Privacy Policy
🛡️ Our Core Privacy Principle
MyDataKey is non-custodial by design. We do not store or warehouse raw personal data. We minimize data collection and process only the limited information needed to operate the Service and support integrity and auditability.
MyDataKey is a product operated by Own Your Data Inc., a Delaware 501(c)(3) nonprofit corporation (“Company,” “we,” “us,” or “our”). This Privacy Policy explains how we handle information in connection with MyDataKey (the “Service”). By using the Service, you agree to this Privacy Policy.
1 Information We Process
Depending on how you use the Service, we may process:
- Account information: Name, email address, and authentication details when you create an account
- Verification data: During identity verification, we temporarily process selfie and ID images to verify your identity, then discard them
- Certificate metadata: Certificate IDs, timestamps, and ownership record references
- Posture settings: Your declared preferences for data usage (AI training, advertising, etc.)
- Security logs: Access events, administrative actions, and system telemetry
- Support communications: Emails, tickets, or messages you send us
- Usage data: Basic interactions and diagnostic information to improve reliability
2 Information We Do NOT Store
The Service is designed to avoid custodial storage of raw personal data content. We explicitly do not store:
❌ Not Stored
- Contents of your emails or messages
- Your files or documents
- Bulk personal datasets
- Medical or health records
- Financial account details
- Biometric data (after verification)
✓ What We Store
- Account credentials (hashed)
- Certificate metadata
- Posture declarations
- Timestamps and hashes
- Activity logs
- Your name and email
Note: Like most online services, information may appear transiently in network traffic or temporary processing buffers. This policy addresses what the Service is designed to retain and use.
3 How We Use Information
- To provide, operate, maintain, and improve the Service
- To support ownership record origination, verification, and auditability
- To process your posture declarations and generate certificates
- To secure the Service, prevent misuse, and enforce our Terms
- To communicate with you about the Service and support requests
- To comply with legal obligations and protect rights, safety, and property
4 Legal Bases (Where Applicable)
Where required by law (such as under GDPR), we rely on one or more legal bases:
- Contract: Processing necessary to provide the Service you requested
- Legitimate interests: Security, fraud prevention, and service improvement
- Consent: Where we specifically ask for your permission
- Legal obligation: Where required by applicable law
5 Sharing & Disclosure
We do not sell or broker personal data. Ever. As a 501(c)(3) nonprofit, we have no financial incentive to monetize your information.
We may share limited information in these circumstances:
- Service providers: Trusted partners who help operate the Service (hosting, email, support), under appropriate confidentiality obligations
- Legal requirements: When required by law, subpoena, or legal process
- Safety: To protect rights, safety, and the integrity of the Service
- Business transfers: In connection with a merger or acquisition (subject to applicable law and mission alignment requirements)
6 Retention
We retain information only as long as necessary for the purposes described in this policy:
- Account data: While your account is active, plus a reasonable period after a deletion request
- Verification images: Discarded immediately after verification is complete
- Certificate records: Indefinitely (these are your proof of ownership)
- Security logs: Typically 90 days, longer if needed for investigation
- Support communications: As needed for support history and legal compliance
7 Your Rights
Depending on your jurisdiction, you may have rights relating to your information:
- Access: Request a copy of information we hold about you
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your account and associated data
- Portability: Receive your data in a portable format
- Objection: Object to certain processing activities
- Restriction: Request restriction of processing
To exercise your rights, contact us at privacy@mydatakey.org. We will respond within the timeframe required by applicable law.
For California residents: See our California-specific disclosures at California DROP.
8 Cookies & Analytics
We use minimal cookies and similar technologies:
- Essential cookies: Required for the Service to function (authentication, preferences)
- Theme preference: Stored locally to remember your light/dark mode choice
- Analytics: If used, configured in a privacy-conscious manner with IP anonymization
We do not use advertising cookies or tracking pixels. We do not share cookie data with third-party advertisers.
9 Security
We use reasonable administrative, technical, and organizational measures to protect the Service and the limited metadata we process. See our Security page for details.
However, no method of transmission or storage is completely secure. If you discover a vulnerability, please report it through our Responsible Disclosure program.
10 International Transfers
If information is processed outside your jurisdiction, we take steps to ensure appropriate protections consistent with applicable law, including standard contractual clauses where required.
11 Children’s Privacy
The Service is not intended for children under 18 (or the age of majority in your jurisdiction). We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
12 Changes to This Policy
We may update this policy from time to time. Material changes will be reflected by updating the “Last Updated” date and, where appropriate, providing additional notice through the Service or via email.
13 Contact Us
Questions about this Privacy Policy or your personal information: