How KeyCodes.ai handles operator, vehicle, and account data.

This Privacy Policy applies to the KeyCodes.ai website, web application, mobile application, and related APIs and services (collectively, the “Service”) operated by Keycodes AI, LLC, a Delaware limited liability company (“KeyCodes.ai,” “we,” “our,” or “us”).

The Service is designed for use by licensed locksmiths, dealer service staff, and other automotive professionals. By using the Service, you acknowledge that you have read and understand this policy.

Information you provide directly. When you register or use the Service, we collect:

• Account information — name, email address, phone number, password;
• Business verification information — business name, license number, address, tax identifier, and any supporting documentation you submit;
• Billing information — billing address and last four digits of payment card; full card details are collected directly by our payment processor and are never stored by us (see Section 5);
• Lookup inputs — vehicle identification numbers (VINs), vehicle details, and other query data you submit for key code or PIN retrieval;
• Support communications — messages, attachments, and context you share when contacting us.

Information collected automatically. When you access the Service, we and our service providers automatically collect:

• Device and connection data — IP address, browser type, operating system, device identifiers, language preferences;
• Usage data — pages viewed, features used, timestamps, referral URLs, and diagnostic information;
• Cookies and similar technologies — see our Cookie Policy for details.

Information from third parties. We may receive information about you from our payment processor (Stripe), verification and fraud-prevention partners, and data sources used to confirm professional eligibility.

We use the information we collect to:

• Provide, maintain, and improve the Service, including processing VIN decodes and delivering keycodes and PINs;
• Verify professional eligibility and prevent unauthorized access to sensitive vehicle data;
• Process payments, manage wallet balances, and issue receipts;
• Communicate with you about your account, updates, and support requests;
• Detect, investigate, and prevent fraud, abuse, and security incidents;
• Comply with legal obligations, respond to lawful requests, and enforce our Terms of Service;
• Develop new features and conduct product analytics in aggregated or de-identified form.

If you are located in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR and UK GDPR:

• Contract — to provide the Service you have requested;
• Legitimate interests — to secure the Service, prevent fraud, and improve the product, balanced against your rights;
• Legal obligation — to meet tax, accounting, and regulatory requirements;
• Consent — where required, such as for certain cookies or marketing communications.

We share information only as described below. We do not sell personal information.

Service providers (sub-processors). We share information with vendors who process data on our behalf under written agreements that limit their use to the services they provide to us. Current sub-processors include:

• Supabase — database, authentication, and storage (privacy policy);
• Stripe — payment processing and fraud prevention, a PCI DSS Level 1 certified processor (privacy policy);
• Vercel — application hosting and infrastructure (privacy policy);
• Intercom — customer support and in-product messaging (privacy policy).

Legal and safety disclosures. We may disclose information when we believe in good faith that disclosure is necessary to comply with applicable law, respond to valid legal process, protect the rights, property, or safety of KeyCodes.ai, our users, or others, or investigate fraud or abuse.

Business transfers. If KeyCodes.ai is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to customary confidentiality protections.

With your consent. We may share information for other purposes disclosed to you with your consent.

We retain personal information for as long as needed to provide the Service, comply with legal obligations (including tax and anti-fraud record-keeping), resolve disputes, and enforce our agreements. Account data is retained for the life of your account; transaction and lookup records are retained for the period required by applicable financial and industry regulations, and no longer than necessary. When information is no longer needed, we delete or de-identify it.

We use administrative, technical, and physical safeguards designed to protect personal information. These include encryption in transit (TLS), encryption at rest, access controls, authentication requirements, and audit logging. No system is perfectly secure; we cannot guarantee the security of information transmitted to or stored on the Service.

California (CCPA/CPRA). California residents have the right to: (i) know the categories and specific pieces of personal information we collect, the sources, purposes, and categories of recipients; (ii) request deletion of personal information, subject to exceptions; (iii) correct inaccurate personal information; (iv) opt out of the “sale” or “sharing” of personal information for cross-context behavioral advertising; and (v) limit the use of sensitive personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA. California residents may also designate an authorized agent.

Other U.S. states. If you are a resident of Colorado, Connecticut, Delaware, Iowa, Montana, Oregon, Texas, Utah, or Virginia, you may have similar rights under your state’s privacy law, including rights of access, deletion, correction, and opt-out of targeted advertising and profiling. We honor these rights to the extent required by applicable law.

EEA, UK, and Switzerland. Where GDPR or UK GDPR applies, you have the right to access, rectify, erase, restrict processing of, or port your personal data, and to object to processing based on legitimate interests. You may also withdraw consent at any time and lodge a complaint with a supervisory authority.

How to exercise your rights. Submit requests to privacy@keycodes.ai. We will verify your identity before acting on a request. We will respond within the time frames required by applicable law.

We use cookies and similar technologies to operate the Service, remember your preferences, and measure usage. For a full description, including how to control cookies, see our Cookie Policy.

KeyCodes.ai is operated from the United States, and our service providers may process data in the United States and other countries. When we transfer personal data from the EEA, UK, or Switzerland to a jurisdiction that has not been deemed adequate, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

The Service is intended for business use by adults. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA and UK). If you believe a child has provided us with personal information, please contact us and we will delete it.

We may update this Privacy Policy from time to time. Material changes will be indicated by updating the “Last updated” date above and, where appropriate, by providing additional notice through the Service or by email. Your continued use of the Service after an update constitutes acceptance of the revised policy.

Questions, requests, or complaints regarding this Privacy Policy can be sent to:

Keycodes AI, LLC
1111B S Governors Ave STE 97182
Dover, DE 19904
Email: privacy@keycodes.ai