Privacy Notice
Version: 2026-05-01 Effective date: 2026-05-01 Status: Draft — currently under legal review. Not yet ratified by external counsel.
This Privacy Notice describes how Keygum AB ("Keygum," "we," "us") processes personal data in connection with the Keygum API and dashboard (the "Service"). It addresses three audiences:
- Account holders — the person on the business-customer side who signed up for and administers the Customer Account.
- End audiences — individuals whose names, handles, pictures, or other personal data are carried inside content that a Customer publishes through the Service.
- Website visitors — anyone visiting keygum.com, app.keygum.com, or docs.keygum.com without an account.
Keygum is a business-to-business service. This Notice does not make representations about individual consumer rights under the EU Consumer Rights Directive — see the Terms of Service Section 1.
1. Controller identity
The data controller for personal data that Keygum processes on its own account is:
- Keygum AB, a Swedish aktiebolag
- Registered office: Stockholm, Sweden
- Email for privacy matters: [email protected]
- Integritetsskyddsmyndigheten (IMY) is the competent supervisory authority for Keygum.
A Data Protection Officer is not currently appointed; the GDPR threshold for mandatory DPO appointment under Article 37 has not been reached. We will reassess when our processing reaches the scale that triggers the obligation.
For Customer Content (personal data carried inside content that a Customer publishes), the Customer is the controller and Keygum acts as a processor under our Data Processing Agreement.
2. Categories of data we process
2.1 Account data (Keygum as controller)
| Category | Examples | Source |
|---|---|---|
| Identity and contact | business email, company name, optional billing contact name | you, at signup and in settings |
| Authentication | magic-link tokens, TOTP seeds, passkey public-key credentials | you, during authentication |
| Billing | Stripe customer-ID reference, plan tier, VAT-ID if provided, invoicing country | Stripe's Checkout Session; Stripe stores the rest |
| Device | IP address on sensitive operations (sign-in, step-up, API-key revoke) — salted-hashed at the writer edge, not stored in raw form | HTTP request headers |
| Usage | API-request counts, rate-limit counters, feature flags, audit-log entries | the Service |
We do not store credit-card numbers, CVVs, or bank-account numbers. Those are held by Stripe under Stripe's PCI-DSS-compliant processing.
2.2 Customer Content (Customer as controller, Keygum as processor)
| Category | Examples |
|---|---|
| Post content | text, images, video, metadata you upload for publication |
| OAuth tokens | platform access and refresh tokens, encrypted at rest with AES-256-GCM |
| Platform accounts | account IDs, account names, handles, avatar URLs |
| Analytics | impressions, reach, engagement metrics returned by the Platforms |
Keygum's processing of Customer Content is bounded by the Data Processing Agreement.
2.3 Derived, aggregated, and pseudonymised data (Keygum as controller under legitimate interest)
We compute non-identifying statistics (for example, median optimal post length per Platform) from aggregate Customer usage for the purpose of improving the Service. These aggregates do not identify you, your end-audience, or any natural person and are not personal data. Our Terms Section 4.4 describes an opt-out.
2.4 Website-visitor data
We log request method, URL, status code, IP address, and user-agent string on our public websites and API endpoints. IP addresses are salted-hashed before being written to the audit log; raw IPs are present only in short-lived web-server access logs (30-day retention).
3. Purposes and legal bases
We process personal data only where a lawful basis exists under GDPR Article 6.
| Purpose | Data | Lawful basis |
|---|---|---|
| Provide the Service under the Terms of Service | account data, Customer Content | Article 6(1)(b) — contract |
| Invoice, collect payment, remit VAT | billing data | Article 6(1)(b) — contract; Article 6(1)(c) — legal obligation (Bokföringslagen) |
| Detect and prevent fraud, abuse, DoS | request logs, IP hashes | Article 6(1)(f) — legitimate interest |
| Send transactional emails (sign-in links, billing notifications, security alerts) | email address | Article 6(1)(b) — contract |
| Send optional activity emails that can be muted from the dashboard | email address | Article 6(1)(f) — legitimate interest |
| Comply with legal process, sanctions, tax, or accounting law | as required | Article 6(1)(c) — legal obligation |
| Improve the Service via aggregated analytics | non-personal aggregates derived from usage | Article 6(1)(f) — legitimate interest |
We do not process special-category data under Article 9 and we do not rely on consent (Article 6(1)(a)) for anything other than marketing communications we do not currently send.
