Privacy Policy

Keyhold (“we,” “our,” or “us”) operates an adult lifestyle platform for consenting adults. This Privacy Policy explains what personal information we collect, how we use it, and the choices you have. It applies to keyhold.app and all associated services.

By using the Platform you agree to the collection and use of information as described here. If you do not agree, please do not use the Platform.

Information you provide directly:

• Account data: username, email address, password (stored as a hashed value — we never store plaintext passwords), date of birth.
• Profile data: display name, bio, avatar, interests, experience level, and any other information you choose to add to your profile.
• User content: photos, messages, posts, comments, and other content you submit.
• Payment data: billing address and payment method details. Card numbers and sensitive payment data are handled directly by our payment processors (CCBill, Stripe) and are not stored on our servers.
• Communications: messages you send us via email or support channels.

Information collected automatically:

• Log data: IP address, browser type, operating system, pages visited, timestamps.
• Device data: device type, unique device identifiers (for push notifications with your consent).
• Usage data: features used, actions taken (lock creation, extension triggers, etc.) — used to improve the Platform.
• Cookies and similar technologies: session cookies (required for authentication), preference cookies, and analytics. See Section 8.

We use the information we collect to:

• Create and maintain your account and verify your identity.
• Provide, operate, and improve the Platform.
• Process subscription payments and send billing receipts.
• Send transactional emails (email verification, password reset, lock event notifications) — you cannot opt out of transactional emails while your account is active.
• Send optional marketing or product update emails (you may opt out at any time).
• Enforce our Terms of Service and detect/prevent fraud, abuse, and illegal activity.
• Comply with legal obligations, including mandatory reporting of CSAM to NCMEC and law enforcement.
• Respond to your support requests.

We do not sell your personal information. We share it only as described below:

• Other users: Profile information you make public (username, bio, avatar, public locks) is visible to other users. Private messages are visible only to the participants.
• Service providers: We share data with trusted third parties who assist in operating the Platform, including:
  • Resend — transactional email delivery
  • Stripe / CCBill — payment processing
  • Amazon Web Services (S3) — media storage
  • Sentry — error monitoring
  • PhotoDNA (Microsoft) — CSAM detection on uploaded media
  These providers are contractually bound to use data only to provide services to us.
• Legal requirements: We will disclose information if required by law, court order, or government authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Keyhold, our users, or the public. We are required by law to report CSAM to NCMEC.
• Business transfers: If Keyhold is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before your information is subject to a materially different privacy policy.

We retain your personal information for as long as your account is active or as needed to provide services. When you delete your account, we will delete or anonymize your personal data within 30 days, except:

• Information we are required to retain by law (e.g., billing records for up to 7 years).
• Aggregated or anonymized data that cannot identify you.
• Records related to CSAM reports, which are retained as required by law.
• Backup copies, which are purged on a rolling 90-day cycle.

We implement industry-standard security measures including:

• Passwords hashed with Argon2id.
• All data in transit encrypted with TLS.
• Sensitive stored values (e.g., device tokens) encrypted at rest using AES-256.
• Short-lived JWT access tokens (15-minute expiry) with secure refresh token rotation.
• Access controls limiting employee access to personal data to those with a business need.

No system is 100% secure. If you believe your account has been compromised, contact us immediately at [email protected].

Depending on your location, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate data (much of this can be done directly in Settings).
• Deletion: Request deletion of your account and personal data via Settings > Delete Account.
• Data portability: Request an export of your data in a machine-readable format via Settings > Export Data.
• Opt-out of marketing emails: Use the unsubscribe link in any marketing email or update your notification preferences in Settings.
• Push notifications: Manage or revoke push notification permissions via your browser or device settings at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

We use the following types of cookies:

• Strictly necessary: Session and authentication cookies required for the Platform to function. These cannot be disabled.
• Preference: Store your settings (e.g., notification preferences).
• Analytics: Help us understand how the Platform is used so we can improve it. You may opt out via your browser settings.

Most browsers allow you to refuse or delete cookies. Doing so may affect the functionality of the Platform.

We operate an in-house age verification system. If you choose to verify your age beyond self-attestation, you may submit a government-issued ID document and optional selfie. This information is:

• Stored securely and accessible only to our internal review team.
• Used solely to confirm you are 18 or older.
• Permanently deleted from our servers once your verification is complete, regardless of outcome.
• Never shared with third parties except as required by law.

You may request deletion of a pending submission at any time by contacting us at [email protected].

The Platform is strictly for adults aged 18 and over. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a minor, we will delete it immediately. If you believe a minor has created an account, contact us at [email protected].

Keyhold is operated from the United States. If you are located outside the US, your information will be transferred to and processed in the US, where data protection laws may differ from those in your country. By using the Platform, you consent to this transfer.

For users in the European Economic Area (EEA) or United Kingdom, we rely on Standard Contractual Clauses (SCCs) for transfers to third-party service providers where required.

If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation (GDPR) or UK GDPR, including the right to object to processing, the right to restrict processing, and the right to lodge a complaint with your local data protection authority.

Our legal bases for processing your personal data are: (a) performance of our contract with you (account operation, subscriptions); (b) our legitimate interests (security, fraud prevention, platform improvement); (c) your consent (marketing emails, push notifications, optional age verification); and (d) compliance with legal obligations.

California residents have the right to know what personal information we collect and how it is used, to request deletion, and to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at [email protected].

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or in-app notification at least 14 days before they take effect. The updated policy will always be available at keyhold.app/privacy with the effective date.

If you have questions or concerns about this Privacy Policy or how we handle your data, please visit our Contact page or email us at [email protected].