KeyText Privacy Policy
Effective Date: April 21, 2026
Last Updated: April 21, 2026
PRIVACY POLICY
KeyText ("we," "us," "our") is a product of KeyText, a company registered in Dubai, United Arab Emirates. This Privacy Policy explains how we collect, use, store, protect, and share information when you use:
- The KeyText Chrome extension (the "Extension")
- The KeyText website at keytext.app (the "Website")
- Any associated services, including the KeyText API when available (together, the "Services")
By installing the Extension or using our Services, you agree to the terms of this Privacy Policy. If you do not agree, please do not use KeyText.
We respect your privacy. We collect only what is necessary to provide the Services, and we do not sell, rent, or trade your personal information to third parties.
1. WHO WE ARE
Company: KeyText
Address: Sheik Zayed Road, Sama Tower, Office 305, Dubai, UAE
General contact: [email protected]
Support contact: [email protected]
Data protection contact: [email protected]
If you are in the European Economic Area (EEA) or the United Kingdom, you may also contact us regarding your data rights at the email above. For formal GDPR inquiries, we aim to respond within 30 days as required by law.
2. INFORMATION WE COLLECT
We collect only the minimum information necessary to provide and improve KeyText. The information we collect depends on whether you use the free local-only mode or create an account.
2.1 Information You Provide Directly
Account information: If you create a KeyText account (required only for Pro, Team, or cross-device sync), we collect:
- Your email address
- Your password (stored as a one-way hash — we never see your plain-text password)
- Your subscription tier (Free / Pro / Team)
Payment information (Pro and Team users only): When you subscribe to a paid plan, payment is processed by our payment provider, Stripe. We do not directly collect or store your full credit card details. Stripe receives and processes your payment information in accordance with PCI-DSS standards. We receive only:
- A subscription ID
- The last 4 digits of your payment card
- Billing country (for tax purposes)
- Subscription status (active, canceled, past due)
User-generated content (your snippets): The snippets, shortcuts, folders, and variables you create inside KeyText are your content. We consider it your intellectual property.
- In local-only mode (free, no account): Your snippets are stored exclusively in chrome.storage.sync or chrome.storage.local within your browser. They never reach our servers.
- With a KeyText account, your snippets are synced to our servers so you can access them across your devices. Snippets are encrypted at rest and transmitted only over HTTPS.
Support communications: When you contact our support team (email, chat, forms), we retain the communication and any information you share to resolve your inquiry.
2.2 Information Collected Automatically
Extension usage data: To improve KeyText, we collect anonymized usage analytics, including:
- Number of snippets created/expanded
- Features used (AI generation, tone rewriting, import/export)
- Approximate country (derived from IP address, not precise location)
- Browser version and operating system
- Extension version
This data is aggregated and anonymized. We cannot identify a specific user from this data alone.
Error reports: When the Extension encounters an error, we collect a diagnostic crash report via Sentry. This includes:
- The error message and stack trace
- The Extension version
- The URL domain (e.g., mail.google.com, not the full URL or page contents)
- Browser/OS information
Error reports do not include your snippet content, the text you were typing, or personally identifiable information.
Website analytics: On keytext.app, we use a privacy-respecting analytics provider (Plausible Analytics). Plausible does not use cookies or collect personal information. It aggregates page views, referrer sources, and country-level location. No individual user is tracked.
2.3 What We Do NOT Collect
We want to be explicit about what KeyText does not do:
- ❌ We do not read the contents of any web page you visit.
- ❌ We do not log what you type in text fields (only the trigger character / is monitored for activation; the text you type afterward is processed locally and never transmitted).
- ❌ We do not track which websites you visit.
- ❌ We do not collect your browsing history.
- ❌ We do not access your passwords, autofill data, or cookies from other sites.
- ❌ We do not use your data to train AI models.
- ❌ We do not sell, rent, or trade your personal information.
