Privacy Policy

1. Scope and Roles

1.1 Covered Services. This Privacy Policy applies to all data collected through the KeyBolt website (keybolt.tech), the KeyBolt web application, transactional emails sent via the Service, SMS messages sent via the Service, voice calls placed or received through KeyBolt + Phone, call recordings and transcripts, the customer portal, and any related APIs or integrations.

1.2 Data Controller vs. Data Processor. When a locksmith shop (“Subscriber”) uses KeyBolt to manage their customers, the Subscriber is the data controller and KeyBolt acts as the data processor on behalf of the Subscriber. When KeyBolt collects data directly from Subscribers for account management, billing, and support purposes, KeyBolt is the data controller. A Data Processing Addendum (DPA) is available upon request for GDPR compliance, as referenced in our Terms of Service.

1.3 End Customers. If you are a customer of a locksmith shop that uses KeyBolt (an “End Customer”), your data is primarily governed by the locksmith shop’s own privacy practices. KeyBolt processes your data on the shop’s behalf. For questions about how your data is used, please contact your locksmith directly. For questions about how KeyBolt processes data on behalf of locksmith shops, you may contact us at the address in Section 18.

2. Information We Collect

2.1 Information You Provide Directly. We collect information that you voluntarily provide when you register for an account, use the Service, or contact us:

• Account information: Name, email address, phone number, business name, business address, and password.
• Business data: Customer records (names, addresses, phone numbers, emails), job details, invoices, estimates, payment records, inventory items, team member information, job photos, and documents.
• Sensitive locksmith data: Key codes, bitting data, safe combinations, transponder chip information, key blank references, and vehicle access data entered into customer records.
• Identity verification data: For lockout jobs, photos of identification documents and proof of residence/ownership uploaded by technicians.
• Payment information: Credit card and billing details for your KeyBolt subscription (processed by Stripe; we do not store full card numbers). Payment details your customers provide to pay invoices are processed entirely by Stripe.
• Communications: Any messages, feedback, or support requests you send to us.
• Voice and SMS data (Pro plan only): If your shop uses KeyBolt + Phone, we process inbound and outbound call audio, call recordings, automatically generated call transcripts (English and Spanish), DTMF keypad presses (transfer codes), caller-ID numbers, call duration and routing metadata, two-way SMS message content sent and received through the platform, and auto-reply templates configured by your shop. Call recordings are stored encrypted in our object storage; transcripts are generated by Telnyx and stored alongside the call record.

2.2 Information Collected Automatically. When you access the Service, we automatically collect certain technical information:

• Device and browser data: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
• Usage data: Pages visited, features used, click patterns, time spent on pages, referring URLs, and navigation paths.
• Log data: Server logs including request timestamps, HTTP methods, response codes, and request durations.

2.3 Information from Third Parties. We may receive limited information from third-party services:

• Stripe: Subscription status, payment confirmation, and Connect account verification status.
• Google Places API: Address autocomplete suggestions when you type an address into the Service. Google receives the partial address text you type; we do not send any other customer data to Google.
• Cloudflare Turnstile: Bot detection signals during account signup, password recovery, contact form submission, and customer portal authentication (no personal data is shared; only a challenge token is verified).

3. How We Collect Information

3.1 Direct Collection. We collect information directly from you when you create an account, fill out forms, enter data into the Service, upload files, send us correspondence, or make a purchase.

3.2 Automated Collection. We use cookies and similar technologies to collect usage data automatically when you interact with the Service. See Section 7 for details on cookies and tracking technologies.

3.3 From Your Use of the Service. When Subscribers use KeyBolt to manage their locksmith business, the data they enter about their customers, jobs, and operations is stored and processed by us on their behalf.

4. How We Use Information

4.1 To Provide and Maintain the Service. We use your information to operate the platform, process transactions, send invoices, deliver SMS and email notifications, manage team accounts, track inventory, generate reports, and provide customer support.

4.2 To Process Payments. We use Stripe to process KeyBolt subscription payments and to process payments from End Customers on behalf of Subscribers via Stripe Connect and Stripe Invoicing. Payment data is shared with Stripe as necessary to complete transactions.

4.3 To Communicate with You. We use your contact information to send transactional emails (invoice confirmations, payment receipts, team invitations, password resets), service announcements, and responses to your inquiries.

4.4 To Improve the Service. We analyze aggregated, de-identified usage data to understand how the Service is used, identify bugs, improve features, and develop new functionality. Sensitive locksmith data (key codes, bitting, safe combinations) is never included in analytics.

