Kee Vault Privacy Statement

Effective date: 6th July 2023

Thanks for entrusting Kee Vault with your personal information. Holding onto your private information is a serious responsibility, and we want you to know how we’re handling it.

If you choose not to register an Account with us and instead use the free version of Kee Vault (“version 2”), you might not need to provide us with any personal data. That obviously makes some clauses below redundant, although you may wish to review the entire document anyway if you think that you might sign up for an Account one day in the future.

The short version

We only collect the information you choose to give us, and we process it with your consent, or on another legal basis; we only require the minimum amount of personal information that is necessary to fulfill the purpose of your interaction with us; we don’t sell it to third parties; and we only use it as this Privacy Statement describes.

Of course, this doesn’t tell you everything, so please read on for more details!

The medium version

Because we think this is really important, you will see this same information directly on the registration page so feel free to skip to the full version below.

Your email address is securely sent to a Kee Vault server (a computer on the internet) and immediately encrypted so that no-one can view it, even if the Kee Vault account database is illegally accessed. Our advanced personal data protection solution means that even when you next sign in to Kee Vault, your email address is not transmitted.

We will share your email address only with 3rd parties that are essential to the operation of the Kee Vault service, for example for payment processing. We demand the highest level of security from these recipients of your personal data.

Potentially personally identifiable information is only kept for as long as is needed for us to deliver the service to you and meet our legal obligations. For example, the server logs IP addresses as part of protecting your account from unauthorised access attempts.

To improve Kee Vault for you, we may record anonymous usage data across our apps, keevault.pm and our associated websites. This never includes personally identifiable information (or passwords!) and is never shared.

The security of your information depends upon the security of the devices that you use to access Kee Vault. This is no different to every other online or offline app but we want to re-iterate that point here: any software or service that claims to protect you from a security breach on a local device is misleading you - it is your responsibility to keep your local device secure.

We and/or our essential 3rd party partners will send you emails that relate to critical service or security issues as necessary. We’ll send a handful of introductory emails with usage instructions and tips which are legitimately in your interest but you can unsubscribe any time from the emails themselves. Receiving marketing emails is optional.

The full version

Definition of “User Personal Information”

This is any information about one of our users which could, alone or together with other information, personally identify him or her. Information such as an email address is an example of “User Personal Information.” User Personal Information includes Personal Data as defined in the General Data Protection Regulation (GDPR).

User Personal Information does not include aggregated, non-personally identifying information. We may use aggregated, non-personally identifying information to operate, improve, and optimize our website and service.

What information Kee Vault collects and why

Information from website browsers and applications

If you’re just browsing the website or using an app we offer, we collect the same basic information that most websites and apps collect. We may use common technologies, such as cookies and web server logs. This is stuff we collect from everybody, whether they have an account or not.

The information we collect about all visitors/users includes your browser type or device model, language preference, referring site, pages visited/features used and the date and time of each visitor request. We also collect potentially personally-identifying information like Internet Protocol (IP) addresses.

Why we collect this information

We collect this information to better understand how our website visitors use Kee Vault, and to monitor and protect the security of the website.

Information from users with accounts

If you create an account, we require some basic information at the time of account creation. We will ask you for a valid email address. Your password gives you access to your account as well as your encrypted Vault filled with your passwords.

Your password is never sent to Kee Vault (we use modern security techniques like SRP to accurately authenticate you without needing to ever see it).

Why we collect this information
  • We need your User Personal Information to create your account, and to provide the services you request, including to provide the Kee Vault service, or to respond to support requests.
  • We use your User Personal Information, specifically a pseudo-anonymous version (one-way cryptographic hash) of your email address, to identify you on Kee Vault.
  • We will use your email address to communicate with you, if you’ve said that’s okay, and only for the reasons you’ve said that’s okay. Please see our section on email communication for more information.
  • We make limited use of your User Personal Information for internal purposes, such as to maintain logs for security reasons, for training purposes, and for legal documentation.
  • We limit our use of your User Personal Information to the purposes listed in this Privacy Statement. If we need to use your User Personal Information for other purposes, we will ask your permission first.