4. Sub-processors and third-party recipients
We engage the following sub-processors to provide the Service. This list is the authoritative public version; we maintain an internal Record of Processing Activities (Article 30) for regulator inspection.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Application and database hosting (primary) | Germany (EU) | N/A (EU) |
| Cloudflare, Inc. | CDN, DDoS protection, WAF, R2 object storage | Global edge; R2 pinned EU | SCCs + DPF |
| Amazon Web Services EMEA SARL (SES) | Transactional email delivery | Ireland / EU region | N/A (EU) |
| Stripe Payments Europe, Ltd. | Payments, subscription billing, Stripe Tax | Ireland, onward US processing | SCCs + DPF (Stripe Inc.) |
| LinkedIn Ireland Unlimited Company | Publishing to LinkedIn on Customer behalf | Ireland, onward US processing | SCCs + DPF |
| Meta Platforms Ireland Ltd. | Publishing to Facebook / Instagram / Threads | Ireland, onward US processing | SCCs + DPF |
| X Corp. (Twitter) | Publishing to X on Customer behalf | United States | SCCs |
| Google Ireland Limited (YouTube) | Publishing to YouTube on Customer behalf | Ireland, onward US processing | SCCs + DPF |
| TikTok Technology Limited | Publishing to TikTok on Customer behalf | Ireland; UK / Singapore engineering support | SCCs + UK IDTA |
Data transfer safeguards. For every non-EU sub-processor we have Standard Contractual Clauses (SCCs, Implementing Decision (EU) 2021/914) in place as the primary safeguard. Where a sub-processor is certified under the EU–US Data Privacy Framework (DPF) we rely on both DPF adequacy and SCCs as belt-and-suspenders, so that the invalidation of either one does not interrupt service.
Sub-processor changes. We give at least thirty (30) days' prior notice by email to the billing contact before we add a new sub-processor. You may object during the notice period. If we cannot accommodate your objection (for example, the sub-processor is not replaceable with a reasonable alternative), you may terminate under Terms Section 6.
5. International transfers
Our primary infrastructure is in the EU (Hetzner, Germany). Customer Content is stored and processed in the EU by default. International transfers arise when:
- a Platform is US-based or routes through US-based infrastructure (see Section 4);
- Stripe Inc. (US) processes a subset of billing data on behalf of Stripe Payments Europe, Ltd. (Ireland);
- Cloudflare's global edge-cache handles requests for statically-cacheable responses from the closest edge.
In every case we rely on SCCs under the 2021/914 Implementing Decision, supplemented by DPF where the recipient is a DPF-certified organisation. A copy of our SCC templates is available on request to [email protected].
6. Retention
| Data | Retention | Reason |
|---|---|---|
| Active account metadata | duration of the Customer Account + 30 days after termination | contract |
| Customer Content (live posts and metadata) | duration of the Customer Account + 30 days after termination | contract |
| Customer Content (backups) | up to 120 days post-termination as backups rotate | technical cap on backup retention |
| Analytics snapshots | configurable per Customer (30, 60, or 90 days), default 60 | Customer configuration |
| OAuth tokens | until revoked by the Platform or by the Customer, plus 7 days for reconciliation | operational |
| Audit log | 2 years from the event date | security, fraud, regulator inspection |
| Invoicing and accounting records (Stripe + bokföringsprogram) | 7 years | Bokföringslagen, Sweden |
| Web-server access logs | 30 days | incident response |
Retention is enforced by automated jobs on daily schedules. We do not manually extend retention unless compelled by legal process, in which case the extended retention is logged and disclosed to the Customer unless a court order prohibits disclosure.
7. Data subject rights
If you are an identified natural person in our processing records, you have the following rights under the GDPR. Most rights apply to Account holders (where we are controller) and to End audiences (where the Customer is the controller and we are processor; in that case, direct your request to the Customer and we will assist).
- Right of access (Article 15): request a copy of the personal data we process about you.
- Rectification (Article 16): correct inaccurate or incomplete data.
- Erasure (Article 17): request deletion where the legal basis no longer applies; subject to retention requirements in Section 6.
- Restriction (Article 18): ask us to stop processing while a dispute is resolved.
- Portability (Article 20): receive data you provided in a machine-readable format.
- Objection (Article 21): object to legitimate-interest processing; we will re-balance the interests and respond.
- Withdraw consent (Article 7): where processing relies on consent (not the default for this Service), withdraw at any time.
- Complain to a supervisory authority: in Sweden, Integritetsskyddsmyndigheten (IMY); you may also complain to the supervisory authority in your EU country of residence or place of the alleged infringement.
