
KeyText Privacy Policy

Effective date: May 10, 2026
Last updated: May 10, 2026
Operator: KeyText ("we", "us", "our")
Product: The KeyText Chrome extension and the KeyText website at keytext.app
Contact: [email protected]

This Privacy Policy explains what information we collect, how we use it, how we store it, who we share it with, and the choices you have. It applies to the KeyText Chrome extension (the "Extension"), the KeyText website at keytext.app (the "Website"), and any related services we provide (collectively, the "Service"). KeyText is operated by an independent software publisher registered in the United Arab Emirates.

If you do not agree with any part of this policy, please do not install the Extension, do not create an account, and do not use the Service.


1. Plain-language summary

KeyText is a text expander. We try to collect as little as possible:

  • Account-based service: using KeyText requires a KeyText account (email + password, or Google OAuth). When you sign in, your snippets, folders, prompts, and settings are stored on our servers so they sync across your devices, with a read-through cache in your browser via chrome.storage.local so the Extension is fast and works offline. You can sign out or delete your account at any time.
  • AI features: 100% cloud-based. When you explicitly trigger a rewrite, generation, reply, suggestion, or fill, the relevant text is sent through our API to OpenAI to produce the result, then returned to you. We do not run any AI model locally on your device, and we do not log the content of those requests.
  • Payments: handled entirely by Stripe. We never see or store full card numbers.
  • What we don't do: we don't read pages you visit, we don't track your browsing, we don't collect URLs, we don't sell data, we don't share data with advertisers, and we don't use your snippets or AI requests to train any AI model.

The rest of this policy explains each point in detail.


2. Who we are and how to reach us

KeyText is operated by an independent software publisher with its principal place of business in the United Arab Emirates.

  • Privacy questions: [email protected]
  • General support: [email protected] or [email protected]
  • Security disclosures: [email protected]
  • Postal address: KeyText, Sheikh Zayed Road, Sama Tower, Office 305, Dubai, United Arab Emirates

If you are in the European Economic Area, the United Kingdom, or Switzerland, you may also contact our designated data-protection point of contact at the same email.


3. What KeyText does (so you can evaluate what data is involved)

KeyText is a text expansion utility for the Chrome browser. Its single purpose is to replace short keyboard triggers (for example, /sig) with longer pre-defined or AI-generated text in any web page text input. AI features — rewriting tone, generating snippets, drafting replies, suggesting variants, filling variables — operate only when you explicitly invoke them.

KeyText does not run an ad network, does not perform analytics on your browsing behavior, does not track you across sites, does not change your search settings, and does not modify pages outside of the inputs you actively type into.


4. Information we collect

This section lists every category of information we collect, the purpose for collecting it, and how long we keep it. We do not collect any category of information not listed below.

4.1 Snippets, folders, prompts, and settings

What it is: trigger keywords, expansion content (with {{variables}}), folders, tags, saved AI prompts, and your in-Extension preferences.

How we collect it: you enter snippets directly into the Extension's popup or options page, or import them from a file you provide (JSON, CSV, or TextBlaze export).

Where it is stored: in our database (Supabase Postgres), which is the source of truth for your library, plus a read-through cache in chrome.storage.local on your device so the Extension works fast and offline. The cache is a copy of what's already on the server — deleting a snippet removes both the cached and server copy.

How long we keep it: server copies are kept until you delete the snippet or your account. After account deletion, server-side copies are removed within 30 days; the local cache is removed when you sign out, delete the snippet, uninstall the Extension, or clear your browser's site data.

4.2 Account information

What it is: your email address, a securely hashed password (or your Google OAuth profile if you sign in with Google), your plan tier (Free / Pro / Team), your team membership where applicable, and the timestamps of your account events.

How we collect it: you provide it when you create an account on the Extension or Website. A KeyText account is required to use the Extension.

How authentication works: we use Supabase Auth as our authentication provider. Passwords are stored as a one-way hash by Supabase using industry-standard hashing (we never see your plain-text password). Session tokens are JWTs signed with asymmetric keys (ES256) that we verify against Supabase's published JWKS endpoint.