4.5 To Ensure Security. We use technical information to detect fraud, prevent abuse, enforce rate limits, maintain audit logs, and protect the integrity of the Service and your data.

4.6 To Comply with Legal Obligations. We may process your information as required by applicable law, regulation, legal process, or governmental request.

5. Sensitive Locksmith Data Handling

We recognize that key codes, bitting data, safe combinations, and related security information are extraordinarily sensitive. Unauthorized disclosure could compromise the physical security of homes, businesses, and vehicles. We apply the following enhanced protections to this data:

5.1 Encryption. All sensitive locksmith data is encrypted at rest in the database and encrypted in transit using TLS. Database backups containing this data are also encrypted.

5.2 Access Isolation. Sensitive locksmith data is protected by row-level security (RLS) policies in the database. Only authenticated users belonging to the same organization can access their organization’s data. No other Subscriber can view your data. KeyBolt employees cannot view key codes, bitting data, or safe combinations.

5.3 Exclusion from Logging and Analytics. Sensitive locksmith data is never written to application logs, error reports, analytics systems, or debugging tools. Log redaction rules are enforced at the application layer.

5.4 No Third-Party Transmission. Key codes, bitting data, and safe combinations are never transmitted to any third-party service. They are stored exclusively in our Supabase (PostgreSQL) database and are never sent to Stripe, Telnyx, Resend, Vercel, Google, or any other external provider.

6. How We Share Information

6.1 Service Providers. We share data with the following third-party service providers, strictly as needed to operate the Service:

• Supabase (database, authentication, and file storage hosting) — stores all application data including account information, business data, and encrypted sensitive locksmith data. Supabase provides the PostgreSQL database and authentication infrastructure.
• Stripe (payment processing) — receives customer names, email addresses, invoice line items, and payment amounts to process KeyBolt subscription payments and End Customer invoice payments via Stripe Invoicing and Stripe Connect. Stripe’s privacy policy governs their handling of payment card data.
• Telnyx (voice + SMS carrier) — on the KeyBolt + Phone tier, receives End Customer phone numbers, full call audio, SMS content, and DTMF keypad input. Telnyx generates call recordings (stored back into KeyBolt’s object storage) and multilingual call transcripts (English and Spanish) that are returned to KeyBolt and persisted on the call record. Telnyx is also used to send transactional SMS (appointment reminders, “On My Way” notifications, invoice links). Each shop runs through its own Telnyx subaccount; voice + SMS usage is billed by Telnyx at carrier rates without markup. Telnyx’s privacy policy governs their handling of call audio: telnyx.com/privacy-policy.
• Resend (email delivery) — receives recipient email addresses and email content for transactional email delivery (invoices, payment receipts, team invitations, overdue reminders, estimate notifications, low stock alerts).
• Vercel (application hosting and analytics) — processes HTTP requests and serves the web application. Vercel receives standard HTTP request data (IP address, headers, request path). Vercel Analytics collects anonymous page view metrics (page URL, referrer, country) without using cookies or collecting personally identifiable information.
• Google Places API (address autocomplete) — receives partial address text typed by users to provide address suggestions. No customer names, phone numbers, or other personal data is sent to Google.
• Sentry (error tracking, performance monitoring, and session replay) — receives error traces (without personally identifiable information), browser metadata, performance data, and session replay recordings (sampled at 10% of all sessions and 100% of sessions where an error occurs, with all text, form inputs, and media masked to prevent capture of readable content) for debugging and application reliability. Sentry may use cookies for session tracking during error reports and replay sessions. Full privacy policy: sentry.io/privacy.
• Cloudflare (bot detection via Turnstile) — receives IP addresses, browser fingerprint data, and challenge tokens during CAPTCHA verification on signup, login, and password reset forms. Cloudflare uses this data to distinguish human users from automated bots. Full privacy policy: cloudflare.com/privacypolicy.

6.2 No Sale of Data. We do not sell, rent, or trade your personal information or your customers’ personal information to any third party for monetary or other valuable consideration. We do not share data with advertising networks, data brokers, or marketing platforms.

6.3 Legal Requirements. We may disclose your information if required to do so by law, court order, subpoena, or other legal process, or if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent fraud or other illegal activity; (d) protect the personal safety of users or the public; or (e) protect against legal liability.

6.4 Business Transfers. If KeyBolt is involved in a merger, acquisition, asset sale, bankruptcy, or reorganization, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.