Under certain international laws (including GDPR), Kee Vault is required to notify you about the legal basis on which we process User Personal Information. Kee Vault processes User Personal Information on the following legal bases:

  • When you create a Kee Vault account, you provide your email address. We require this for you to enter into the Terms of Service agreement with us, and we process this on the basis of performing that contract. We also process your email address on other bases such as if you opt-in to receive marketing email messages.
  • If you have an Active Kee Vault Subscription, there will be other data elements we must collect and process on the basis of performing that contract. Kee Vault does not collect or process a credit card number, but our third-party payment handlers and Subscription Providers do.
  • When you fill out the information in your support profile, you have the option to provide User Personal Information such as your full name. We process this information on the basis of consent. All of this information is entirely optional, and you have the ability to access, modify, and delete it at any time.
  • Generally, the remainder of the processing of personal information we perform is necessary for the purposes of our legitimate interests. For example, for security purposes, we must keep logs of IP addresses that access Kee Vault.

What information Kee Vault does not collect

We do not intentionally collect sensitive personal information, such as government ID numbers, genetic data, health information, or religious information. Although Kee Vault does not request or intentionally collect any sensitive personal information, we realize that you might store this kind of information in your account. If you store any sensitive personal information in your Vault, you are responsible for complying with any regulatory controls regarding that data.

If you’re a child under the age of 13, you may not have an account on Kee Vault. Kee Vault does not knowingly collect information from or direct any of our content specifically to children under 13. If we learn or have reason to suspect that you are a user who is under the age of 13, we will unfortunately have to close your account. We don’t want to discourage you from improving your online security, but those are the rules. Please see our Terms of Service for information about account termination. Other countries may have different minimum age limits, and if you are below the minimum age for providing consent for data collection in your country, you may not use Kee Vault without obtaining your parents’ or legal guardians’ consent.

How we share the information we collect

We do share User Personal Information with your permission, so we can perform services you have requested or communicate on your behalf. Additionally, you may indicate, through your actions on Kee Vault, that you are willing to share your User Personal Information. We will respect your choices.

We do not share, sell, rent, or trade User Personal Information with third parties for their commercial purposes.

We do not host advertising on Kee Vault.

We do not disclose User Personal Information outside Kee Vault, except in the situations listed in this section or in the section below on Compelled Disclosure.

We do share certain aggregated, non-personally identifying information with others about how our users, collectively, use Kee Vault, or how our users respond to our other offerings. For example, we may compile statistics on the number of active users or approximations of the quantity of stored passwords. However, we do not sell this information to advertisers or marketers.

We do share User Personal Information with a limited number of third party vendors who process it on our behalf to provide or improve our service, and who have agreed to privacy restrictions similar to our own Privacy Statement by signing data protection agreements. Our vendors perform services such as payment processing, customer support ticketing, hosting infrastructure, network data transmission, and other similar services. When we transfer your data to our vendors we remain responsible for it and always transfer the minimum amount of data possible. While Kee Vault processes all User Personal Information in the United States, EU or UK, our third party vendors may process data outside of these locations.

We may share User Personal Information if we are involved in a merger, sale, or acquisition. If any such change of ownership happens, we will ensure that it is under terms that preserve the confidentiality of User Personal Information, and we will notify you on our website or by email before any transfer of your User Personal Information. The organization receiving any User Personal Information will have to honor any promises we have made in our Privacy Statement or in our Terms of Service.

Kee Vault applications

You may also have the option of adding applications from Kee Vault, such as browser extensions, desktop or mobile apps/helpers, or other account features, to your account. These applications may have their own terms and privacy statement, and may collect different kinds of User Personal Information; however, we will always collect the minimum amount of User Personal Information necessary, and use it only for the purpose for which you have given it to us.

How you can access and control the information we collect

Access, update, alter or delete your personal information by signing in to Kee Vault and visiting your Account Settings page. Some information is managed directly through that page and in other cases you will be able to follow the links/buttons to the relevant page.

Data portability

You can save a copy of your data at any time from Kee Vault. The data format is KDBX, a standard, encrypted and widely supported format specialised for password storage.

