Privacy Policy
Plain-language summary. MyColdKey is designed so encryption and decryption happen on your device. We do not want your seed phrases or vault passwords. For accounts, licensing, checkout, and optional Cloud+, we do process some personal information as described below. We do not sell your personal information.
This Privacy Policy describes how MyColdKey LLC (“MyColdKey,” “we,” “us”) collects, uses, discloses, and protects information in connection with our websites (including mycoldkey.com), our desktop application (“Software”), online accounts and licensing, checkout and payments, customer support, optional Cloud+ sync, and related services (collectively, the “Services”).
If you do not agree with this Policy, please do not use the Services. The Terms of Service govern use of the Services.
1. Information we collect
The categories below depend on how you interact with us. You are not required to provide all of this information, but some features (for example, checkout or Cloud+) will not work without it.
Identifiers and account data
- Email address and name when you create an account, sign in to checkout, join a waitlist or mailing list, or contact us.
- Account identifiers issued by us or our identity / authentication providers (for example, a user or subscriber ID).
- Support communications you send to info@mycoldkey.com, support@mycoldkey.com, or through contact forms, including the content of your message and metadata (such as time sent).
Commercial and licensing information
- License and entitlement records tied to your account (for example, product tier, device slots, subscription status for add-ons such as Cloud+).
- Order and payment metadata — our payment processors handle card and crypto payment details; we typically receive confirmation of payment, amount, currency, plan purchased, and related identifiers, not your full card number.
Software, sync, and technical data
- Cloud+ (optional). If you enable Cloud+, your encrypted vault or backup data may be stored or transferred using our infrastructure and third-party cloud services. We design this so we do not have your vault password and cannot decrypt your plaintext secrets. We may still process metadata such as account identifiers, file or object names, sizes, timestamps, and sync status, as needed to operate the service.
- Logs and security data — for example, server or application logs, IP address, device or app version, and diagnostic information used to secure the Services and troubleshoot issues.
Website and marketing
- Waitlist / forms. If you submit a form (for example, via our waitlist provider), we collect the fields you provide (such as name, email, and optional interests).
- Analytics. We may use cookies or similar technologies and analytics tools to understand traffic, referrers, and aggregate usage. We configure these to avoid collecting secrets or vault contents.
What we do not intend to collect
We do not ask you to send seed phrases or vault passwords to us. Do not include those in support emails unless we explicitly request a specific artifact for troubleshooting — and even then, follow instructions carefully.
2. How we use information
We use personal information to:
- Provide, operate, and improve the Services, including licensing, activation, and optional Cloud+;
- Process purchases and fulfill orders (including hardware fulfillment partners where applicable);
- Authenticate users, prevent fraud and abuse, and secure our systems;
- Communicate with you about transactions, security, and (where you have opted in) product updates or marketing;
- Comply with law, respond to lawful requests, and enforce our Terms of Service;
- Analyze aggregate usage to improve performance and user experience.
Legal bases (EEA/UK/Switzerland). Where GDPR or similar laws apply, we rely on one or more of: performance of a contract, legitimate interests (such as security and product improvement, balanced against your rights), consent where required, and legal obligation.
3. How we share information
We may share personal information with:
- Service providers who assist us under contract—for example, hosting, cloud storage, authentication, email delivery, payment processing, analytics, and customer support tools. They may process data only on our instructions and subject to appropriate safeguards.
- Professional advisers (lawyers, accountants) where required.
- Authorities when we believe disclosure is required by law, regulation, legal process, or to protect rights, safety, or security.
- Business transfers — if we merge, are acquired, or sell assets, information may transfer as part of that transaction, subject to this Policy or equivalent protections.
We do not sell your personal information and do not share it for cross-context behavioral advertising as a “sale” under U.S. state privacy laws.
A list of subprocessor categories (and representative vendors where named) is maintained at Subprocessors. That page may be updated when we add or replace material vendors.
4. International transfers
We are based in the United States. If you access the Services from other countries, your information may be processed in the U.S. or other jurisdictions where we or our providers operate. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) for transfers from the EEA, UK, or Switzerland.
5. Retention
We retain personal information only as long as needed for the purposes above, including to meet legal, accounting, or reporting requirements. For example: account and licensing records are kept for the life of the account and a reasonable period afterward; marketing emails until you unsubscribe; logs for a limited period according to security needs.
6. Security
We implement administrative, technical, and organizational measures designed to protect personal information. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
7. Your rights and choices
Depending on where you live, you may have the right to access, correct, delete, or export personal information we hold about you; to object to or restrict certain processing; to withdraw consent where processing is consent-based; and to lodge a complaint with a supervisory authority.
To exercise these rights, email info@mycoldkey.com. We may need to verify your request. If you are in the EEA, UK, or Switzerland, you may also contact your local data protection authority.
8. U.S. state privacy (including California)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA/CPRA), including to know, delete, and correct personal information, and to opt out of “sale” or “sharing” (we do not sell covered information as defined). You may designate an authorized agent as permitted by law. We will not discriminate against you for exercising privacy rights.
Residents of other U.S. states with comprehensive privacy laws may have similar rights; contact us as above.
9. Cookies and similar technologies
We and our analytics providers may use cookies, local storage, pixels, or similar technologies for functionality, preferences, and analytics. You can control cookies through your browser settings; blocking some cookies may affect Site functionality.
10. Children
The Services are not directed to children under 13 (or 16 where a higher age applies). We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will delete it.
11. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the revised version here and change the “Last updated” date. For material changes, we will provide additional notice where required by law.
12. Contact
Data protection questions: info@mycoldkey.com.
Controller: MyColdKey LLC, United States.