7. Cookies and Tracking Technologies

7.1 Cookies We Use. KeyBolt uses cookies for authentication, session management, and error monitoring. These cookies are required for the Service to function and cannot be disabled. They include:

• Authentication cookies: Supabase session tokens that keep you logged in and identify your account.
• CSRF tokens: Security tokens that protect against cross-site request forgery attacks.
• Application interface cookie (keybolt-user): Contains your display name, role, and organization name to render the application interface without additional server requests. This cookie does not contain sensitive data and is used only for the logged-in application experience.
• Cloudflare Turnstile: Our bot detection service may set functional cookies (such as cf_clearance) during challenge verification. These are strictly necessary for security and cannot be disabled.
• Sentry session tracking: Sentry may set cookies to correlate error reports and session replay recordings for debugging purposes. These cookies do not track you across other websites.

7.2 No Tracking or Advertising Cookies. We do not use tracking cookies, third-party advertising cookies, social media pixels, retargeting tags, or any other non-essential tracking technologies. We use Vercel Analytics for anonymous page view metrics. We do not use Google Analytics, Facebook Pixel, or advertising platforms.

7.3 Cookie Consent. In addition to strictly necessary cookies, Sentry may set cookies for session tracking during error reports and session replay. Vercel Analytics does not use cookies. Because our use of cookies is limited to essential functionality and error/performance monitoring, we believe a cookie consent banner is not required under most regulations. If our cookie usage changes, we will update this policy and implement appropriate consent mechanisms.

8. SMS Messaging

8.1 Purpose. KeyBolt enables Subscribers (locksmith shops) to send transactional SMS messages to their End Customers. These messages are strictly service-related and include:

• “On My Way” notifications when a technician is en route to a job
• Appointment reminders for scheduled jobs
• Invoice payment links after job completion
• On the KeyBolt + Phone tier, two-way conversational SMS replies between shop staff and End Customers from the shared inbox

No marketing, promotional, or advertising messages are sent through the Service.

8.2 Consent. Subscribers are responsible for obtaining appropriate consent from their End Customers before sending SMS messages. KeyBolt provides tools to record consent status in each customer record. Subscribers must obtain verbal or written consent before initiating SMS communication through the platform. Subscribers on the KeyBolt + Phone tier register their brand and campaign through A2P 10DLC (handled in-app) before US carriers will deliver outbound SMS.

8.3 Opt-Out. End Customers can opt out of SMS messages at any time by replying STOP to any message received through the Service. The system will immediately cease all SMS communication to that phone number. End Customers may re-subscribe by contacting the locksmith shop directly.

8.4 Message Frequency and Content. For transactional sends, message frequency is limited to 1–3 messages per service visit. The Service enforces a rate limit of 10 SMS messages per user per hour. Message content is limited to job status updates, appointment information, invoice links, and (on KeyBolt + Phone) two-way conversation with End Customers initiated by the customer. No sensitive locksmith data (key codes, bitting, safe combinations) is ever included in SMS messages.

8.5 Carrier Disclaimer. SMS messages are delivered via Telnyx. Message and data rates may apply depending on the End Customer’s mobile carrier and plan. Carriers are not liable for delayed or undelivered messages. Delivery success may vary by carrier and geography.

8a. Voice Calls and Call Recording (KeyBolt + Phone)

8a.1 Scope. This section applies only to Subscribers on the KeyBolt + Phone tier and the End Customers who call or are called by those Subscribers’ shop phone numbers. Subscribers on the Basic tier do not place or receive calls through KeyBolt and this section does not apply to them.

8a.2 Recording & Transcription. Every call placed to or made from a KeyBolt + Phone shop number is recorded and automatically transcribed. Recording starts immediately after the call connects. An audible disclosure (“This call will be recorded for quality and training”) plays at the start of each inbound call before any tech is rung; this disclosure is built into the platform and cannot be disabled. Transcripts are generated by Telnyx in English and Spanish and stored on the call record alongside the recording URL.

8a.3 Two-Party Consent. Several US states (including California, Florida, Pennsylvania, and others) require all parties to a call to consent to recording. The platform-played disclosure is intended to satisfy the audible-notice requirement in those jurisdictions. Subscribers are responsible for confirming that their use of call recording complies with applicable law in every jurisdiction where their End Customers are located.

8a.4 Caller-ID Match. When a known End Customer calls a KeyBolt + Phone number, KeyBolt looks up that number against the Subscriber’s customer database and surfaces the matching customer name and most recent job to the shop staff before the call is answered. End Customers may opt out of this matching by removing their phone number from the Subscriber’s records.