Data retention and deletion of data

Generally, Kee Vault will retain User Personal Information for as long as your account is active or as needed to provide you services.

We may retain certain User Personal Information indefinitely, unless you delete it or request its deletion. For example, we don’t automatically delete inactive user accounts, so unless you choose to delete your account, we will retain your account information indefinitely.

You can cancel your Subscription at any time. If your Subscription Provider is Kee Vault Ltd, you can do this by going into your Account settings. The Subscription details screen provides a simple cancellation link. If you chose a different Subscription Provider you will need to follow the steps that they explain to you.

We are not able to cancel Accounts in response to an email, a message via any medium or a phone request.

We will retain and use your information as necessary to comply with our legal obligations, protect your security, resolve disputes, and enforce our agreements.

For example, your encrypted email address will be kept for up to 5 years after Account Deletion to ensure that we can contact you in the unlikely event that this is required for security or legal reasons (such as notifying you of a historical security risk that could have affected you while your account was active). If you opt in to receiving marketing emails we will delete your email address shortly after you opt out, as long as your account has been inactive for at least 5 years.

We will delete your encrypted passwords and any payment details held at our payment partners within 180 days of cancellation or termination (though some information may remain in encrypted backups and it can then take up to a month for the process to complete). This information cannot be recovered once your Account is Deleted.

This 180 day Protective Grace Period is essential to defend you against accidental and malicious threats, especially those relating to abuse of trust such as for those people trapped in abusive relationships.

If you would like an earlier end to the free Protective Grace Period after Subscription cancellation, you can request that your account is deleted as quickly as possible by using the form at https://kee.pm/keevault/delete-account/ . The earliest that we can safely destroy your data is around 3 weeks after you request it to be deleted. As with the automatic data removal procedure after 180 days, it may then take up to a month for the data to be fully destroyed and we cannot guarantee that it will not remain hidden away in some encrypted backups indefinitely.

Our use of cookies and tracking

Cookies

Note: This “Cookies” section is not relevant to the Kee Vault version 2 native app(s) such as the Android app or iOS app.

Kee Vault avoids the use of cookies wherever possible.

Our network provider (CloudFlare CDN) uses cookies to identify a device, for security reasons.

To make interactions with our service easy and meaningful, we use local storage (such as HTML5 localStorage) to enable offline access, remember your preferences, and provide information for future development of Kee Vault.

By using our website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept cookies or local storage, the Kee Vault Service may malfunction or not work at all.

Tracking and analytics

We use an analytics system to help us evaluate our users’ use of Kee Vault; compile statistical reports on activity; and improve our content and website performance.

A unique random identifier will be created for your account and may be used on each of your devices to ensure that the anonymous data from your account is correctly associated together. Kee Vault does not store or otherwise have any access to the data that would be required to use this identifier to identify you or any of your personal information, so even security breaches of multiple Kee Vault services will have no effect on your privacy.

None of this anonymous data is ever shared, although we may share information relating to aggregations of many anonymous identifiers.

Unlike nearly all websites, this is a private analytics system (we do not share your online movements with Google via Google Analytics, for example).

We do not permit third parties other than our essential service providers to track Kee Vault users’ activity over time. We do not track your online browsing activity on other online services over time. We therefore have no need to, and do not, respond to your browser’s Do Not Track signal.

Side note: Independently from this policy, you should investigate how your chosen device’s operating system and app store track you - some may perform additional tracking and share some of this data with us. We won’t ask for it and will ignore it if forced upon us.

How Kee Vault secures your information

Kee Vault takes all measures reasonably necessary to protect User Personal Information from unauthorized access, alteration, or destruction; maintain data accuracy; and help ensure the appropriate use of User Personal Information.

In the event of a data breach that affects your User Personal Information, we will act promptly to mitigate the impact of a breach and notify any affected users without undue delay.

Transmission of data on Kee Vault is encrypted using SSH, HTTPS, and SSL/TLS. We hold your email address in an encrypted state at all times barring the transient need for access, for example when sending you a message to your email address. Stored data is encrypted using AES-256; some transmitted data is also encrypted using AES-256 before transmission over TLS (double encryption).

