to and processed in the United States, where data protection laws may differ from those in your country.
When we transfer Personal Data from the EEA, UK, or Switzerland to the United States, we rely on:
- Standard Contractual Clauses approved by the European Commission
- Other lawful transfer mechanisms as appropriate
By using the Service, you consent to the transfer of your Personal Data to the United States.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
If we make material changes, we will notify you by:
- Posting the updated Privacy Policy on this page with a new "Effective date"
- Sending you an email notification (if we have your email address)
- Displaying a prominent notice within the Service
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
Email: legal@keymanout.app
Mailing Address: KeyManOut LLC Tennessee, USA
We will respond to your inquiry as soon as reasonably practicable.
This Privacy Policy was last updated in January 2025.