Where it is stored: in our Supabase Postgres database, encrypted at rest.

How long we keep it: until you delete your account. After deletion, account records are removed within 30 days, except where we are required by law to retain billing records (we keep tax-relevant invoice metadata for the period required by applicable tax law, typically up to 7 years; those records do not contain passwords).

4.3 Payment information

What it is: credit-card numbers, billing addresses, and similar payment details.

How we collect it: we don't. Payments are processed entirely by Stripe, Inc. Stripe collects your payment details directly through their hosted payment fields (PCI-DSS compliant). From Stripe we receive only a customer/subscription identifier, your billing country, the last four digits of your card, the card brand, and your subscription status — for receipts, billing reconciliation, and tax compliance.

Where it is stored: with Stripe. Stripe's privacy policy applies: stripe.com/privacy.

How long we keep it: we do not store full payment information at any time. The non-card metadata Stripe returns to us is kept for the life of your account plus the legally required tax-record retention period.

4.4 Cloud AI request content (only when you opt in and invoke an AI action)

What it is: the specific text you select, type, or compose when you trigger an AI feature (rewrite tone, generate snippet, draft reply, suggest variants, fill variables), plus a short system prompt we add to instruct the model.

How we collect it: only when (a) you are signed in, (b) you have explicitly invoked an AI action in the Extension, and (c) you have acknowledged the in-Extension cloud-AI disclosure that appears the first time you use one of these features.

How it is processed:

  • The Extension sends the selected text and the system prompt to our API at api.keytext.app over HTTPS (TLS 1.2 or higher).
  • Our API forwards the request to OpenAI via OpenAI's Chat Completions API. The specific model is configured at deploy time (currently gpt-4o-mini, set via an environment variable, and we may swap to a different OpenAI model for performance or cost reasons; this never changes who processes your data).
  • OpenAI returns the rewritten / generated text. We pass it back to the Extension and stream it into the page.
  • Our API does not log the content of your requests or responses. We log only an anonymous request identifier, a timestamp, your account ID, the task name (e.g. rewrite), and a usage count for billing and quota enforcement.
  • OpenAI's processing of API content is governed by OpenAI's API Data Usage Policy: openai.com/policies/api-data-usage-policies. Per OpenAI's policy, content sent to the API is not used to train OpenAI's models and is retained by OpenAI for up to 30 days for abuse and misuse monitoring before being deleted.

How long we keep it: we do not retain the content of your AI requests or responses. The anonymous billing/quota counters (no content) are retained for the life of your account.

Your control: the Extension shows you a one-time disclosure the first time you trigger a cloud-AI action and asks you to confirm before any data is sent. You can simply not use the AI features — snippet expansion works entirely without invoking the model.

We do not run any AI model on your device. Some browsers ship with on-device AI APIs; KeyText does not use them. All AI features in this Extension run via OpenAI's cloud API as described above.

4.5 Communications you send us

If you email us for support, reply to a survey, fill in our contact form, or otherwise communicate with us, we keep those communications and any information you choose to include in them. We use this information only to respond and to improve KeyText.

4.6 Post-uninstall feedback (optional)

When you install the Extension, we generate a random opaque token in your browser and register it with our API as the redirect target Chrome opens after an uninstall. If you choose to fill in the optional uninstall feedback form on our Website, that token allows us to associate your reasons with your account so we can act on them. The token is not used for any other purpose, and you can simply close the page without submitting the form.

4.7 Usage events (signed-in users)

What it is: a small set of per-user usage events stored on our backend so the Extension can power the in-product Analytics view (time saved, top snippets, weekly trend), enforce AI quotas, and let us understand product reliability in aggregate.

How we collect it: when you are signed in, the Extension records the following:

  • Per-snippet counters: a use_count and a last_used timestamp on each of your snippets, updated when you expand the snippet.
  • Per-user AI counters: monthly and daily AI-action counters on your user record, used for quota enforcement.
  • Event log: a row in our internal events table for each of these actions: login, sign_up, snippet_insert, ai_call (with the AI task name — e.g. rewrite — but not the prompt or response content), and account/plan transitions such as plan_upgraded. Each row includes your user ID and a UTC timestamp.

