Your data, your control.
Keychains.dev is a security product. We treat your data with the same rigor we apply to credential protection.
This Privacy Policy describes how Interagentic, Inc. ("Interagentic," "we," "us," or "our") collects, uses, and protects information when you use Keychains.dev — a credential delegation proxy for AI agents. Keychains.dev handles user API credentials (OAuth tokens, API keys) and proxies them to target APIs on behalf of AI agents.
1. What we collect
We collect only what is necessary to operate a secure credential proxy. Here's exactly what that includes:
API credentials
OAuth tokens, API keys, and other authentication material you store with Keychains for delegation to AI agents. These are the core of what we protect.
Audit logs & API call records
Every proxied API call is logged — including timestamps, target endpoints, response status codes, and which machine/agent made the request. This gives you full visibility into how your credentials are used.
Machine fingerprints
SSH public keys and stateful fingerprint data used to verify machine identity. This is how we detect stolen keys and prevent unauthorized credential use.
IP addresses
Collected as part of request metadata for security monitoring and abuse prevention.
Account information
Authentication data managed through our identity provider. For users who log in via Telegram, we store your Telegram user ID and display name — but not your email address. For users who log in via other methods, we store the email address, name, and authentication data necessary for account access and communication.
2. How we store and protect your data
Security isn't a feature we bolt on — it's the foundation of the product.
Credential encryption
All API credentials (OAuth tokens, API keys) are encrypted at rest using AES-256-GCM. Credentials are only decrypted in memory at the moment of proxying to the target API.
Ephemeral state
Session data, rate limiting, and machine fingerprint state are stored in Upstash Redis with automatic expiration. This data is ephemeral by design.
Persistent data
Account data, encrypted credentials, and permission records are stored in MongoDB Atlas with encryption at rest and in transit enabled.
Audit archival
Audit logs are archived to AWS S3 with server-side encryption and S3 Object Lock (compliance mode). The archival bucket is a read-only, append-only store with no public access. This immutability is designed to detect and prevent audit trail tampering — even by internal systems.
3. Who has access to your data
We minimize third-party access to what is operationally necessary. All infrastructure providers operate under data processing agreements.
| Provider | Purpose |
|---|---|
| Interagentic team | Service operation, security monitoring, support |
| Vercel | Application hosting and edge infrastructure |
| Upstash | Redis caching and ephemeral state management |
| MongoDB Atlas | Persistent database storage |
| AWS (S3) | Audit log archival and long-term storage |
We do not sell your data. We do not share credentials with any third party. Infrastructure providers process data solely on our behalf and under contractual obligation.
4. Data retention
API credentials
Credentials are automatically deleted 90 days after their last use. You can also remove any credential at any time from your dashboard or revoke provider access.
Audit logs
Retained for 90 days by default. You can select a longer retention period for your account from the following options: 30 days, 90 days, 180 days, 1 year, 2 years, or 3 years. Archived logs in S3 follow your configured retention period.
Machine identity data
SSH public keys and fingerprint state are retained indefinitely while the machine is active. Upon revocation, machine identity data follows your configured audit log retention period before being permanently deleted.
Account data
Retained for the lifetime of your account. Upon account deletion, all associated data is purged as fast as possible, and within a maximum of 30 days.
5. Your rights
Regardless of where you are located, we provide the following rights to all users:
- Access: Request a copy of all personal data we hold about you.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your account and all associated data, including stored credentials.
- Export: Export your data in a machine-readable format (JSON).
- Withdraw consent: Revoke any previously granted consent at any time. This includes revoking OAuth connections, machine authorizations, and agent permissions.
Most of these actions can be performed directly in the product — from your dashboard, you can export, delete, and manage your data. If you find that any access is missing or need assistance, contact us at security@interagentic.inc. We will respond within 30 days.
6. GDPR compliance
For users in the European Economic Area (EEA), we process personal data under the following legal bases:
- a
Contract performance — processing credentials and audit logs is necessary to provide the Keychains.dev service.
- b
Legitimate interest — security monitoring, fraud prevention, and service improvement.
- c
Consent — where applicable, such as optional analytics or marketing communications.
If you have an issue with any of our policies or have comments on the way they are implemented, please write to us at compliance@interagentic.inc. You also have the right to lodge a complaint with your local Data Protection Authority. For data transfer mechanisms, we rely on Standard Contractual Clauses (SCCs) where required.
7. CCPA compliance
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
The right to know what personal information we collect and how it is used.
The right to request deletion of your personal information.
The right to opt out of the sale of personal information. We do not sell personal information.
The right to non-discrimination for exercising your privacy rights.
To exercise any of these rights, contact us at privacy@interagentic.inc. Most actions can also be performed directly from your dashboard.
8. Cookies and tracking
Keychains.dev uses only essential cookies required for authentication and session management. We do not use third-party tracking cookies, advertising pixels, or analytics that profile individual users. Theme preferences are stored in local storage.
9. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We encourage you to review this page periodically. For material changes, we will make reasonable efforts to notify you through the product or other appropriate channels.
10. Contact
For privacy-related questions, data requests, or concerns:
Interagentic, Inc.
Email: privacy@interagentic.inc