8a.5 DTMF (Keypad) Input. Keypad presses during a call — including IVR menu selections (e.g., “press 1”) and internal transfer codes (e.g., **11) — are processed by Telnyx and KeyBolt to route the call. Keypad input is not stored beyond the call routing record.

8a.6 Retention. Call recordings, transcripts, and call metadata are retained as part of the customer’s record per Section 10. Telephony webhook diagnostic events from Telnyx (call-progress events used for routing) are retained for 30 days, then deleted.

8a.7 Access. Call recordings and transcripts are visible only to authenticated users belonging to the Subscriber’s organization, protected by the same row-level security policies as the rest of the customer record. KeyBolt employees cannot access call audio or transcripts.

9. Email Messaging

9.1 Transactional Emails. KeyBolt sends transactional emails on behalf of Subscribers to their End Customers. These include invoices, payment receipts, estimate notifications, appointment confirmations, and overdue payment reminders. KeyBolt also sends transactional emails directly to Subscribers, including team invitations, password resets, subscription confirmations, low stock alerts, and job completion notifications. All transactional emails are delivered via Resend. The Service enforces a rate limit of 50 emails per hour per organization and a monthly quota of 750 emails per organization.

9.2 No Marketing Emails to End Customers. KeyBolt does not send marketing or promotional emails to End Customers. All emails sent through the Service are transactional in nature and directly related to a service interaction. Subscribers may receive occasional product updates or service announcements from KeyBolt, from which they can unsubscribe at any time.

10. Data Retention

10.1 Active Accounts. Your data is retained for as long as your KeyBolt account is active and your subscription is in good standing. You may access, export, or delete your data at any time while your account is active.

10.2 After Account Deletion. When you delete your account, data is handled in three categories:

• Immediately deleted: Non-financial data including job photos, identity verification documents, uploaded documents, communication logs, inventory items, and job templates are permanently deleted at the time of account deletion. All files in cloud storage buckets are removed. Auth credentials are deleted immediately.
• Soft-deleted and retained: Financial records (invoices, payments, and credit memos) and customer records are soft-deleted and retained for up to 7 years to comply with tax and legal record-keeping requirements. Estimates are retained for 90 days after deletion.
• Retained indefinitely: Audit logs containing anonymized activity references are retained indefinitely for legal compliance. After account deletion and expiration of financial record retention periods, these logs cannot be linked back to individual users.

10.3 Soft-Deleted Records and Retention Periods. When you delete a customer record within the Service, the record is soft-deleted and retained while linked financial records exist. Soft-deleted financial records (invoices, payments, and credit memos) are permanently removed after 7 years per tax compliance requirements. Customer records are retained while linked financial records exist. Estimates are retained for 90 days after deletion. Notifications are retained for 15 days. Communication logs (email and SMS records) are retained for 90 days, then deleted. Telephony webhook diagnostic events from carriers (call-progress events used for debugging routing) are retained for 30 days, then deleted; the durable summary of each call (caller, duration, recording, transcript, status) lives on the call record itself and follows the customer-record retention rules above. Identity verification photos are retained for the same period as the associated job record. Expired estimate approval tokens and processed webhook events are cleaned up weekly.

11. Data Security Measures

We implement industry-standard technical and organizational security measures to protect your data, including but not limited to:

• Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Database connections use TLS. Backups are encrypted.
• Row-level security: Every database table is protected by PostgreSQL row-level security policies that restrict data access to the owning organization.
• Authentication security: Support for multi-factor authentication (TOTP), configurable account lockout after failed login attempts, configurable session timeouts, and Turnstile CAPTCHA on signup.
• Rate limiting: Sensitive endpoints (SMS, email, authentication) are rate-limited to prevent abuse.
• Audit logging: All significant actions are recorded in an append-only, immutable audit log. Database triggers prevent modification or deletion of audit records.
• Webhook security: Stripe webhook signatures are verified on every request. Processed events are deduplicated via a persistent tracking table to prevent replay attacks.
• Input validation: All user inputs are validated server-side using Zod schemas to prevent injection attacks and data corruption.
• Least privilege: Service role keys are never exposed to client code. Browser clients use only anon keys with RLS enforcement.

No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

12. Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will notify affected Subscribers via email without unreasonable delay and no later than 72 hours after becoming aware of the breach. The notification will include: (a) the nature of the breach; (b) the categories of data affected; (c) the approximate number of records affected; (d) the likely consequences of the breach; and (e) the measures taken or proposed to address the breach. We will also notify applicable regulatory authorities as required by law.