What it is not: these events do not include the content of your snippets, the content or response of any AI request, the URL of the page you were on, the contents of any web page, or your browsing history.

How we use it: to render your in-product Analytics card, to enforce AI plan caps, to investigate bugs, and — in aggregated form — to understand feature usage at the product level. We do not share this data with any third party for analytics or advertising purposes.

How long we keep it: for the life of your account. Deleted with your account on request (see Section 10.3).

If you are not signed in, none of the above is sent — there is no server to send it to. The Extension does not include any third-party analytics SDK (Google Analytics, Mixpanel, Segment, Amplitude, Sentry, etc.).

4.8 Information we do not collect

To be explicit:

  • Web browsing activity: we do not collect, store, or transmit the URLs you visit, the contents of pages you view, or your browsing history. The Extension's host permission exists solely to enable the user-facing feature of expanding snippets in text inputs on those pages.
  • Form data outside snippet triggers: the Extension reads what you are typing only to detect snippet triggers. When no trigger is matched, no data leaves the buffer that holds the last few characters you typed (which is purged within seconds and never transmitted).
  • Password fields: Chrome blocks extensions from password input fields by design, and we additionally check field types to skip them.
  • Other extensions or your file system: KeyText has no permission to read other extensions' data or files outside the browser.
  • Crash reports or third-party diagnostic SDKs: the Extension does not include Sentry, Bugsnag, Datadog RUM, or any equivalent third-party crash/diagnostics SDK. If we add one in the future, we will update this policy first.

5. How we use the information

We use the information described in Section 4 only for the purposes listed here:

  1. To provide the Service: to expand snippets, sync your library across your devices when you are signed in, authenticate your account, enforce plan caps, and process payments.
  2. To support cloud AI features: to forward your explicit AI request to OpenAI and return the result.
  3. To support and improve the Service: to investigate bugs and crashes you report to us, and to plan product improvements based on aggregated, non-content metrics (number of AI calls, plan distribution, etc.).
  4. To communicate with you: to send transactional emails (account confirmations, payment receipts, password resets, security notices, team invitations) and, with your separate opt-in consent, occasional product updates. You can unsubscribe from product updates at any time using the link in any such email.
  5. To comply with law: to meet our legal obligations and respond to lawful requests from public authorities.
  6. To protect the Service and its users: to detect, prevent, and respond to fraud, abuse, security incidents, and violations of our terms.

We do not use any information for personalized advertising, ad targeting, profiling for marketing, or any other purpose not described in this policy.


6. How we store and protect the information

6.1 Storage locations

  • Account data, snippets, billing metadata, support tickets: in our database hosted on Supabase Inc. (United States), and on the application servers we operate on a virtual private server hosted by Contabo GmbH in Germany.
  • Local cache: a read-through copy of your library in your browser via chrome.storage.local, refreshed from the server when you open the Extension. The server is the source of truth.
  • Backups: encrypted database backups managed by Supabase on a rolling retention window (typically up to 30 days for the active project, with longer retention available on Supabase's higher tiers).

6.2 Security measures

We use commercially reasonable technical and organizational measures to protect your information, including:

  • Encryption in transit: all data exchanged between the Extension, our API, our database, our payment processor, and OpenAI uses TLS 1.2 or higher (HTTPS).
  • Encryption at rest: account data and synced snippets are stored in our Postgres database with encryption at rest provided by Supabase.
  • Hashed passwords: passwords are hashed by Supabase Auth using industry-standard one-way hashing — we never store passwords in plaintext, and we cannot recover a forgotten password (only reset it).
  • Asymmetric session tokens: session tokens are JWTs verified against Supabase's published JWKS endpoint (ES256), so a leaked shared secret cannot forge sessions.
  • Quota and abuse controls: per-user request rate limiting and concurrency caps to mitigate runaway costs and denial-of-service.
  • Access controls: production database and application access is limited to authorized administrators with multi-factor authentication.
  • Dependency review: we keep our dependencies up to date and review the Extension's code on every release.

No system is perfectly secure. If we become aware of a security incident affecting your data, we will notify you in accordance with applicable law.