3. HOW WE USE YOUR INFORMATION
We use the information we collect only for the following purposes:
To provide and operate KeyText:
- Syncing your snippets across your devices (if you have an account)
- Processing AI requests you initiate (snippet generation, tone rewriting — see Section 4 below)
- Authenticating you when you sign in
- Processing your subscription and payment
To communicate with you:
- Transactional emails (sign-in links, receipts, subscription updates, critical service notices)
- Responses to support requests
- Product updates (only if you opt in — you can unsubscribe anytime)
To improve the Services:
- Analyzing aggregated usage patterns to identify popular features and pain points
- Debugging errors reported via crash reports
- Measuring website performance and content effectiveness
To comply with legal obligations:
- Responding to lawful government or court orders
- Enforcing our Terms of Service
- Preventing fraud, abuse, or violations of our acceptable use policy
4. AI PROCESSING DISCLOSURE
AI processing is central to KeyText, and we want to be transparent about how it works.
4.1 Local AI (Default for Most Tasks)
Approximately 70% of AI tasks — including tone rewriting and short AI generations — are processed entirely on your device using Chrome's built-in Gemini Nano model. In this mode:
- Your text never leaves your browser
- No data is sent to our servers or to Google
- No internet connection is required for local AI tasks
- There is no server-side record of what you asked or received
4.2 Cloud AI (Optional, for Complex Requests)
When you explicitly request complex AI generation (e.g., "generate a full onboarding email sequence") and local AI is unavailable or insufficient, the request is sent to a cloud-based AI provider:
- Google Gemini API (Gemini Flash-Lite model) — our default cloud provider
- Your prompt (the description you typed) is sent to Google's API over HTTPS
- The generated snippet is returned to the Extension
- We do not store your prompt or the generated output on our servers. Google's data handling is governed by the Google AI/Gemini API Terms — we recommend reviewing them if you use cloud AI features.
4.3 Bring Your Own Key (BYOK) Mode
Pro and Team users can connect their own OpenAI, Anthropic, or Google API key. In BYOK mode:
- Your API key is encrypted and stored either locally in the Extension or on our servers (you choose)
- Your AI requests go directly from the Extension to your chosen provider
- We proxy requests only for usage tracking in the Team tier — we do not see, log, or store the content of your prompts or responses
- You are billed directly by your AI provider based on their terms and your usage
4.4 Your AI Data and Privacy
- Cloud AI processing is opt-in per request — you actively choose to use AI, it is never automatic
- We do not use your prompts, snippets, or generated content to train any AI model, now or in the future
- You can disable cloud AI entirely in the Extension settings and operate in local-only mode
5. HOW WE STORE AND PROTECT YOUR DATA
5.1 Where Your Data Lives
Local-only data (free mode, no account): All data stays within your browser in chrome.storage.sync (synced by Google across your signed-in Chrome devices) or chrome.storage.local (device-only).
Account data (Pro/Team users): Stored on servers operated by our cloud provider, Supabase, deployed on AWS (Amazon Web Services). Servers are located in the United States.
Payment data: Stored by Stripe. We never see or store your full card details.
5.2 Security Measures
We employ industry-standard security practices:
- Encryption in transit: All data transmitted between the Extension, our servers, and third-party services uses TLS 1.2 or higher (HTTPS)
- Encryption at rest: Data stored on our servers is encrypted using AES-256
- Access control: Only authorized personnel have access to production systems, with two-factor authentication required
- Monitoring: Systems are continuously monitored for unauthorized access, and we maintain audit logs
- SOC 2 Type I compliance: In progress, with completion targeted for Q3 2026
Despite these measures, no system is 100% secure. In the unlikely event of a data breach affecting your personal information, we will notify you and applicable regulatory authorities as required by law, typically within 72 hours of becoming aware.
5.3 Your Password and Account Security
You are responsible for keeping your account credentials confidential. We recommend:
- Using a strong, unique password (or better, signing in with Google / Apple / Microsoft OAuth where supported)
- Enabling two-factor authentication when available
- Notifying us immediately at [email protected] if you suspect unauthorized access
6. THIRD-PARTY SERVICES
We use carefully selected third-party services to operate KeyText. Each is bound by its own privacy policy. We share only the minimum data necessary.
