Keymio · Privacy Policy
Effective date: 2026-05-11 Last updated: 2026-05-11 Version: v1.0 (initial public release)
1. Introduction
This Privacy Policy explains how Aspen Developments LLC, an Arizona limited liability company doing business as "Keymio" ("Keymio", "we", "us", "our"), collects, uses, shares, and protects information about you when you visit keym.io or use the Keymio software service (the "Service").
This Policy is part of, and incorporated by reference into, our Terms of Service.
If you do not agree with this Policy, do not use the Service.
2. Who this policy applies to
This Policy applies to:
- Customers — anyone who creates an account and uses the Service to manage properties, tenants, or other landlord operations.
- Collaborators — anyone invited by a Customer to access that Customer's account in a defined role.
- Visitors — anyone who visits keym.io without creating an account.
This Policy does not apply to information collected by your tenants, contractors, or other third parties about you. It does not change the relationship between you (as landlord) and any tenant whose information you enter into the Service — see Section 11.
3. Information we collect
3.1 Information you provide to us
- Account information. Your name, email address, password (stored as a salted hash, never in clear text), profile picture (if uploaded), and Plan selection.
- Billing information. Billing address, country, payment-card last four digits, payment-card brand, billing email — all collected and stored by Stripe, not by Keymio. Keymio receives only a Stripe customer identifier and a record of charges.
- Property data you upload. Property addresses, purchase price, mortgage details, rent amounts, photographs, lease documents, and any notes you enter.
- Tenant data you upload. Tenant name, email, phone number, lease start/end dates, voucher status, and any notes — see Section 11 for your obligations when uploading other people's information.
- Maintenance requests. Anything submitted via the public
maintenance-request form (
/r/:token) on your behalf by your tenants, including text descriptions, photos, contact details, and timestamps. - Support communications. Messages you send to support@keym.io or via the in-product help form.
3.2 Information we collect automatically
- Device and browser data. IP address, user-agent, operating system, screen size, time zone, language, and the referring page or link you arrived from.
- Usage data. Pages and features you view in the Service, search queries you make in the Discovery feature, frequency and duration of sessions, and clicks within the Service. We use PostHog as our analytics provider; events are tied to your account identifier inside PostHog and not to any third-party advertising network.
- Cookies and similar technologies. See Section 9.
3.3 Information we collect from third parties
- Stripe — payment status, fraud signals, dispute notifications.
- Listing Providers (RentCast and others) — property listings, estimated valuations, days-on-market. This data is about properties, not about you, but we associate it with your account when you search or save it.
- Public data sources — HUD Fair Market Rent values, FBI Crime Data Explorer statistics, US Census ACS estimates. This data is not about you; we display it to you.
- Public property records (admin-aggregated) — for properties our internal team is evaluating, we may pull publicly available property records from RentCast that include ownership name, ownership entity type, mailing address, last sale date and price, tax assessment, and automated valuation estimates. This data is about properties and their owners (who are typically not Keymio users). It is sourced from public county and state records and is currently used internally only — it is not displayed to other Keymio customers in the v1 product. If you are a property owner and wish to be removed from our internal aggregation, contact support@keym.io with the property address; we will mark the record suppressed within 7 business days.
We do not purchase personal data from data brokers and we do not enrich your profile with information from third-party identity providers other than the limited Stripe and Google OAuth metadata needed to log you in and bill you.
4. How we use information
We use the information described in Section 3 to:
- Provide the Service — host your data, sync between devices, render your dashboards, deliver email alerts.
- Bill you — process subscription charges through Stripe.
- Communicate with you — send transactional email (receipts, password resets, maintenance-request confirmations, lease-expiry reminders), respond to support requests, and notify you of material changes to the Service or these policies.
- Send marketing email — only with your consent, and only from Keymio (we do not share email addresses with other marketers). You can unsubscribe at any time via the link in any marketing email or in Settings → Notifications.
- Improve the Service — analyse aggregate usage patterns, identify bugs, and prioritise features.
- Protect the Service — detect fraud, prevent abuse, secure user accounts, and enforce our Terms of Service.
