Privacy Policy

We collect the following categories of personal data:

A. Personal data you provide to us directly

We collect personal data when you create an account to use the Service or communicate with us. This includes:

• Account information: identifiers such as your name, email address, and organization, when you sign up for a Keystroke account or to receive information about the Service.
• Payment information: billing details we need if you access any paid Keystroke products and services. Card data is processed by our payment processor (see Section 3).
• Inputs and Outputs: the Service lets you submit content (“Inputs”) — including prompts, source files, project metadata, workflow inputs, agent messages, and tool arguments — and receive generated content (“Outputs”) such as agent responses, workflow step results, and code suggestions. If your Inputs contain personal data or reference external content, we will collect that information and it may be reproduced in the Outputs we return.
• Integration data: when you connect a third-party service (for example Slack, GitHub, Linear, Notion, or an MCP server), we collect the information that integration exposes — account identifiers, channel or repository names, scoped tokens, and the data your agents and workflows read from or write to it on your behalf.
• Communication information: if you communicate with us, we collect your name, contact information, and the contents of any messages you send.
• Feedback: ideas, suggestions, ratings, or other Feedback you provide. If you provide Feedback while using the Service, we may store the entire exchange as part of your Feedback.

B. Personal data we receive from your use of the Service

When you use the Service, we also automatically receive certain technical data:

• Device information — device type, browser, operating system, and mobile network or ISP, as your device or browser sends it when you install, access, or use the Service.
• Log information — IP address, browser type and settings, error logs, agent and workflow execution traces, and other signals that describe how the Service is performing and how you interact with it.
• Usage data — dates and times of access, pages and resources viewed, links clicked, and other information about how you use the Service.
• Cookies and similar technologies — we and our service providers use cookies, pixels, scripts, or similar technologies to operate the Service, remember your preferences, and analyze and optimize your use.
• Location information — for security and performance (for example, to detect unusual login activity), we may determine the approximate geographic location your device is connecting from using information such as your IP address.

C. Information we do not collect

Keystroke does not knowingly collect sensitive or special-category personal information, such as genetic data, biometric data for uniquely identifying a natural person, health information, or religious information. We also do not knowingly collect information from, or direct any of the Service or content to, children under the age of 18. If we learn or have reason to suspect that a user is under 18, we will investigate and, if appropriate, delete the personal data and/or the account.

We may use personal data for the following purposes:

• To provide, operate, and maintain the Service, including features that execute your workflows and agents, surface results, and call connected integrations on your behalf.
• To create, manage, and administer your account, including facilitating payments and responding to inquiries.
• To improve and develop the Service and conduct research, including debugging and identifying or repairing issues that impair functionality.
• To communicate with you, including sending product updates, security notices, information about the Service, and events.
• To prevent, detect, and investigate fraud, abuse, security incidents, and violations of our Terms of Service.
• To comply with legal obligations and protect the rights, safety, privacy, and property of users, Keystroke, or third parties.
• To investigate and resolve disputes or security issues.
• To enforce our Terms of Service and other applicable agreements.

We do not use Inputs or Outputs to train our AI models, and we do not permit third parties to use them for training, unless: (1) they are flagged for security review (in which case we may analyze them to improve our ability to detect and enforce our Terms of Service), (2) you explicitly report them to us (for example, as Feedback), or (3) you've explicitly agreed to their use for such training purposes. To manage your preferences regarding the use of Inputs and Outputs for training, please contact us at team@keystroke.ai.

We may aggregate or de-identify personal data so it no longer identifies you, and use that information for the purposes described above — for example, to analyze how the Service is used, improve features, and conduct research. We will maintain de-identified information in its de-identified form and will not attempt to reidentify it, except as required by law.

We may disclose your personal data in the following circumstances:

• Service providers and business partners. We disclose personal data to third-party vendors that support our business operations and help us deliver and improve the Service — including cloud and hosting infrastructure providers, AI model providers, sandboxed code execution providers, analytics, customer support, safety monitoring, communications, payment processing, compliance services, and IT providers. These parties process personal data only as necessary to perform services on our behalf, consistent with our instructions and applicable law.
• AI model providers. To generate Outputs, we send the relevant portions of your Inputs (prompts, context, tool definitions, and similar) to third-party AI model providers. These providers process the data solely for inference and do not use it to train their models. See our Data Use & Privacy Overview for more detail.
• Connected services. When you authorize Keystroke to read from or write to a third-party service (for example via OAuth, installed apps, webhooks, or an MCP server), we exchange data with that service on your behalf. The third party's own terms and privacy policy govern its use of the data once it reaches their systems.
• Business transfers. In the event of a merger, acquisition, restructuring, bankruptcy, or other corporate transaction, personal data may be disclosed to counterparties and advisers as part of due diligence or transferred as part of the transaction.
• Legal compliance and protection of rights. We may disclose personal data to government authorities or other third parties if we believe doing so is necessary to: (i) comply with applicable laws, regulations, or legal processes; (ii) respond to lawful requests or investigations; (iii) protect the safety, rights, or property of any person; (iv) prevent fraud, security incidents, or other unlawful activity; (v) enforce our Terms of Service or other legal rights; or (vi) protect Keystroke against legal liability.
• Affiliates. We may share personal data with affiliates — entities that control, are controlled by, or are under common control with us. They may use personal data in a manner consistent with this Privacy Policy.
• Other third-party services and integrations. The Service may include integrations with or links to third-party websites, applications, or services. If you choose to interact with these third parties, your personal data may be disclosed to them directly and is governed by their own terms and privacy policies. Our linking or integrating with a third party does not imply endorsement or affiliation.
• Business account administrators. If you create an account using an email associated with an organization (for example, your employer), we may disclose account-related information — such as your email address and account status — to that organization. If you're part of a business or enterprise account, administrators may access and manage your use of the Service, including any Inputs, Outputs, and integration data you produce in that account.
• Other users and third parties you share information with. Certain features of the Service let you share Inputs, Outputs, agents, workflows, or other resources with teammates, organizations, or third-party applications. Any information you voluntarily share is subject to the recipients' respective terms and privacy practices.
• With your consent. We may disclose personal data when you give us permission to do so, including through features of the Service designed to share information.