6.3 Data retention summary

| Data | Retention |
|---|---|
| Snippets and settings (in our database) | Until you delete them or your account; removed from active systems immediately, purged from backups within 30 days |
| Local cache (in your browser via chrome.storage.local) | Until you sign out, delete the snippet, uninstall the Extension, or clear your browser's site data |
| Account records | Until account deletion + up to 30 days for backup purging |
| Tax-relevant billing metadata | As required by applicable tax law (typically up to 7 years) |
| Cloud AI request and response content | Not retained by us. OpenAI retains for up to 30 days for abuse monitoring per their API policy. |
| AI usage counters (no content) | For the life of the account |
| Per-snippet use_count + last_used (signed-in users) | For the life of the snippet (deleted with the snippet or the account) |
| Internal events log (login, sign_up, snippet_insert, ai_call task name, plan_upgraded — never content) | For the life of the account |
| Support email correspondence | Up to 2 years after resolution |
| Website analytics (Google Analytics 4) | 14 months (default GA4 retention with IP anonymization) |

7. How we share the information

We share information only as described below. We do not sell your data and we do not share it for advertising purposes.

7.1 Service providers ("processors")

We share certain information with vendors that help us operate the Service. Each is bound by a written contract that limits how they can use the data and requires appropriate security.

| Provider | Purpose | What they receive | Privacy policy |
|---|---|---|---|
| Supabase, Inc. (United States) | Authentication and database (Postgres) for accounts, snippets, folders, prompts, and team membership | Account email, password hash, server-stored snippet/folder/prompt content, plan and team metadata | supabase.com/privacy |
| Contabo GmbH (Germany) | Virtual private server hosting for our API and admin dashboard (the application layer in front of Supabase) | HTTPS request metadata; no content is logged for AI requests | contabo.com/en/legal/privacy |
| OpenAI, L.L.C. (United States) | AI inference for cloud-AI features (rewrite, generate, reply, suggest, fill) | The text you submit for an AI action and our system prompt — only at the moment of an AI action you have triggered | openai.com/policies/privacy-policy |
| Stripe, Inc. (United States) | Payment processing, subscription billing, tax compliance for Pro and Team subscriptions | Payment-card details (collected directly by Stripe), billing email, billing country | stripe.com/privacy |
| Resend (United States) | Transactional email from keytext.app (sign-in links, receipts, security notices, contact-form notices) | Account email, message body | resend.com/legal/privacy-policy |
| Brevo (European Union) | Transactional and opt-in newsletter email from our marketing domain (subscription welcome, plan-change notices, team invites, newsletter confirmations, opt-in product updates) | Account email, message body, subscription status | brevo.com/legal/privacypolicy |
| Cloudflare, Inc. (United States) | DNS resolution for our domains (DNS-only, no proxy) | Standard DNS resolution data | cloudflare.com/privacypolicy |
| Google Analytics 4 (United States) | Aggregate analytics for keytext.app only (the Extension does not call Google Analytics). Configured with IP anonymization on, advertising-data sharing off, and Google Consent Mode v2 — analytics tags do not set cookies until you give consent through our cookie banner in regions where consent is required | Page views, country, session metrics — no individual identification | policies.google.com/privacy |
| Google Workspace (United States) | Business email and internal communications | Support and business email content | policies.google.com/privacy |

If we change service providers in any of these categories, we will update this list within 30 days. The categories themselves will not expand without notice to you.

7.2 Legal compliance and protection

We may disclose information if we are required to do so by applicable law, valid legal process (such as a subpoena, warrant, or court order), or a government request, or if we believe in good faith that disclosure is reasonably necessary to (a) comply with a legal obligation, (b) protect the rights, property, or safety of KeyText, our users, or the public, (c) detect, prevent, or address fraud, security, or technical issues, or (d) enforce our terms.

Where we believe a request is overbroad or unlawful, we will challenge it. Where law permits, we will notify the affected user before disclosing.

