Privacy Policy
Version 1.0 — Beta · Effective March 21, 2026
Beta Software Notice
Keystone is currently in beta. Features, policies, and data handling practices may evolve. We will notify registered users of material changes to this document.
1. Introduction and Who We Are
This Privacy Policy explains how Keystone (“Keystone,” “we,” “us,” or “our”), a product of Tranquility Labs LLC, collects, uses, stores, and protects information about you when you use our service at keystoneapp.com and any related applications (collectively, the “Service”).
Keystone is a personal financial context engine. Our purpose is to help you consolidate your financial data into structured, portable artifacts that you own and control. We are deeply committed to data minimization and user ownership — these are not marketing claims, they are design principles reflected in our architecture.
For users in the European Economic Area (EEA) or United Kingdom, Keystone acts as a Data Controller in respect of your personal data as defined under the General Data Protection Regulation (GDPR) and the UK GDPR.
Contact us: privacy@keystoneapp.com | Brooklyn, New York
2. What Data We Collect
We collect only the data necessary to provide the Service. We do not sell your data, use it for advertising, or share it with third parties for their commercial purposes.
2.1 Financial Data You Enter
The core of Keystone is the financial data you voluntarily enter. This includes:
- Income information: salary, bonus structures, freelance earnings, investment income, retirement distributions
- Expense data: recurring and one-time expenses, categories, and projected changes
- Asset information: cash accounts, property values, vehicle values
- Investment holdings: brokerage accounts, retirement accounts (401k, IRA), other investment vehicles
- Liabilities: mortgages, loans, credit card balances, and associated payment terms
- Goals: savings targets, planned major purchases, retirement timelines
- Insurance: policy types, coverage amounts, premiums
- Household context: number of dependents, career information, geographic information
This data is highly sensitive. We treat it accordingly. See Section 5 for how it is stored and protected.
2.2 Account and Authentication Data
When you register for an account, we collect:
- Email address
- Password (stored as a salted cryptographic hash — we cannot read your password)
- Workspace identifiers associated with your account
2.3 Usage and Technical Data
When you use the Service, we may automatically collect limited technical information including:
- Browser type and version
- Operating system
- IP address (used for security and fraud prevention, not for tracking or profiling)
- Pages visited and features used within the Service
- Timestamps of actions (e.g., Keystone generation events)
We do not use third-party advertising trackers, behavioral analytics platforms, or cross-site tracking technologies.
2.4 Guest Mode Data
If you use Keystone in guest mode, you interact with a pre-populated demo dataset containing realistic but entirely fictitious financial data. No personal financial information you enter in guest mode is associated with an account or retained after your session ends. Guest sessions use only ephemeral server-side state and browser session storage.
3. Lawful Basis for Processing (GDPR)
If you are located in the EEA or UK, we process your personal data under the following lawful bases as required by Article 6 of the GDPR:
Performance of a Contract (Article 6(1)(b))
The primary basis on which we process your financial data and account data is contractual necessity. When you register and use Keystone, you enter into a contract with us (the Terms of Service), and processing your data is necessary to deliver the Service you have requested.
Legitimate Interests (Article 6(1)(f))
We process limited technical and usage data for our legitimate interests, including: securing the Service against unauthorized access; detecting and preventing fraud; debugging and improving Service reliability; and maintaining records of Keystone generation events.
Legal Obligation (Article 6(1)(c))
We may process or retain certain data where required by applicable law, including financial recordkeeping obligations, tax law, or in response to lawful requests from public authorities.
Consent (Article 6(1)(a))
Where we introduce any processing activity not covered by the above bases, we will seek your explicit, freely given, and revocable consent before commencing that processing.
Special Category Data Note: Financial data, while highly sensitive, is not automatically classified as “special category data” under GDPR Article 9. However, your financial data may in some cases reveal or correlate with health conditions, religious practices, or other special-category characteristics. We process it with the same heightened care as special-category data and restrict access accordingly.
4. How We Use Your Data
We use the data we collect solely for the following purposes:
- Service delivery: Compiling your Keystone artifact bundle (snapshot, planning timeline, constitution, manifest) from your financial data.
- Validation and scoring: Running validation checks and computing your data health score to surface data quality issues before export.
- Account management: Managing your account, authenticating your identity, and providing customer support.
- Keystone history: Recording metadata about your Keystone generation events (timestamp, schema version, health score) so you can track versions.
- Security and integrity: Detecting unauthorized access, preventing fraud, and maintaining the integrity of the Service.
- Service improvement: Using aggregated, non-personally-identifiable usage patterns to improve the reliability and quality of the Service.
- Legal compliance: Meeting our obligations under applicable law.
We do not use your data for: advertising; sale to third parties; building behavioral profiles for commercial purposes; or training AI or machine learning models on your personal financial information.
5. How We Store and Protect Your Data
5.1 Current Infrastructure
In the current beta phase, financial data entered via the web application is stored using the Notion API as a backend database. This means Notion, Inc. processes your data as a sub-processor on our behalf under a Data Processing Agreement. Notion's infrastructure is hosted on AWS in the United States. We are actively developing a migration to a self-hosted database (see Section 5.4 on the architecture roadmap).