- Comply with law — respond to lawful requests from government authorities, comply with tax and accounting obligations, and meet our obligations under privacy and consumer-protection laws.
Legal bases (for users in jurisdictions that require them)
For users to whom EU/UK GDPR applies:
- Contract — we process your account and billing data because we need it to provide the Service to you.
- Legitimate interests — we process usage data to operate, secure, and improve the Service; this is balanced against your privacy interests.
- Consent — we send marketing email and set non-essential cookies only with your consent.
- Legal obligation — we keep some records (e.g. tax-relevant records) for periods set by law.
5. How we share information
We share personal information only as described below.
5.1 Service providers (data processors)
We share personal information with vendors who help us run the Service, under written contracts that restrict their use of the data to providing the contracted service.
| Vendor | What they do | Data shared |
|---|---|---|
| Supabase | Database hosting + authentication | All Customer Data |
| Stripe | Payment processing | Billing data, charge history |
| Resend | Transactional + marketing email | Email address, name, message contents |
| PostHog | Product analytics | Account ID, page views, event payloads (no raw passwords or payment data) |
| Vercel | Web hosting + CDN | Request logs (IP, user-agent, URL) |
| Cloudflare | DNS + email routing | DNS lookups, support@keym.io inbound mail headers |
| RentCast and other Listing Providers | Property listings + valuations | Search queries (ZIP, filters); we do not pass your name or email |
| Smarty (planned) | Address validation | Addresses you type; we do not pass your name or email |
| HUD User API | Fair Market Rent lookups | ZIP codes you query; we do not pass your name or email |
5.2 Other Customers and Collaborators
If you invite Collaborators to your account, they will be able to see the information you have made visible to their role. You can manage Collaborator access from Settings → Team.
5.3 Legal and safety
We may disclose information when we believe in good faith that doing so is required to (a) comply with a lawful subpoena, court order, or other legal process; (b) enforce our Terms; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Keymio, our users, or the public.
5.4 Business transfers
If Keymio is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred to the surviving or acquiring entity. We will give notice (by email and an in-app banner) before personal information becomes subject to a different privacy policy.
5.5 With your consent
We may share information for other purposes with your explicit consent.
We do not sell or "share" personal information for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA").
6. How long we keep information
- Active accounts. We keep your Customer Data for the lifetime of your account.
- Deleted accounts. When you delete your account, we mark it for deletion and retain it for 30 days (to allow you to change your mind and to satisfy any in-flight legal obligations) and then permanently delete it from our production systems. Backups are purged on a rolling 90-day schedule.
- Tax and accounting records. We retain billing history for 7 years after the last transaction to meet US tax-record retention requirements.
- Support communications. We retain support tickets for 3 years after closure for service-quality and dispute-resolution purposes.
- Aggregated and anonymised data. We may retain aggregated data (data that cannot be linked back to any individual) indefinitely.
7. Your rights
7.1 All users
Regardless of where you live, you can:
- Access — export your Customer Data at any time from Settings → Danger Zone → Export.
- Correct — edit your profile, properties, tenants, and other Customer Data in-product.
- Delete — delete individual records in-product, or delete your entire account from Settings → Danger Zone → Delete account.
- Opt out of marketing email — unsubscribe link in every marketing email, or Settings → Notifications.
- Object to analytics — opt out of PostHog tracking from Settings → Privacy.
7.2 California residents (CCPA / CPRA)
In addition to Section 7.1, if you reside in California you have the right to:
- request a copy of the categories and specific pieces of personal information we have collected about you in the last 12 months;
- request deletion of personal information we hold about you (subject to the retention obligations in Section 6);
- request correction of inaccurate personal information;
- limit the use of "sensitive personal information" (we do not intentionally collect categories that meet this definition; if you believe otherwise please contact us);
- opt out of "sale" or "sharing" of personal information for cross-context behavioural advertising — note that we do not sell or share such data as those terms are defined under the CCPA / CPRA, so there is currently nothing to opt out of; and
- not be discriminated against for exercising any of these rights.
To exercise California rights, email support@keym.io with the subject line "California Privacy Request". We will verify your identity using the email address on your account before responding.