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Stripe | Payment processing, subscription billing, tax compliance | Email, payment info, subscription status | https://stripe.com/privacy |
| Google Gemini API | Optional cloud AI generation | Prompt text you submit for AI generation | ai.google.dev/terms |
| Cloudflare | Hosting, DNS, security | Standard request data (IP, user agent) | cloudflare.com/privacypolicy |
| Supabase | Database and account infrastructure | Account email, encrypted snippets | https://supabase.com/privacy |
| Sentry | Error monitoring | Error stack traces, Extension version, domain (not URL or content) | sentry.io/privacy |
| Plausible Analytics | Website analytics (privacy-first, no cookies) | Aggregated page views, no personal data | plausible.io/privacy |
| PostHog | Product analytics | Anonymized usage events, no snippet content | posthog.com/privacy |
| Google Workspace | Business email, internal communications | Support email content | policies.google.com/privacy |
We periodically review our third-party providers to ensure they meet our privacy standards. If we add or change providers, we will update this Privacy Policy accordingly.
7. DATA SHARING AND DISCLOSURE
We do not sell, rent, or trade your personal information.
We share data only in these limited circumstances:
With service providers: As described in Section 6, third-party services receive only the data necessary to perform their function, under contractual data-protection agreements.
Legal compliance: We may disclose your information if required by law, subpoena, court order, or valid legal process. We will notify you of such disclosures unless legally prohibited from doing so.
Protecting rights and safety: We may disclose information if we believe in good faith that disclosure is necessary to:
- Protect the rights, property, or safety of KeyText, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues
- Enforce our Terms of Service
Business transfers: If KeyText is acquired, merges with, or sells assets to another company, your information may be transferred as part of that transaction. You will be notified via email and/or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.
With your consent: We may share your information for any purpose with your explicit consent (e.g., testimonials and case studies — always with your written permission).
8. DATA RETENTION
We retain your data only for as long as necessary to provide the Services and comply with legal obligations.
| Data Type | Retention Period |
|---|---|
| Account email and password hash | Until account deletion + 30 days for backup purging |
| Synced snippets (with account) | Until account deletion + 30 days |
| Payment records | 7 years (legal/tax requirement) |
| Support emails | 2 years after resolution |
| Error reports | 90 days |
| Anonymized usage analytics | 24 months |
| Website analytics | 12 months |
| Inactive account data | Deleted after 24 months of inactivity, with 30 days' email notice |
Upon account deletion, your snippets are immediately removed from active systems. Backups containing your data are purged within 30 days.
9. YOUR RIGHTS
Depending on your location, you have specific rights regarding your personal information. We honor these rights for all users regardless of where you live.
9.1 Rights for All Users
You can, at any time:
- Access the personal data we hold about you
- Update inaccurate information via your account settings
- Export your snippets as JSON, CSV, or Text Blaze format from the Extension
- Delete your account and all associated data from the Extension's options page or by emailing [email protected]
- Opt out of product marketing emails via the unsubscribe link in any email (transactional emails, such as receipts, cannot be opted out of)
9.2 Additional Rights for EU/UK Users (GDPR)
Under the General Data Protection Regulation, you have:
- Right to access: Receive a copy of the personal data we hold about you
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): Request deletion of your data
- Right to restrict processing: Limit how we process your data
- Right to data portability: Receive your data in a machine-readable format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time
- Right to lodge a complaint: File a complaint with your local data protection authority
To exercise any of these rights, email [email protected]. We will respond within 30 days.
Legal basis for processing (GDPR): We process your data under the following legal bases:
- Contract performance — to provide the Services you've signed up for
- Legitimate interests — to improve the Services, prevent fraud, and ensure security
- Legal obligation — to comply with tax, accounting, and legal requirements
- Consent — for optional features like marketing emails (withdrawable anytime)
9.3 Additional Rights for California Users (CCPA/CPRA)
Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have:
- The right to know what personal information is collected, used, shared, or sold
- The right to delete personal information we hold
- The right to opt out of the sale or sharing of personal information (Note: we do not sell personal information, so this is automatic)
- The right to correct inaccurate personal information
- The right to limit the use and disclosure of sensitive personal information
- The right to non-discrimination for exercising these rights
To exercise these rights, email [email protected]. We will not discriminate against you for exercising your rights.