5.2 Security Measures
We implement appropriate technical and organizational measures to protect your data, including:
- All data in transit is encrypted using TLS 1.2 or higher
- Passwords are stored as salted cryptographic hashes and are never transmitted or stored in plaintext
- API access is authenticated using JSON Web Tokens (JWT) with appropriate expiry
- Access to production systems is restricted to authorized personnel with documented access controls
- We conduct periodic reviews of our security posture
Despite these measures, no system is completely secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities as required by law (within 72 hours for GDPR-covered incidents where feasible).
5.3 The Keystone Artifact
When you generate a Keystone, the artifact bundle is compiled server-side and delivered to your device as a downloadable ZIP file. The artifact contains your financial data in structured form. Once delivered to you, the artifact is under your control. We retain a metadata record of each generation event (timestamp, health score, schema version) but do not retain a copy of the artifact contents after delivery.
5.4 Architecture Roadmap and Privacy Implications
Keystone is designed with a local-first philosophy. Our roadmap includes a desktop application (“Own the Software” tier) that runs entirely on your device with a local SQLite database — no data ever leaves your machine except in the Keystone artifact you choose to export. We will provide clear disclosure at each migration point about how the storage of your data changes.
6. Third-Party Data Processors
We share your data with a limited number of third-party service providers who process it strictly on our behalf and under our instructions. We maintain Data Processing Agreements with each of these processors:
- Notion, Inc.: Database backend (current MVP). Processes financial data entered via the web application. Data stored on Notion's infrastructure (AWS, US). Subject to Notion's Data Processing Addendum.
- Hosting Provider: Application server hosting. Processes server logs and authentication database.
- Email Provider: Transactional email delivery (account verification, security alerts). Processes email addresses only.
We do not use advertising networks, behavioral analytics platforms, data brokers, or any other third parties that would process your data for their own purposes.
7. International Data Transfers
Keystone is operated from New York. If you are located in the EEA or UK, your personal data may be transferred to and processed in countries outside the EEA/UK, including the United States, where data protection laws may differ from those in your jurisdiction.
We ensure that any such transfers are protected by appropriate safeguards, which currently include:
- For Notion, Inc.: reliance on Standard Contractual Clauses (SCCs) as adopted by the European Commission, supplemented by the EU-US Data Protection Framework where applicable
- For other processors: equivalent SCC-based mechanisms or adequacy decisions
You may request a copy of the applicable transfer mechanism by contacting us at privacy@keystoneapp.com.
8. Data Retention
We retain your personal data for no longer than is necessary for the purposes for which it was collected:
- Financial data: Retained for the life of your account. Deleted within 30 days of account deletion.
- Account and authentication data: Retained for the life of your account plus any legally required period (typically up to 7 years for fraud prevention records).
- Keystone generation metadata: Retained for the life of your account. Contains only timestamp, health score, and schema version — not artifact contents.
- Server logs and technical data: Retained for up to 90 days for security and debugging purposes, then automatically deleted.
If you delete your account, we will purge your financial data and account information within 30 days, except where we are legally required to retain certain records longer. We will confirm deletion on request.
9. Your Rights
9.1 Rights Under GDPR (EEA and UK Users)
- Right of Access (Article 15): You can request a copy of the personal data we hold about you.
- Right to Rectification (Article 16): You can correct inaccurate or incomplete personal data. Within Keystone, you can edit most financial data directly via the web UI at any time.
- Right to Erasure / “Right to be Forgotten” (Article 17): You can request deletion of your personal data where it is no longer necessary for the purpose for which it was collected.
- Right to Restriction of Processing (Article 18): You can request that we restrict processing of your data in certain circumstances.
- Right to Data Portability (Article 20): You can receive your personal data in a structured, commonly used, machine-readable format. The Keystone artifact export feature is designed to fulfill this right in practice.
- Right to Object (Article 21): You can object to processing based on legitimate interests.
- Right not to be subject to automated decision-making (Article 22): Keystone does not make automated decisions with legal or similarly significant effects on you. The data health score and validation report are informational tools only.
9.2 Rights Under CCPA/CPRA (California Residents)
California residents have additional rights under the CCPA as amended by the CPRA:
- Right to know what personal information is collected, used, disclosed, or sold
- Right to delete personal information (subject to exceptions)
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information (note: we do not sell or share your data)
- Right to non-discrimination for exercising your privacy rights
9.3 How to Exercise Your Rights
To exercise any of your rights, contact us at privacy@keystoneapp.com with the subject line “Privacy Rights Request.” We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.
If you are in the EEA or UK and are dissatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.
11. Children’s Privacy
Keystone is not directed at children under the age of 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will promptly delete it.
12. Beta Product Notice
Keystone is currently in beta. This means:
- Features, data models, and infrastructure may change significantly during the beta period
- We may migrate data between storage backends (e.g., from Notion to a self-hosted database) during this period. We will notify you in advance of any such migration and describe its privacy implications.
- Our security posture is actively maturing. We will disclose material security improvements as they are implemented.
13. Changes to This Policy
We will post any changes to this Privacy Policy on this page with an updated effective date. For material changes — changes that affect how we process your financial data, your rights, or who we share your data with — we will notify registered users by email at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
14. Contact Us
Data Controller: Tranquility Labs LLC
Privacy contact: privacy@keystoneapp.com
Postal address: Brooklyn, New York