Privacy Policy (Draft)
Last updated: 2026-02-17
Warning
This document is a draft placeholder for counsel review and is not legal advice. Do not rely on it as final policy text.
1. Scope
This Privacy Policy describes how VeliKey, Inc. ("VeliKey", "we", "us") processes information in connection with the VeliKey Aegis platform, including Axis and Aegis Agents (the "Service").
TODO(counsel): confirm the contracting entity, address, and required regional disclosures.
2. Information We Collect
Depending on deployment, we may process:
- Account and organization information (name, email, organization membership, role)
- Authentication and security events (sign-in timestamps, MFA/SSO configuration events)
- Billing and subscription metadata (plan, invoices, payment status)
- Service telemetry and diagnostics (agent status/health, aggregated metrics, error logs)
- Support information (tickets and messages you send to us)
3. Information We Do Not Intend to Collect
The Service is designed to avoid collecting application plaintext and secret keys. In typical deployments:
- Aegis enforces TLS policy in Customer infrastructure.
- Axis receives configuration and aggregated telemetry, not application payloads.
TODO(counsel): verify claims for each deployment model and define exceptions (for example, explicit debug modes).
4. How We Use Information
We use information to:
- provide and operate the Service
- secure the Service and enforce tenant isolation
- support customers (including troubleshooting)
- bill and administer subscriptions
- comply with legal obligations
5. How We Share Information
We may share information with:
- subprocessors who provide infrastructure and operational services
- service providers acting on our instructions
- law enforcement or regulators when required by law
We do not sell personal information.
TODO(counsel): add subprocessor list and required contractual statements.
6. Data Retention
Retention depends on data type and configuration:
- account records: retained while the account is active and as required for legal/compliance
- operational telemetry: retained for limited periods to provide the Service and support troubleshooting
TODO(counsel): define retention periods by category and add deletion policy details.
7. Security
We apply administrative, technical, and physical safeguards designed to protect information we process.
Customer responsibilities include:
- protecting API keys, bootstrap tokens, and other credentials
- limiting access to authorized administrators
- rotating credentials on suspected compromise
8. Your Choices and Rights
Depending on your location, you may have rights to access, correct, or delete personal information.
TODO(counsel): add GDPR/UK GDPR, CCPA/CPRA, and other jurisdiction-specific rights and request workflows.
9. International Transfers
If we process information outside your country, we implement appropriate safeguards as required by law.
TODO(counsel): add transfer mechanism language (SCCs, etc.) if applicable.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated through the Service or by other reasonable means.
11. Contact
- Privacy: privacy@velikey.com
- Security: security@velikey.com
- Support: support@velikey.com