7.3 Business transfers

If KeyText is involved in a merger, acquisition, asset sale, financing, or bankruptcy, your information may be part of the assets transferred. We will require the receiving party to honor this Privacy Policy, and we will notify you (by email and in the Extension) before any such transfer takes effect, so you can choose to delete your account first.

7.4 With your consent

We may share information for purposes other than those described above if you explicitly direct us to do so (for example, sharing your snippet library with a teammate via a Team plan).

7.5 What we do not do

  • We do not sell, rent, or lease your data to third parties for any purpose.
  • We do not share your data with data brokers, advertising platforms, or analytics companies for cross-site tracking.
  • We do not use your snippets, your AI requests, or your usage to train any AI model — ours or anyone else's.
  • We do not allow OpenAI or any other vendor to use the data we share with them for any purpose other than providing the requested service back to us.

8. Chrome Extension permissions and why we request each one

KeyText follows the principle of least privilege: we request only the permissions necessary to deliver the features described in our Chrome Web Store listing. The list below corresponds exactly to the Extension's manifest.json.

| Permission | Why we request it |
|---|---|
| storage | To save your snippets, folders, AI prompts, and settings in chrome.storage.local and chrome.storage.sync so the Extension works offline and your library persists across sessions. |
| identity | To allow you to sign in with Google directly from the Extension popup using Chrome's built-in OAuth flow, without redirecting you off-page. We receive only your Google email and basic profile from this flow; we do not read any other Google data. |
| host_permissions: <all_urls> | To allow snippet expansion in text inputs on any website you choose to use KeyText on. We do not read page content. We attach event listeners to text inputs only to detect triggers. Without this permission, KeyText would only work on a fixed list of sites — which would defeat its purpose as a universal text expander. |

The Extension does not request any of the following permissions because we do not need them: tabs (we do not read URLs of arbitrary tabs), webNavigation, cookies, history, bookmarks, downloads, topSites, webRequest, nativeMessaging, scripting, contextMenus, activeTab, offscreen, or alarms.

If we add a new permission in a future version, we will update this section before that version is submitted to the Chrome Web Store, and the Extension will display an in-product disclosure describing the new permission and its purpose.


9. Limited Use disclosure (Chrome Web Store User Data Policy)

KeyText's use of information received from Chrome APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. Specifically:

  • We use Chrome user data only to provide and improve the Extension's user-facing features described in this policy and on the Chrome Web Store listing.
  • We do not transfer user data except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to the user.
  • We do not use user data for personalized advertising or any other purpose unrelated to the Extension's single purpose.
  • We do not sell user data to third parties.
  • We do not use or transfer user data to determine creditworthiness or for lending purposes.
  • We do not allow humans to read user data, except (a) with the user's explicit affirmative consent, (b) to investigate abuse or security incidents under appropriate access controls, or (c) where required by law.

10. Your rights and choices

You have the following rights regarding your information. We honor these rights for all KeyText users worldwide, regardless of where you live.

10.1 Access and portability

You can export your full snippet library at any time from the Extension's options page (Export → JSON / CSV / TextBlaze). For account information held server-side, email [email protected] and we will provide an export within 30 days.

10.2 Correction

You can edit any snippet, folder, prompt, or account detail directly in the Extension or your account settings. To correct other information, email us.

10.3 Deletion

  • Snippets: delete them directly in the Extension. Local copies are removed immediately. Server copies, if any, are removed immediately and purged from backups within 30 days.
  • Account: delete your account from the Extension's options page, your account settings on keytext.app, or by emailing [email protected]. Account deletion removes all server-side data within 30 days, except records we are required by law to retain.
  • Uninstalling the Extension: removes all locally stored snippets and settings from that browser. If you also have an account, the server copy of your data is unaffected unless you delete your account too.

10.4 Opt out

  • Cloud AI: simply do not invoke an AI feature, or sign out. The Extension does not invoke AI automatically.
  • Server-side sync: sign out of the Extension; the local cache stops refreshing from the server. Delete your account to remove the server copy.
  • Marketing emails: use the unsubscribe link in any product-update email. Transactional emails (receipts, security notices) cannot be opted out of while you maintain an account.