7.3 Residents of other US states (CO, CT, VA, UT, TX, OR, MT, IA, DE, NH, NJ, others)
If you reside in a US state with its own privacy law, you have rights substantially similar to those in Section 7.2, including the right to access, delete, and correct your personal information. To exercise these rights, follow the same process as 7.2.
7.4 Residents of the EU, UK, EEA, or Switzerland
If you reside in the EU, UK, EEA, or Switzerland and GDPR applies to our processing, you also have the right to data portability, to withdraw consent, to lodge a complaint with your local supervisory authority, and (in some circumstances) to object to processing or to ask for a restriction. To exercise these rights, follow the process in 7.2.
7.5 Appeals
If we decline a privacy request, we will explain why. You may appeal that decision by replying to our email response, and we will give you a written reasoned decision within 60 days. After that you may contact the relevant state Attorney General or supervisory authority.
8. Security
We protect personal information with reasonable administrative, technical, and physical safeguards, including:
- TLS 1.2+ encryption in transit;
- AES-256 encryption at rest (provided by Supabase + Vercel);
- least-privilege access controls for Keymio personnel, audited via Supabase logs;
- single-sign-on with two-factor authentication available for Customers and required for Keymio staff;
- automated backups with versioned, encrypted storage.
No system is perfectly secure. If we become aware of a personal-data breach that creates a likely risk to your rights, we will notify you and any required regulator as required by applicable law (typically within 72 hours under GDPR, and per state law in the US).
9. Cookies and similar technologies
We use cookies and similar technologies to operate, secure, and analyse the Service. We sort cookies into four categories:
- Essential cookies — needed for the Service to work, including the authentication session cookie set by Supabase and a CSRF token. These cookies cannot be disabled.
- Functional storage — your theme preference, sidebar collapse
state, saved filter selections, and similar UI choices. Stored in
your browser's
localStorage, not sent to our servers. You can clear it via Settings → Privacy → Reset interface preferences. - Analytics cookies — PostHog sets cookies to count visits, link events to your account, and identify return visitors. You can opt out from Settings → Privacy, or by enabling Do-Not-Track in your browser (PostHog respects DNT for new sessions).
- Advertising cookies — none. We do not run third-party ad networks.
If you are visiting from an EU/UK IP address, you will see a cookie banner at first visit that lets you accept or reject non-essential cookies. Your choice is remembered for 12 months.
A more detailed list — including specific cookies set, durations, and how to opt out per provider — lives at Cookie Policy.
10. Children
The Service is not directed to people under the age of 18 and we do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has provided us with personal information, please contact support@keym.io and we will delete it.
11. Tenant and contractor data you upload
When you enter information about a tenant, prospective tenant, contractor, or other third party into the Service, you do so as the controller of that information — Keymio acts as your processor in respect of it.
You are responsible for:
- ensuring you have a lawful basis (and any required consent) to enter that information into a third-party software service;
- providing privacy notices to that person as required by your local law (federal Fair Housing-related disclosures, state landlord/tenant law, and any local privacy regulation);
- responding to access, deletion, and correction requests from that person;
- using tenant-supplied contact information only for the purpose for which it was provided (rent collection, maintenance, lease administration) and not for unrelated marketing.
We will assist you in responding to a tenant's request relating to data you hold in your account where reasonably required by law, subject to your direction and verification of the requester's identity.
12. International data transfers
Keymio is operated from the United States. Our service providers may process data in the United States, the European Union, and other jurisdictions where they operate data centres. If you access the Service from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States.
For transfers of EU/UK personal data to the United States, we rely on the Standard Contractual Clauses adopted by the European Commission and the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office. Where applicable to our service providers, we additionally rely on the EU-US Data Privacy Framework.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified to your account email at least 30 days before they take effect. Your continued use of the Service after the change takes effect constitutes acceptance of the updated Policy. Prior versions will be archived at keym.io/privacy/archive.
14. Contact
To exercise any privacy right, ask a question, or make a complaint, email support@keym.io.
Mailing address (via registered agent): Aspen Developments LLC · c/o Northwest Registered Agent LLC 4539 N 22nd St Ste N Phoenix, Maricopa County, AZ 85016 USA
End of Privacy Policy v1.0.