Privacy Policy

    Last updated: May 18, 2026

    1. Scope

    This Privacy Policy describes how Keel API, Inc., a Delaware corporation doing business as Keel ("Keel," "we," "our," or "us"), collects, uses, discloses, and retains personal data in connection with our website, documentation, dashboards, APIs, support channels, and related services.

    Keel API, Inc. is the controller for personal data we collect about website visitors, prospective customers, account users, billing contacts, and support contacts. If you use Keel through an organization, that organization may separately control some account, workspace, and customer data. Where we process customer data on behalf of a customer under a separate agreement, that agreement and any applicable data processing addendum govern that processing relationship.

    2. Personal Data We Collect

    Depending on how you interact with Keel, we may collect:

    • Account and contact information such as name, email, company, billing contact, and role.
    • Commercial and billing information such as plan, invoice, payment status, and governed-request volume.
    • Service configuration data such as project identifiers, policy settings, routing preferences, and provider credential metadata.
    • Request, permit, routing, usage, lifecycle, audit, and support records generated through the service.
    • Device, usage, and log data such as IP address, timestamps, browser or device information, and security event records.
    • Website and marketing data such as form submissions, newsletter preferences, cookies, local-storage preferences, and analytics data described in our Cookie Policy.

    3. How Keel Handles AI Request Data

    Keel is an AI control plane for governed execution. Keel is not a model host. What request data Keel receives depends entirely on which mode you use, and you choose the mode.

    Permit-first mode. When you call Keel only for a permit decision, Keel receives request metadata — model, estimated token counts, declared attributes, and identifiers — and evaluates your policy against it. Keel does not receive your prompt content or the AI's output, and Keel does not receive your AI provider API keys. Your application calls the AI provider directly, outside Keel.

    Governed-execution mode. When you route an AI call through Keel (the execute and provider-proxy routes), Keel relays the call to the provider on your behalf. To do that, Keel receives the prompt-bearing request body, in order to dispatch it and, where the prompt firewall is enabled, to screen it. AI provider API keys used on these routes are stored with application-layer encryption and resolved server-side; they are not exposed in logs or governance events.

    In either mode, Keel does not persist raw prompt text. On governed-execution routes the request body is held only in memory — for as long as it takes to dispatch the call and, where the prompt firewall is enabled, to screen it. What Keel retains about the request is a cryptographic digest of it, used to bind and later verify the request, together with metadata such as token counts, provider and model identifiers, cost, timestamps, permit decisions, reason codes, constraints, routing metadata, and budget accounting entries. Prompt firewall evaluation runs inline against the request payload; firewall results are recorded as metadata such as rule matches and outcomes, never as stored prompt text.

    Keel does retain the provider's response on governed-execution routes. The response body is stored on the request's execution record, and — for idempotent proxy calls — in a short-lived response cache, so that retried requests return a consistent result and the request can be reconstructed for audit and reconciliation. Large responses are size-capped. Retained responses are subject to the retention practices described in the Retention section below. Permit-first requests return no provider output to Keel, so there is no response for Keel to store.

    4. How We Use Personal Data

    • To provide, operate, maintain, secure, and support the service.
    • To authenticate users and enforce project-scoped access.
    • To evaluate governed requests and issue permit decisions before execution.
    • To route, constrain, deny, or manage governed execution on supported routes.
    • To persist audit, lifecycle, usage, billing, and accounting records.
    • To monitor availability, debug issues, prevent abuse, and investigate incidents.
    • To communicate about support issues, security notices, billing, and legal updates.
    • To improve our services, documentation, and operational processes.

    5. Infrastructure and Service Providers

    Keel uses service providers and infrastructure vendors to operate the service, including authentication, compute and database hosting, object storage, billing, and timestamping services for certain enterprise evidence flows. Our current subprocessor list, including vendor names and roles, is published at /subprocessors. Questions: privacy@keelapi.com.

    We may also disclose relevant request data to third-party AI providers when you use managed execution routes. If you use permit-first flows, your application may call those providers directly after Keel issues a permit, and that downstream provider-side processing is governed by your relationship with that provider.

    6. Security and Data Handling

    • Customer traffic is served over HTTPS.
    • Project-scoped data is protected by database-enforced tenant isolation controls.
    • Stored objects use server-side encryption, and provider keys use application-layer encryption.
    • Runtime secrets are managed outside the repository.
    • Structured logging redacts common secret keys and secret-like values.

    7. Retention

    Retention varies by data type, plan, customer agreement, and legal or security requirements. Keel currently enforces plan-tier dashboard log retention windows for a limited subset of dashboard-facing records:

    • Starter: 30 days
    • Production: 180 days
    • Enterprise: 365 days

    Those windows do not currently apply to every compliance, evidence, or lifecycle record in the system. Some records remain governed by Keel's evidence model, export surfaces, security needs, accounting needs, backups, dispute handling, and any applicable contractual or legal obligations.

    8. Your Rights and Requests

    Depending on your location and the context of processing, you may have rights to access, correct, delete, restrict, object to, or receive a portable copy of certain personal data. We may need to verify your identity and authority before responding.

    If we process personal data on behalf of a customer, we may direct your request to that customer. For customers with separate contractual commitments, data subject request handling may also be governed by the applicable customer agreement.

    9. Data Sharing

    We do not sell personal data. We may disclose personal data to service providers, third-party AI providers involved in managed execution, customer administrators and authorized users within the same customer account, professional advisors, auditors, potential acquirers under confidentiality protections, or when required by law or necessary to protect rights, safety, or security.

    10. International Transfers

    Keel and its service providers may process personal data in the United States and other jurisdictions where Keel or its subprocessors operate. Where required, we will use appropriate legal transfer mechanisms for cross-border data transfers.

    11. Changes to This Policy

    We may update this Privacy Policy from time to time. We will post the updated version here and revise the last updated date. Where required by law, we will provide additional notice.

    12. Contact

    For privacy-related questions or requests, contact privacy@keelapi.com. For legal notices, contact legal@keelapi.com. For cookie-specific disclosures, see our Cookie Policy.