10.5 Specific rights for residents of certain regions

European Economic Area, United Kingdom, Switzerland (GDPR / UK GDPR): you have the right to access, correct, delete, restrict processing of, port, and object to processing of your personal data. The lawful bases on which we process your data are: (a) performance of a contract (providing the Service you signed up for), (b) legitimate interests (security, fraud prevention, service improvement), and (c) consent (cloud AI features and marketing emails). You have the right to withdraw consent at any time. You may lodge a complaint with your local supervisory authority.

California (CCPA / CPRA): you have the right to know what personal information we collect, the right to delete it, the right to correct it, the right to opt out of "sale" or "sharing" (we do not sell or share personal information as those terms are defined under California law), and the right not to be discriminated against for exercising these rights. To exercise any of these rights, email [email protected].

Other US states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, etc.): you have substantially similar rights to access, delete, correct, and opt out. The same email address handles all such requests.

UAE residents: KeyText complies with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). You have the right to access, correct, and delete your personal data; contact [email protected].

To exercise any of these rights, email [email protected] from the email address associated with your account. We will respond within the timeframe required by applicable law (typically 30 to 45 days). We may need to verify your identity before fulfilling certain requests.


11. Children's privacy

KeyText is not directed to children under 13 (or under 16 in the EEA / UK), and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact [email protected] and we will delete it.


12. International data transfers

KeyText is operated from the United Arab Emirates and uses service providers in the United States, the European Union, and other jurisdictions. By using the Service, you understand that your information will be transferred to, stored in, and processed in countries other than your own.

For EEA / UK / Swiss users: when we transfer personal data outside the EEA, UK, or Switzerland, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK / Swiss instruments, and/or adequacy decisions where applicable.


13. Cookies and similar technologies

13.1 On the KeyText Website (keytext.app)

We use a small set of cookies and similar technologies:

  • Strictly necessary cookies: required for the site to work — for example, remembering your cookie-banner choice and keeping you signed in to /account. These cannot be disabled through the consent banner.
  • Functional cookies: remember small preferences (such as the monthly/yearly toggle on the pricing page).
  • Analytics cookies: set by Google Analytics 4 to understand site usage in aggregate. These are blocked until you give consent through our cookie banner in regions where consent is required, via Google Consent Mode v2.

We do not use advertising cookies, retargeting pixels, social-media share trackers, or third-party marketing trackers on our Website. The full list of cookies, their purpose, and their duration is in our Cookies Policy. You can change your consent at any time using the "Cookie preferences" link in the footer.

13.2 In the Chrome Extension

The Extension does not use cookies. Storage is handled via the chrome.storage.local and chrome.storage.sync APIs, governed by Chrome's data policies.


14. Do Not Track signals

Some browsers include a "Do Not Track" (DNT) feature. Because there is no industry standard for interpreting DNT signals and because we do not engage in cross-site tracking for advertising, our response is the same regardless of DNT settings — we do not track you across websites.


15. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will:

  • Update the "Last updated" date at the top of this page.
  • For material changes (changes that would expand how we use your data or add a new category of recipient), give you advance notice — at least 30 days — by email (if you have an account) and via an in-product banner.

Continued use of the Service after a change takes effect indicates your acceptance of the updated policy. If you do not agree with a change, your remedy is to stop using the Service and, if you have an account, delete it.

16. Supervisory authority (for EEA / UK users)

If you are in the European Economic Area or the United Kingdom and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority:

  • EU: edpb.europa.eu/about-edpb/board/members_en
  • UK: ico.org.uk/make-a-complaint

We would appreciate the opportunity to address your concerns directly first — please email [email protected].


17. How to contact us

  • Privacy questions and data subject requests: [email protected] (please include "Data Request" in the subject line for fastest routing)
  • Security disclosures: [email protected]
  • General support: [email protected] or [email protected]
  • Postal address: KeyText, Sheikh Zayed Road, Sama Tower, Office 305, Dubai, United Arab Emirates

We aim to respond to privacy emails within 5 business days, and to formal data subject requests within the timeframe required by applicable law.


This policy is the complete and exclusive statement of how KeyText handles user data in connection with the Service. It supersedes any prior privacy notice we have published.