9.4 Rights for Users in Other Jurisdictions
If you reside in another jurisdiction (such as the UAE, Canada, Brazil, Australia, or elsewhere) with specific data protection laws, please contact us at [email protected]. We aim to honor data rights under applicable local law.
10. CHILDREN'S PRIVACY
KeyText is not intended for children under 13 years of age (or under 16 in the European Economic Area). We do not knowingly collect personal information from children.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected]. We will promptly delete such information.
11. INTERNATIONAL DATA TRANSFERS
KeyText is operated from the United Arab Emirates, and we use service providers located in the United States, the European Union, and other jurisdictions. By using KeyText, you understand that your information may be transferred to, stored in, and processed in countries other than your own.
For EU/UK users: When we transfer personal data outside the EEA or UK, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for transfers to jurisdictions deemed to provide adequate protection
- Explicit consent where other bases are not available
12. COOKIES AND SIMILAR TECHNOLOGIES
12.1 On the KeyText Website (keytext.app)
We use minimal cookies and tracking technologies:
Essential cookies: Required for basic website functionality (e.g., remembering your cookie-consent preference, maintaining your session while logged in). These cannot be disabled.
Analytics: We use Plausible Analytics, which does not use cookies and does not collect personal information. No cookie banner is required because no tracking cookies are set.
We do not use advertising cookies, retargeting pixels, or third-party marketing trackers on our website.
12.2 In the Chrome Extension
The Extension does not use cookies. Data storage uses chrome.storage APIs that are local to your browser and governed by Chrome's data policies.
13. DO NOT TRACK SIGNALS
Some browsers include a "Do Not Track" (DNT) feature. Because there is no industry standard for interpreting DNT signals and because our website does not engage in cross-site tracking for advertising, our response is the same regardless of DNT settings — we do not track you across websites.
14. THIRD-PARTY LINKS
The KeyText website and help documentation may contain links to third-party websites, services, or products (e.g., Chrome Web Store, Product Hunt, our blog contributors). This Privacy Policy does not apply to those third parties. We encourage you to review their privacy policies before providing them with personal information.
15. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make changes:
- We will update the "Last Updated" date at the top of this page
- For material changes, we will notify you via email (if you have an account) and/or a prominent notice in the Extension and on the website
- We will give you at least 30 days' notice before material changes take effect, where feasible
Your continued use of KeyText after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the changes, you can delete your account and uninstall the Extension before the changes take effect.
We maintain an archive of previous versions of this Privacy Policy at keytext.app/privacy/archive for your reference.
16. CONTACT US
We welcome your questions, comments, and concerns about this Privacy Policy or our data practices.
For general privacy inquiries: 📧 [email protected]
For data subject requests (access, deletion, correction): 📧 [email protected] (Please include the word "Data Request" in the subject line for fastest routing)
For security concerns or vulnerability reports: 📧 [email protected]
For general support: 📧 [email protected]
Postal address: KeyText App, Sheik Zayed Road, Sama Tower, Office 305, Dubai, United Arab Emirates
Data Protection Officer (when applicable): we are below the GDPR threshold requiring a formal DPO, but you can reach our privacy team at [email protected]
17. SUPERVISORY AUTHORITY (FOR EU/UK USERS)
If you are in the European Economic Area or the United Kingdom and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority. You can find your local authority here:
We would appreciate the opportunity to address your concerns directly before you contact the authority — please email [email protected] first.
18. SPECIAL NOTICE FOR UAE USERS
As a UAE-based company, KeyText complies with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). UAE residents have rights similar to those described in Section 9, including the right to access, correct, and delete their personal data. To exercise these rights, please contact [email protected].
Effective Date: April 20, 2026
Document Version: 1.0
By using KeyText, you acknowledge that you have read, understood, and agreed to this Privacy Policy.
Privacy is a feature, not an afterthought. If you have ideas on how we can do better, we genuinely want to hear them: [email protected]