Subprocessors. For commercial uses of the Service where Keystroke acts as a data processor, a current list of the third parties we engage as subprocessors is available on request at team@keystroke.ai.

Keystroke retains your personal data only for as long as necessary to operate the Service effectively and to support legitimate business needs such as legal compliance, safety, dispute resolution, and enforcement of our agreements. The appropriate retention period varies depending on the purpose for which the personal data was collected, its sensitivity, potential risks associated with its use or exposure, and any applicable legal requirements.

Your settings may also influence how long we keep certain types of data. For instance, some temporary interactions with the Service may not appear in your run history and could be stored for a limited duration for purposes related to safety and system monitoring.

When personal data is no longer needed, Keystroke and its service providers follow procedures to delete, erase, de-identify, or anonymize it in compliance with applicable laws.

We implement commercially reasonable technical and organizational measures designed to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Where appropriate, these may include practices such as encrypting sensitive material, isolating code-execution environments, and limiting access to internal systems. We update these measures over time as the Service evolves.

However, please remember that no method of transmission over the Internet or method of electronic storage is completely secure. You should use caution when deciding what information to share with the Service. We are not responsible for any circumvention of privacy settings or security features on the Service or on third-party websites linked through the Service.

Depending on where you live and the laws that apply in your country of residence, you may have certain rights in relation to your personal data. These may include the right to access, delete, correct, or transfer your personal data; to object to or restrict how we process it; or to withdraw your consent where processing is based on consent. You may also have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, you or your authorized agent may contact us at team@keystroke.ai. We may request information to verify your identity before processing your request. If we deny your request, you may appeal by emailing the same address. Keystroke will not discriminate against you for exercising any privacy rights available under applicable law.

The rights available to you may include:

• Right to know what categories of personal data we collect, the purposes for which we use it, and the types of third parties with whom we share it.
• Access and portability — request a copy of the personal data we hold about you and, where applicable, ask us to provide it in a portable format.
• Deletion of personal data collected from you in connection with your use of the Service, subject to certain exceptions.
• Correction of inaccurate personal data we maintain about you. Please note that while we'll make reasonable efforts to address correction requests, due to the nature of AI models we cannot guarantee the accuracy of Outputs generated by the Service.
• Objection to certain types of processing. Where applicable, we will stop processing unless we have legitimate legal grounds to continue.
• Restriction of our processing of your personal data in limited circumstances, such as while a correction request is pending.
• Withdrawal of consent, where the legal basis for our processing is based on your consent. Withdrawal does not affect the lawfulness of prior processing.
• No automated decisions: Keystroke does not make decisions based solely on automated processing that produce legal or similarly significant effects on you (for example, your healthcare or financial circumstances).
• No sale or targeted advertising: we do not “sell” or “share” personal data for cross-contextual behavioral advertising, and we do not process personal data for “targeted advertising” purposes (as those terms are defined under applicable U.S. state privacy laws). We also do not process sensitive personal data for the purposes of inferring characteristics about a consumer.

Keystroke processes your personal data for the purposes described in this Privacy Policy on servers located in various jurisdictions, including in the United States. While data protection laws vary by country, we apply the protections outlined in this policy to your personal data regardless of where it is processed, and we only transfer data in accordance with legally valid transfer mechanisms.

For users in the European Economic Area (“EEA”), when you access the Service, your personal data may be transferred to our United States servers or to other countries outside the EEA and the UK. Where information is transferred outside the EEA or the UK, we require an adequate level of data protection.

Some jurisdictions require specific disclosures regarding how we handle your personal data. For more information, see “Personal data we collect,” “How we use personal data,” and “Retention” above.

We may update this Privacy Policy from time to time. When we do, we will publish an updated version and effective date at the top of this page, unless another type of notice is legally required. Your continued use of this site after any change in this Privacy Policy will constitute your acceptance of the change.

We encourage you to contact us at team@keystroke.ai if you have any questions about this Privacy Policy. You can also reach us at our mailing address:

Sprint Labs, Inc (d/b/a Keystroke)
356 S 2000 W
Pleasant Grove, UT 84062