Privacy Policy

Last updated: March 27, 2026

Keystone ("we", "us", or "our") is committed to protecting your privacy. This policy explains what information we collect, how we use it, and your rights regarding that data when you use the Keystone platform, including our web application and CLI tool.

1. Information We Collect

Account Information

When you sign in with GitHub, we receive your GitHub username, display name, email address, and profile avatar. This information is used to create and manage your Keystone account.

GitHub Repository Data

To provide our core service, we access GitHub data from repositories you explicitly connect, including pull requests, commits, code reviews, and issue references. We do not access repositories you have not authorized.

Usage Data

We collect anonymized usage information such as feature interactions, API request logs, and error reports to improve the product and diagnose issues.

CLI Authentication Tokens

When you authenticate through our CLI tool, we issue a session token stored locally on your machine. This token is used to authenticate requests on your behalf and can be revoked at any time from your account settings.

2. How We Use Your Information

  • Provide, operate, and improve the Keystone service.
  • Synthesize technical decisions and context from your connected repositories using AI.
  • Generate and store semantic embeddings for search and retrieval purposes.
  • Send transactional emails (e.g., onboarding, notifications) through our email provider.
  • Respond to support requests and communicate service updates.
  • Comply with legal obligations.

3. AI Processing of Your Data

Keystone uses large language models (LLMs) to analyze and synthesize content from your connected repositories. This content may be sent to third-party AI providers to generate summaries, embeddings, and answers. We do not use your data to train external AI models. Where possible, we use privacy-preserving configurations offered by our AI providers.

4. Data Sharing and Third Parties

We do not sell your personal data. We share data only with the following categories of trusted service providers, strictly to operate the service:

  • Supabase — Authentication and database hosting.
  • GitHub — Repository data access via OAuth and GitHub Apps.
  • AI providers — Processing text for synthesis and semantic search.
  • Resend — Transactional email delivery.

All providers are contractually bound to handle your data securely and only as instructed.

5. Cookies and Session Storage

We use strictly necessary cookies to manage your authentication session. We do not use advertising or tracking cookies. You can clear cookies at any time through your browser settings, which will sign you out of the application.

6. Data Retention

We retain your account data for as long as your account is active. Repository data and embeddings are retained as long as the project connection exists. You may delete your account at any time, which will trigger deletion of your personal data within 30 days, except where retention is required by law.

7. Security

We implement industry-standard security measures including encrypted data transmission (TLS), encrypted storage, and access controls. However, no system is completely immune to security risks, and we encourage you to use strong, unique credentials.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — Request a copy of the data we hold about you.
  • Correction — Request correction of inaccurate data.
  • Deletion — Request deletion of your account and associated data.
  • Portability — Request an export of your data in a machine-readable format.
  • Objection — Object to processing based on legitimate interests.

To exercise any of these rights, contact us at the address below.

9. Contact

If you have questions or concerns about this policy or your data, please contact us at privacy@keystone.dev.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or a prominent notice in the application. Your continued use of Keystone after changes take effect constitutes acceptance of the updated policy.