Legal
Privacy Policy
Last updated 2026-04-25.
This is a placeholder draft. It will be replaced with a counsel-reviewed document before general availability.
What we collect
- Account data. Your email and a hashed password.
- License data. License keys, customer emails you assign, and metadata you choose to store.
- Activation data. Machine fingerprints (hashed), IP address, user-agent string, and timestamps.
- Logs. Request paths, status codes, latency. No request bodies. No Authorization headers.
What we don't collect
- Raw machine identifiers. They are hashed locally by the SDK before transit.
- Tracking cookies on the marketing site.
- Sensitive personal data. We do not need it.
How we use it
Strictly to operate the service: validate licenses, enforce activation limits, secure accounts, bill you. We do not sell or share data with advertisers or data brokers.
Subprocessors
Active sub-processors as of 2026-04-25:
- Stripe Payments Europe Ltd. (Ireland, EU subsidiary). Subscription billing for paid accounts only. Stripe is GDPR-compliant and processes card data under PCI DSS Level 1. Paperkey never sees card numbers.
- Hetzner Online GmbH (Germany). Application hosting, managed Postgres database, daily encrypted backups. ISO 27001-certified infrastructure operated entirely within the EU.
- Sentry GmbH (Germany, EU instance). Server-side error reporting. Stack traces only. No request bodies, no authorization headers.
Any new sub-processor will be announced on this page at least 30 days before it goes live, with a migration path for customers who object.
Cookies
This marketing site sets a functional cookie (light/dark
preference, locale) and the dashboard sets a session cookie
(paperkey_session, httpOnly,
Secure, SameSite=Lax) after sign-in.
No third-party trackers, no advertising pixels, no analytics
that fingerprint visitors. The dashboard's optional agent
telemetry is opt-in and never identifies the end user.
| Cookie | Purpose | Lifetime | Opt-out |
|---|---|---|---|
| paperkey_theme | Light / dark preference | 1 year | Browser settings |
| paperkey_session | Authenticated dashboard session | 7 days | Sign out |
Retention
Account and license data is retained until you delete it. Audit logs are retained for 90 days. Backups are retained per the underlying provider's policy and rotated.
Your rights
You can export your data from the dashboard at any time, edit it, or request deletion by emailing hello@paperkey.dev. We aim to honor requests within 30 days.
Data protection contact
Paperkey has not appointed a formal Data Protection Officer (DPO). The volume and nature of personal data processed (account email, hashed activation fingerprints) does not require one under Article 37 GDPR. The point of contact for any privacy question is hello@paperkey.dev. We aim to respond within 5 business days, with a hard ceiling at 30 days as required by the GDPR.
If you are not satisfied with our handling of a request, you can lodge a complaint with the French data protection authority (CNIL): cnil.fr/en/plaintes.
Security
Passwords are hashed with bcrypt (cost 12). API secret keys are hashed with scrypt + per-key salt. TLS in transit. Encrypted at rest by the managed database provider. Detailed posture is in our security backlog.
Contact
Questions: hello@paperkey.dev.