Keyturn Privacy Policy
This Privacy Policy explains how KeyTurn LLC ("KeyTurn," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the Keyturn property management software platform made available at keyturnpm.com and its subdomains (collectively, the "Service").
Keyturn is a business-to-business Software-as-a-Service (SaaS) platform. Our direct customers are property owners, managers, and management companies ("Customers"). Customers use the Service to manage information about their properties, residents, vendors, and operations. Some of that information identifies third parties, including tenants, applicants, vendors, and other contacts, who do not themselves hold accounts with Keyturn.
Data controller vs. data processor. With respect to data about a Customer's own account holders and users, Keyturn acts as a data controller. With respect to tenant, applicant, vendor, and property data uploaded or entered by a Customer ("Customer Content"), the Customer is the controller and Keyturn acts as a processor or service provider on the Customer's behalf. If you are a tenant, applicant, or other third party whose information appears in a Customer's Keyturn account, please direct privacy requests to that Customer in the first instance; we will assist the Customer in responding.
1. Information We Collect
1.1 Account Information
When a Customer creates an account, we collect the organization name, the administrator's first and last name, email address, and password. Passwords are stored as salted bcrypt hashes; we do not retain the plaintext value.
1.2 Customer Content
Customers use the Service to enter, upload, and store information relating to their business, including:
- Property data (addresses, purchase history, financials, warranties, notes)
- Tenant and applicant data (names, contact information, emergency contacts, move-in dates, lease terms, payment history, notes)
- Vendor data (company name, contact, licensing, insurance verification, job history, ratings)
- Financial transactions, rent payments, maintenance tickets, listings, deadlines, calendar events
- Documents uploaded by the Customer (leases, deeds, insurance policies, tax records, invoices, receipts, inspection reports, notices, correspondence)
1.3 Payment Information
Subscription billing is processed by Stripe, Inc. ("Stripe"). We do not receive or store Customer payment card numbers or bank account numbers. Stripe provides us with a customer identifier, a subscription identifier, plan information, and payment event status. Stripe's privacy practices are described at stripe.com/privacy.
1.4 Usage, Device, and Log Data
We and our hosting providers automatically collect certain technical information when you use the Service, including:
- IP address, browser type, browser language, device type, and operating system
- Pages or screens accessed, features used, and time spent
- Referring URL and requested URL
- Error diagnostics and performance metrics
- HTTP request and response metadata, including authentication attempts
1.5 AI Agent Interactions
The Service includes AI "agents" that operate on Customer Content at the Customer's direction. When a Customer invokes an agent, the prompt, the Customer Content supplied to that agent, and the agent's output are stored in the Service for auditability, usage metering, and display within the Customer's account. Metadata about agent runs, including token counts, model identifier, cost, and timing, is also retained.
1.6 Cookies and Similar Technologies
We use cookies and local browser storage to operate the Service. We use (a) strictly necessary cookies to keep you signed in and maintain session state, and (b) limited functional cookies to remember display preferences. We do not use the Service to display advertising, and we do not set cross-site advertising cookies. Blocking strictly necessary cookies will prevent the Service from functioning.
1.7 Information From Integrated Third Parties
If a Customer connects a third-party service to Keyturn (for example, a calendar provider or email provider), we will receive information from that third party as authorized by the Customer and limited to what is necessary to provide the integration. Customers can disconnect integrations at any time from their account settings.
2. How We Use Information
We use the information described above to:
- Provide, operate, maintain, and secure the Service and the Customer's account
- Authenticate users, manage sessions, and enforce plan limits
- Process subscription payments and issue receipts and invoices through Stripe
- Execute agent tasks requested by the Customer, including generating outputs, summarizing documents, and preparing drafts for the Customer's review
- Monitor for fraud, abuse, unauthorized access, and violations of our Terms of Service
- Respond to support requests and communicate with the Customer about the Service
- Analyze aggregate, de-identified usage to improve performance and develop new features
- Comply with legal obligations and respond to lawful requests
We do not sell Customer Content, and we do not use Customer Content to train general-purpose AI models for use by other customers. Agent outputs generated for a Customer are returned only to that Customer's account.
3. How We Share Information
3.1 Service Providers (Sub-Processors)
We share information with vendors that help us operate the Service, bound by contract to use the information only to provide services to us. Current categories include:
- Cloud hosting and infrastructure: Railway (application hosting), PostgreSQL database hosting, object storage for Customer document uploads.
- Payment processing: Stripe, Inc. for subscription billing, customer portal, and webhook delivery.
- Email delivery: a transactional email provider for password resets, invites, and notifications.
