Legal
Privacy Policy
Your privacy matters. Here's how we collect, use, and protect your data.
Last updated: May 26, 2026
Who We Are
- Kepto provides asset tracking software for teams that need to manage shared equipment, keys, devices, tools, vehicles, and related audit records.
- For account, billing, support, security, and product analytics data, Kepto acts as the data controller.
- For asset records, holder names, notes, locations, photos, and history that your organization enters into Kepto, your organization is the controller and Kepto acts as a processor or service provider.
- Privacy questions and data requests can be sent to info@kepto.io.
Information We Collect
- Account information, including name, email address, password hash, organization membership, role, and email verification status.
- Organization information, including organization name, site names, plan tier, billing state, invited users, and settings.
- Asset management data entered by your organization, including asset names, descriptions, sites, locations, quantities, holder names, issue/return history, notes, QR label links, photos, handoff signatures, reminders, and audit logs.
- Billing data handled through Stripe, such as customer ID, subscription ID, plan, status, billing cycle, price ID, and payment state. Kepto does not store full card numbers.
- Technical and security data, including IP address, browser/device information, session cookies, rate-limit events, request logs, and diagnostic error data.
- Product usage data, such as page views, signup, checkout, asset creation, and feature interaction events, used to improve the service.
How We Use Data
- To provide Kepto, including authentication, organization management, asset tracking, audit history, QR flows, reminders, billing, and support.
- To protect accounts and the platform, including abuse prevention, rate limiting, security monitoring, and error diagnosis.
- To send transactional emails such as verification links, password reset messages, invites, contact replies, billing notices, and service updates.
- To process subscriptions, invoices, plan changes, and payment-related events through Stripe.
- To understand and improve product quality using first-party analytics and aggregated usage patterns.
- We do not sell personal data and we do not share personal data with third parties for their own advertising.
Legal Bases
- Contract: to create accounts, provide the service, process subscriptions, and support your organization.
- Legitimate interests: to secure the service, prevent abuse, improve reliability, analyze usage, and communicate about product operations.
- Consent: where required for optional communications or features that need permission, such as camera access for QR scanning.
- Legal obligation: where we must keep tax, accounting, billing, or compliance records.
Processors and Transfers
- We use trusted service providers to run Kepto, including Vercel for hosting, Neon for Postgres database hosting, Vercel Blob for asset photos, Resend for email delivery, Stripe for payments and billing, Google for OAuth sign-in when enabled, and Sentry for error monitoring when configured.
- A public subprocessor list is available at /subprocessors and may be updated as providers change.
- These providers may process data in the European Economic Area, the United States, or other countries where they operate.
- Where data is transferred internationally, we rely on appropriate safeguards such as standard contractual clauses, data processing terms, or adequacy mechanisms where available.
- We may disclose data if required by law, to protect Kepto and its users, or as part of a business transfer subject to appropriate safeguards.
Data Security
- All passwords are hashed using industry-standard bcrypt with a cost factor of 12.
- Sessions are managed via HTTP-only, secure cookies with JWT tokens.
- All data in transit is encrypted via TLS/HTTPS.
- Multi-tenant access checks are designed so users only access data for their own organization unless they are platform superusers.
- Production health checks, audit logs, rate limiting, and error monitoring are used to detect reliability and security issues.
- No internet service can be guaranteed completely secure, but we use reasonable technical and organizational safeguards for the size and nature of the service.
Storage and Retention
- Production data is stored in managed cloud services used to operate Kepto.
- Asset history, audit logs, billing records, and account records are kept while your account or organization is active, unless deleted earlier through the service or support.
- Some records may be retained after account closure where needed for legal, tax, accounting, fraud prevention, dispute resolution, backup, or security purposes.
- Backups and restore branches may retain deleted data for a limited period until they expire under the provider restore window.
- You may export available asset and history data through Kepto export tools.
Your Rights
- Depending on where you live, you may have rights to access, correct, delete, restrict, object to processing, or receive a copy of your personal data.
- If processing is based on consent, you may withdraw consent at any time without affecting earlier lawful processing.
- You can update account information in Settings and export available asset data through the product.
- If your organization controls the data, we may direct your request to the organization administrator or assist them in responding.
- EU/EEA users may also have the right to complain to their local data protection authority.
Children and Minors
- Kepto is intended for business and organizational use, not for children.
- You must not create an account if you are under 18 or do not have authority to use Kepto for your organization.
- If you believe a minor has provided personal data to Kepto, contact info@kepto.io so we can review and remove it where appropriate.
Contact Us
- For privacy questions or requests, contact info@kepto.io or use the Contact page.
- We aim to respond to privacy-related requests within 30 days unless a different legal deadline applies.
- We may update this Privacy Policy as Kepto evolves, and material changes will be communicated through the website, email, or in-app notice where appropriate.