Privacy Policy
Effective date: July 18, 2026
This Privacy Policy explains what information Seekrit ("we," "us," or "our") collects when you use the seekrit secrets management service (the "Service"), why we collect it, and the choices you have. It's meant to be read together with our security model, which describes in technical detail what the server can and cannot see.
Contents
- The short version
- Information we collect
- What we never see
- How we use information
- Cookies and local storage
- How we share information
- Data retention
- Security
- Your rights and choices
- International data transfers
- Children's privacy
- Changes to this policy
- Contact
The short version
seekrit is zero-knowledge by design: your secret values are encrypted in your browser or CLI before they ever leave your device, and we never hold the keys needed to decrypt them. What we collect instead is account information, billing information, and metadata — names, roles, timestamps, and audit events — never secret contents. We don't sell your data, and we don't run ad-tracking on the Service.
Information we collect
Account and identity information. When you sign up, we (through our authentication provider, Stytch) collect your email address, name, and authentication details, and which organizations you belong to and with what role.
Organization and workspace metadata. Names of your organizations, applications, environments, groups, and secrets; roles and key grants; service token metadata (a hash of the token and its public key, never the token itself); and the append-only audit log of who did what and when.
Secret ciphertext and wrapped keys. We store the encrypted contents of your secrets and environment keys wrapped to your principals' public keys. This is data we hold but, by design, cannot read — see what we never see.
Usage data. Sampled, metered counts of activity such as secret resolves, used to calculate usage and to detect abuse. This is aggregate/count data, not a record of which secret values were read.
Device and log data. Standard request metadata our infrastructure provider, Cloudflare, processes to serve traffic and defend against abuse — IP address, user agent, timestamps, and request paths.
Communications. If you email us (for support, security reports, or otherwise), we keep that correspondence and any information you choose to include in it.
What we never see
Mirroring our security model:
- Plaintext secret values.
- Any environment's data-encryption key in unwrapped, decryptable form.
- Any user's private key in unencrypted form.
- Any account passphrase.
- The full string of a service token — only its hash.
A full compromise of our infrastructure would expose ciphertext and metadata, never usable secret values, because we never hold the keys required to decrypt them.
How we use information
We use the information above to: operate and secure the Service; authenticate you and enforce access control; calculate usage and process billing; send transactional emails you haven't opted out of (see email notifications); respond to support and security reports; detect, investigate, and prevent abuse or security incidents; and comply with legal obligations. We do not use your data to serve ads, and we do not build advertising profiles.
Cookies and local storage
The seekrit dashboard stores your session token in your browser's local storage, not a tracking cookie, to keep you signed in. Our authentication provider, Stytch, may set its own cookies during hosted login flows (for example, an OAuth redirect). We don't run third-party advertising or analytics trackers on the Service or this site.
How we share information
We share information only as needed to run the Service:
- Service providers (subprocessors). Cloudflare (hosting, database, key-value storage, usage metering, and transactional email delivery), Stytch (authentication), and Stripe (payment processing) each process the data described above solely to provide their part of the Service, under their own security and confidentiality obligations to us.
- Your own integrations. If you configure audit log export to your own OTLP endpoint (Datadog, Grafana, Splunk, etc.), that export goes where you direct it — it's your data going to a destination you control, not a Seekrit subprocessor relationship.
- Legal and safety. We may disclose information if required by law, subpoena, or legal process, or when we believe in good faith it's necessary to protect the rights, property, or safety of Seekrit, our customers, or others.
- Business transfers. If Seekrit is involved in a merger, acquisition, or asset sale, information may be transferred as part of that transaction, subject to this Policy.
We do not sell your personal information.
Data retention
We retain account and organization metadata for as long as your account is active, and audit log entries as an append-only record for as long as the organization exists (or as required by applicable law). If you close your account, we retain data for a reasonable transition period to allow export and to meet legal, tax, and security obligations, after which it's deleted or anonymized.
Security
Secret values and environment keys are encrypted client-side before they reach us and remain encrypted at rest; all traffic to the Service is encrypted in transit. Because decryption happens only on your devices, we cannot recover a lost passphrase or private key on your behalf — see your content and your keys in our Terms. If you discover a security vulnerability, please report it to security@seekrit.dev rather than disclosing it publicly — see our responsible disclosure process.
Your rights and choices
- Access and export. You can view and export your organization's data — secrets, metadata, and audit history — directly from the dashboard or CLI at any time.
- Deletion. You can delete secrets, environments, applications, or your entire organization from the dashboard. Closing your account triggers the retention period described above.
- Notification preferences. Each transactional email type has its own on/off switch under account → notification settings.
- Data subject rights. Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal information, or to object to or restrict certain processing. To exercise any of these rights, contact privacy@seekrit.dev; we'll respond consistent with applicable law.
International data transfers
Cloudflare's network operates globally, which means information may be processed in countries other than your own. Where required, we rely on appropriate safeguards (such as standard contractual clauses) for these transfers.
Children's privacy
The Service is not directed to individuals under 18, and we don't knowingly collect personal information from children. If you believe a child has provided us information, contact us at privacy@seekrit.dev and we'll delete it.
Changes to this policy
We may update this Policy from time to time. If a change is material, we'll provide reasonable notice (for example, by email or an in-app notice) before it takes effect. The "Effective date" above reflects the last update.
Contact
Questions about this Policy or your data: privacy@seekrit.dev. Security reports: security@seekrit.dev.