13. Children’s Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at the address in Section 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

14. International Data Transfers

KeyBolt is based in the United States. Our service providers (Supabase, Stripe, Telnyx, Resend, Vercel) may process and store data in the United States and other countries. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other jurisdictions where our service providers maintain facilities. These jurisdictions may have data protection laws that differ from those in your country. By using the Service, you consent to the transfer of your information to the United States and other jurisdictions as described in this policy.

15. Your Rights and Choices

15.1 General Rights. Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Right of access: Request a copy of all personal data we hold about you.
• Right of correction: Request that we correct inaccurate or incomplete personal data.
• Right of deletion: Request that we permanently delete your personal data, subject to legal retention requirements.
• Right of portability: Request your data in a structured, commonly used, machine-readable format (CSV).
• Right to restrict processing: Request that we limit how we process your data in certain circumstances.
• Right to object: Object to the processing of your personal data for certain purposes.

15.2 Exercising Your Rights. To exercise any of these rights, email us at privacy@keybolt.tech with the subject line “Privacy Rights Request.” We will verify your identity before processing your request and respond within 30 days. If we need additional time, we will inform you of the extension and the reasons within the initial 30-day period.

15.3 Account Controls. You can manage much of your data directly through the Service:

• Update your profile and business information in Settings.
• Export your data (customers, jobs, invoices, inventory) via CSV export in the QuickBooks integration page.
• Delete your account from Settings, which initiates the data deletion process described in Section 10.2.
• Manage notification preferences (email toggles) in Settings.
• Enable or disable multi-factor authentication in Security settings.

16. CCPA/CPRA Notice and California Rights

This section applies to California residents and supplements the information in the rest of this Privacy Policy, as required by the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”).

16.1 Categories of Personal Information Collected. In the preceding 12 months, we have collected the following categories of personal information:

1. Identifiers: Name, email address, phone number, IP address, account ID.
2. Commercial information: Subscription records, payment history, invoice records, transaction details.
3. Internet or electronic network activity: Browser type, pages visited, features used, device type.
4. Professional or employment-related information: Business name, business address, team member roles.
5. Geolocation data: Approximate location derived from IP address; job site addresses entered by Subscribers.

16.2 Sources of Personal Information. Personal information is collected from: (a) directly from you when you create an account or use the Service; (b) automatically through cookies and server logs; and (c) from third-party services (Stripe, Google Places API, Cloudflare Turnstile) as described in Section 2.3.

16.3 Business or Commercial Purpose for Collection. We collect personal information for the purposes described in Section 4, including providing the Service, processing payments, communicating with you, improving the Service, ensuring security, and complying with legal obligations.

16.4 Categories of Third Parties. We share personal information with the service providers listed in Section 6.1 (Supabase, Stripe, Telnyx, Resend, Vercel, Google Places API, Sentry) for the business purposes described in this policy.

16.5 No Sale or Sharing of Personal Information. We do not sell personal information. We do not “share” personal information for cross-context behavioral advertising as defined by the CCPA. We have not sold or shared personal information in the preceding 12 months.

16.6 California Consumer Rights. As a California resident, you have the following rights under the CCPA:

• Right to know: You may request the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to delete: You may request that we delete your personal information, subject to certain exceptions provided by law.
• Right to correct: You may request that we correct inaccurate personal information.
• Right to opt-out of sale/sharing: Because we do not sell or share personal information, this right is not applicable but is acknowledged.
• Right to limit use of sensitive personal information: We only use sensitive personal information as necessary to provide the Service. You may request that we limit its use to what is necessary.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge different prices, provide a different quality of service, or retaliate in any way.

16.7 Exercising CCPA Rights. To exercise your California rights, email us at privacy@keybolt.tech with the subject line “CCPA Request.” We will verify your identity by matching information you provide against information we have on file. You may also designate an authorized agent to submit a request on your behalf by providing written authorization. We will respond to verifiable requests within 45 days. If we need additional time (up to 45 more days), we will inform you in writing.

16.8 Retention of Personal Information. We retain personal information for as long as described in Section 10. We do not retain personal information for longer than is reasonably necessary for the disclosed purposes.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make material changes, we will notify you by email at least 30 days before the changes take effect and will update the “Last updated” date at the top of this page. Non-material changes (such as formatting or clarification) may be made without advance notice. Continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

18. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how your data is handled, please contact us:

• Email: privacy@keybolt.tech
• Support email: support@keybolt.tech
• Website: keybolt.tech

We aim to respond to all privacy-related inquiries within 30 days.