We respond to verified requests within thirty (30) days and may extend by a further sixty (60) days under Article 12(3) where the request is complex; we will notify you of any extension.
To exercise a right, email [email protected] from the email address associated with the Customer Account. We may ask for additional information to verify identity. We do not charge for a first request within a 12-month period; excessive or manifestly unfounded requests may incur a reasonable fee or be refused under Article 12(5).
8. Security
We maintain technical and organisational measures appropriate to the risk of our processing. Current measures include:
- Encryption at rest of sensitive fields (OAuth tokens, internal secrets) with AES-256-GCM using per-field random IVs; encryption keys managed through server-side secrets injection (not stored alongside the data).
- Encryption in transit via TLS 1.3 with modern cipher suites; HSTS enforced on public hostnames.
- Authentication via magic-link, optional TOTP second factor, and passkey (WebAuthn) enrolment; step-up challenges required for sensitive operations.
- Authorization via customer isolation enforced at the application layer and defence-in-depth PostgreSQL row-level-security policies.
- Rate limiting per API key and per IP to deflect brute-force and credential-stuffing attempts.
- Logging and audit of security-relevant events with salted-hashed IPs (no raw-IP archival).
- Least privilege access for Keygum personnel; production access limited to a minimum of named individuals, logged, and reviewed quarterly.
- Dependency scanning and secrets-leak scanning in CI with gates that block merges on high-severity findings.
- Backups rotated on a daily and weekly schedule; restore tests performed at least annually.
We will detail these in the Data Processing Agreement (Annex II — Technical and Organisational Measures). We treat this section as a commitment to maintain at least the measures enumerated; we may add to them.
9. Incidents and breach notification
If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Swedish supervisory authority (IMY) without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware, as required by Article 33.
Where the Customer is the controller and the breach affects Customer Content, we will notify the Customer without undue delay under Article 33(2) so the Customer can make its own notification assessment.
We maintain an incident-response runbook that covers detection, triage, containment, eradication, recovery, and post-incident review.
10. Cookies and similar technologies
The Service itself (dashboard and API) uses only strictly necessary cookies to keep you signed in:
- __Secure-* session cookies set by our authentication library, SameSite=Lax, Secure, HttpOnly.
- An opaque CSRF-protection token for form submissions.
We do not use advertising cookies, cross-site tracking pixels, or third-party analytics cookies on the Service. Our public website (keygum.com) may use a first-party, privacy-friendly analytics provider in the future; we will publish a cookie banner before deploying anything that requires consent.
11. Children
The Service is a business-to-business service and not directed to children. We do not knowingly collect personal data from children under 16.
12. California, Virginia, Colorado, and other US states
The Service is currently marketed to EU customers. If you are a California, Virginia, Colorado, or other US-state resident accessing the Service, you have rights under the applicable state privacy law (CCPA/CPRA, VCDPA, CPA, and similar) that overlap substantially with the GDPR rights in Section 7. We do not sell personal information and do not "share" personal information for cross-context behavioural advertising, as those terms are defined by the CCPA/CPRA. To exercise US-state-law rights, email [email protected].
13. Changes to this Notice
We may revise this Notice. The version and effective date at the top identify the current version. For material changes we will give at least thirty (30) days' prior notice by email to the billing contact. The previous version remains available on the dashboard archive for reference.
14. Contact
For privacy questions, data-subject requests, or to request a copy of our SCC templates or sub-processor list:
- Email: [email protected]
- Postal: Keygum AB, Stockholm, Sweden
Supervisory authority: Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm — [email protected], +46 8 657 61 00.
Open items pending legal review
- Whether the IP-address hashing scheme under Section 2 qualifies for true pseudonymisation under Article 4(5), or whether it should be classified as personal data subject to the full Article 30 obligations.
- Whether the 2-year audit-log retention under Section 6 is defensible against an Article 5(1)(e) storage-limitation challenge, given that most entries become forensically uninteresting after 6 months.
- Whether the "legitimate interest" basis claimed for sub-processor transfers in Section 3 should instead be anchored in contract performance (Article 6(1)(b)) to reduce the Article 21 objection surface.
- Whether the Stripe US-parent onward-transfer mention in Sections 4 and 5 should be elaborated, given the post-Schrems II sensitivity of US transfers.
- Whether Section 10's "only strictly necessary cookies" representation holds once we deploy the first-party analytics provider; if so, the banner plan needs to be in the Notice.
Keygum AB, Sweden — [email protected]