proxykey API KEY VAULT

Privacy Policy

What we collect, why we need it, how your API keys are protected, and how to delete your data. In short: we don't sell data, we never log key values, and there are no ad trackers.

Last updated: 06.07.2026 · proxykey

Who we are

The data controller is the developer and operator of proxykey (proxykey.org), acting as a private individual; once a legal entity is registered, this page will be updated with its details. proxykey is a credential proxy for API keys: the real keys of third-party providers are stored on our side in encrypted form, while your applications work with virtual pass tokens.

A contact channel for questions about this policy and the processing of your data will be published on this page shortly.

What data we process

DataWhyRetention
Account — your email (passwordless sign-in link) or your GitHub account's identifier and email (GitHub OAuth sign-in). No passwords are used or stored. Signing in to the panel, contacting you about important service matters. As long as the account exists.
Secrets — the real API keys of third-party providers that you enter yourself. Stored only in encrypted form (AES-256-GCM, envelope encryption). Injecting the real key into proxied requests — the core of the service. As long as the account exists, or until you delete the secret.
Request logs — metadata of each proxied request: method, path, HTTP status, latency, source IP of the request, provider. Authorization headers and key values are never logged. Statistics, debugging, security features. As long as the account exists; deleted on request.
Request/response body previews — up to 4 KB, with automatic redaction of secret-looking strings. Recorded only if you explicitly enable this option for a specific pass. Debugging your integrations — at your request. Same as the logs themselves (together with them).
Session cookie — the panel session identifier (SameSite=Strict). Keeping you signed in to the panel. Until the session ends.
Website visit logs — standard web-server access logs for proxykey.org: IP address, requested page, time, browser user-agent, referring page. Aggregate visit statistics (how many people visit and which pages they read) and abuse protection. The statistics are computed on our own server; nothing is shared with third-party analytics services (Google Analytics, etc.). 14 days, then deleted automatically by log rotation.

The source IP of a request is used for security features: binding a pass to an IP and notifying you about a request from a new IP. The network name (ASN) for IP addresses in the logs is resolved against a local copy of the iptoasn.com database — no external lookups; IP addresses are not shared with third parties for enrichment.

Payment data The service is free — we do not collect or process any payment data.

Why and on what legal basis

How keys are protected

Who we share data with

We do not sell your data and do not share it with third parties for advertising or profiling.

Retention periods

Account data and secrets are kept as long as the account exists; when the account is deleted, they are deleted with it. Request logs (including body previews, if you enabled them) are kept as long as the account exists; you can request earlier deletion.

Your rights

You can request access to your data, its rectification, erasure, or object to processing. You can delete secrets and revoke passes yourself in the panel at any time; the entire account — with all secrets, passes and logs — can be deleted there as well (Overview → danger zone). For other requests we will respond within the timeframe required by applicable law.

Cookies

We use a single session cookie — for signing in to the panel (SameSite=Strict). There are no ad trackers, third-party analytics, or tracking pixels on the site or in the panel.

This is also why there is no cookie-consent banner on the site: consent is only required for non-essential cookies (advertising, third-party analytics), and we use none. Our only cookie is a strictly necessary session cookie, which is exempt from consent requirements. If non-essential cookies ever appear, a consent prompt will appear first.

International data transfers

Data is processed and stored on rented servers that may be located outside your country of residence. If running the service ever requires transferring data to other jurisdictions, we will put in place the safeguards required by law for such transfers.

Children

The service is not intended for anyone under 16, and we do not knowingly collect their data. If you believe a child has provided us with their data, let us know via the contact channel in "Who we are" and we will delete it.

Changes to this policy

Updates are published on this page; the "Last updated" date at the top reflects the current version. We will additionally announce material changes by email.