- AI model providers: OpenRouter and underlying model providers (such as Google, Anthropic, and OpenAI) for the large language models that power Keyturn agents, subject to contractual commitments that input and output are not used to train the provider's general-purpose models.
- Error monitoring and analytics: providers used solely to diagnose errors and measure aggregate performance.
3.2 At the Customer's Direction
We share information with third parties when the Customer directs us to, for example by connecting an integration, inviting a collaborator, or generating a shareable link.
3.3 Within a Customer's Organization
Customer Content and account information are visible to other authorized users within the same Customer organization, based on role (owner, admin, member, viewer). Customers are responsible for managing role assignments.
3.4 Legal Process and Protection
We may disclose information if we have a good-faith belief that disclosure is necessary to (a) comply with a valid legal process (such as a subpoena or court order), (b) enforce our Terms of Service, (c) protect the rights, property, or safety of Keyturn, our Customers, or others, or (d) investigate suspected fraud or abuse. Where not legally prohibited, we will use commercially reasonable efforts to notify the affected Customer before disclosing Customer Content.
3.5 Business Transfers
If Keyturn is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction. We will require the successor entity to honor this Privacy Policy, or we will notify Customers of material changes and provide an opportunity to export and delete Customer Content before the change takes effect.
3.6 Aggregate or De-Identified Information
We may share aggregate or de-identified information that cannot reasonably be used to identify any individual or Customer, for example, industry usage benchmarks or aggregate agent performance statistics.
4. Data Retention and Deletion
We retain Customer Content for as long as the Customer's account is active. When a Customer terminates their account, we will provide a reasonable opportunity (generally 30 days) to export Customer Content. After that period, we will delete or anonymize Customer Content within a commercially reasonable time, except where retention is required by law, necessary to resolve disputes, or required to enforce our agreements.
Backups are retained on a rolling schedule and purged according to our backup retention policy. Log data and security records may be retained for a longer period for auditing, fraud prevention, and legal compliance, but are kept separately from active Customer Content.
5. Data Security
We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, alteration, and destruction. These include encryption of data in transit (TLS), hashing of stored passwords (bcrypt), role-based access controls, multi-tenant row-level data isolation (each row scoped by organization identifier), short-lived access tokens, rotating refresh tokens, rate limiting on authentication endpoints, and verification of Stripe webhook signatures.
No security program is perfect. If we become aware of a breach affecting Customer Content, we will notify affected Customers without undue delay and in accordance with applicable law. Customers are responsible for maintaining the confidentiality of their account credentials and for access they grant to users within their organization.
6. Your Choices and Rights
6.1 Access, Correction, Export, and Deletion
Customers can access, update, export, and delete most Customer Content directly through the Service. If you are a tenant, applicant, or other third party and want to exercise a right with respect to information a Customer stores about you in Keyturn, please contact that Customer in the first instance; Keyturn will assist the Customer in responding as required by applicable law.
6.2 California Residents (CCPA / CPRA)
Subject to verification and the exceptions in the statute, California residents have the right to (a) know what personal information we have collected, used, disclosed, and sold or shared; (b) request deletion of personal information; (c) correct inaccurate personal information; (d) limit the use of sensitive personal information; and (e) not be discriminated against for exercising these rights.
We do not "sell" or "share" personal information as those terms are defined under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act. We do not process personal information for cross-context behavioral advertising.
To exercise California rights, email privacy@keyturnpm.com from the email address associated with the account or record.
6.3 Other U.S. State Rights
Residents of other U.S. states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, and Texas) may have similar rights. We handle these requests under the same intake process described above.
6.4 Communications
We send account and service-related messages (such as password resets, billing notices, and security alerts) that are necessary for using the Service and that you cannot opt out of while an account is active. Any marketing communications will include an unsubscribe link.
7. International Users
Keyturn is operated from the United States. Information collected through the Service is processed and stored in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those of your jurisdiction. We do not currently market the Service to individuals located in the European Economic Area, the United Kingdom, or Switzerland.
8. Children
The Service is intended for use by businesses and their authorized personnel, not by children. We do not knowingly collect personal information from anyone under the age of 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
9. Third-Party Links and Content
The Service may contain links to third-party websites, integrations, or services that we do not own or control. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third party before providing information to it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date above and provide notice through the Service or by email to the administrator on file, at least 14 days before the change takes effect unless a shorter period is required by law. Continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
11. How to Contact Us
If you have questions about this Privacy Policy or how we handle information, contact us at:
KeyTurn LLC
Privacy inquiries: privacy@keyturnpm.com
Legal notices: legal@keyturnpm.com
Organized under the laws of the State of Texas.