Your Vault data is AES-256 encrypted on your local machine before being transmitted for synchronisation to your other devices. It is then encrypted again while stored in our cloud where it awaits your next sign-in request.

Private communication network

To protect against malicious attempts to deanonymise information and to enhance your security, your device may participate in a private communication network that includes other Kee Vault or Kee browser extension users.

Messages sent on this network will be encrypted using techniques to ensure the contents of the messages can only be read by their intended recipient, even if those messages pass through multiple intermediate recipients on the way to their destination.

By virtue of joining this network, your device will probably send and receive more data than would otherwise be required for the delivery of the application itself and direct communication with the Kee Vault cloud.

The precise technical details of the form and purpose of these messages may vary but we will always ensure that they serve these broad purposes such that they are justified legally and morally under the basis of being essential to our contract for the supply of a password management service:

  1. Improves your security or privacy - We see this encrypted network as an innovative way to enhance your security and privacy beyond what is possible without the use of the network. We will only ever utilise the network if we are able to justify that such utilisation improves your security or privacy.
  2. Minimal data usage - We will only send what is required and will always ensure that in comparison to the data usage of the rest of the Kee Vault service, the data usage will be negligible both in terms of bandwidth usage and any metered costs you incur from your network supplier; if technically feasible we will use best efforts to deliver data when an unmetered internet connection is available.

As of July 2023 there are no active uses of this communication network. To determine if, when and precisely why Kee Vault utilises these messages, you can of course inspect the completely open source code of Kee Vault at any time.

Kee Vault’s global privacy practices

We store and process the information in several locations in accordance with this Privacy Statement (our subprocessors may store and process data elsewhere).

We work hard to comply with the applicable data privacy laws wherever we do business and strive to go beyond the minimum standards required by even the strictest international policies.

Kee Vault’s primary storage and processing location is the United Kingdom. In future, we may store and process data elsewhere in the EU. We may also store, but not process, encrypted data in the United States. In all cases, this storage and processing adheres to the EU GDPR requirements or the UK equivalent.

How we respond to compelled disclosure

Kee Vault may disclose personally-identifying information or other information we collect about you to law enforcement in response to a valid subpoena, court order, warrant, or similar government order, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or those of third parties or the public at large.

In complying with court orders and similar legal processes, Kee Vault strives for transparency. When permitted, we will make a reasonable effort to notify users of any disclosure of their information, unless we are prohibited by law or court order from doing so, or in rare, urgent circumstances.

For the avoidance of doubt, we never have access to your password data, nor your master password that can reveal this data. Compelled disclosure is therefore most likely to relate to Personal Information such as your email address or payment details.

How we, and others, communicate with you

We will use your email address to communicate with you, if you’ve said that’s okay, and only for the reasons you’ve said that’s okay. For example, if you contact our Support team with a request, we will notify you with a response via email.

Kee Vault may occasionally send notification emails about new features, requests for feedback, important policy changes, or to offer customer support. We also send marketing emails, but only with your consent, if you opt in to our list. There’s an unsubscribe link located at the bottom of each of the marketing emails we send you. Please note that you cannot opt out of receiving important communications from us, such as emails from our Support team, Billing team or system emails.

Our emails might contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure we’re not sending you unwanted email.

Dispute resolution process

In the unlikely event that a dispute arises between you and Kee Vault regarding our handling of your User Personal Information, we will do our best to resolve it - please contact us.

Additionally, if you are a resident of an EU member state, you may have the right to file a complaint with your local supervisory authority.

Changes to our Privacy Statement

Although most changes are likely to be minor, Kee Vault may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending email to the email address specified in your Kee Vault account.

We will also update our website repository, which tracks all changes to this policy. For changes to this Privacy Statement that do not materially affect your rights, we encourage visitors to check that location frequently.

Your GDPR rights

Kee Vault respects privacy rights under Regulation (EU) 2016/679 (GDPR). Information that GDPR requires us to give can be found throughout this privacy statement. So can information about specific rights, like access, rectification, erasure and data portability.

Contacting Kee Vault

If you have questions regarding Kee Vault’s Privacy Statement or information practices, please feel free to contact us.