Privacy Policy
Last updated: February 2026
1. Who We Are
HumanKey (“we”, “us”) provides AI traffic intelligence services. This policy explains how we collect, use, and protect personal data in compliance with the GDPR and ePrivacy Directive.
Data Controller: HumanKey, a ChainGuard project, Poland.
Contact: Contact Form (Privacy Inquiries)
2. Data We Collect
Account Data
- Email address, name (optional)
- OAuth provider identifiers (Google) — only if you use social login
- Hashed password (bcrypt, 12 rounds) — only if using email/password authentication
- Account metadata: plan tier (free/pro/enterprise), role (user/admin), registration timestamp, email verification status
- Stripe customer ID (only if you subscribe to a paid plan)
Traffic Analysis Data
- IP addresses: Hashed with a daily rotating salt — we never store raw IP addresses
- User-Agent strings: Truncated to 200 characters for bot classification only
- Page URLs and referrer URLs (for traffic analysis)
- Visit timestamps and duration
- Bot classification results (human/bot, confidence score)
3. Legal Basis (GDPR Art. 6)
- Contract performance: Processing account data to provide our service
- Legitimate interest: Bot detection and traffic classification to protect website owners
- Consent: Analytics cookies (optional, via cookie consent banner)
Automated Processing (Art. 22 GDPR)
Our bot detection uses automated classification of web traffic requests. This automated processing does not produce legal effects or similarly significantly affect your website visitors — it classifies network requests, not individuals. Visitors whose requests are classified as AI bot traffic are not individually profiled or subjected to consequential automated decisions.
4. Data Minimisation
We follow the principle of data minimisation. IP addresses are hashed before storage, User-Agent strings are truncated, and we only retain data necessary for traffic analysis.
5. Your Rights
Under the GDPR, you have the right to:
- Access: Export all your data from Dashboard → Settings → Export Data
- Erasure: Delete your account and all associated data from Dashboard → Settings → Delete Account
- Portability: Download your data in JSON format
- Rectification: Update your profile information in Dashboard → Settings
- Object: Contact us to opt out of specific processing activities
6. Cookies
- Essential: Authentication tokens (httpOnly, secure) — required for login
- Optional: Analytics cookies — only set with your consent
7. Data Retention
Visit data retention depends on your plan:
- Free plan: 7 days
- Pro plan: 30 days
- Business plan: 90 days
- Enterprise plan: 365 days
Data older than your plan's retention period is automatically and permanently deleted. Account data is retained until you delete your account.
Account Deletion & Data Portability
Deletion
You may delete your account at any time from Settings > Account > Delete Account. Upon deletion, all traffic records, API keys, and account data are permanently erased within 30 days. Site configuration data is deleted immediately.
Data Portability
You may export your traffic data in CSV or JSON format from the Dashboard at any time before account deletion. This right is available to all plan tiers.
8. Sub-Processors & Third-Party Services (GDPR Art. 28)
We use the following sub-processors to deliver our service. All processors are contractually bound by Data Processing Agreements (DPAs) that comply with GDPR requirements:
| Service | Purpose | Location | DPA |
|---|---|---|---|
| Neon | PostgreSQL database hosting (primary data store) | 🇩🇪 Azure Germany West Central (Frankfurt, Germany) | View DPA |
| Railway | Backend API hosting, Redis cache | 🇳🇱 EU West (Amsterdam, Netherlands) | View DPA |
| Vercel | Frontend hosting & CDN (Edge Network) | 🇺🇸 Global (US-based, EU-US DPF certified) | View DPA |
| Stripe | Payment processing & subscription billing | 🇺🇸 US (GDPR-compliant, EU SCCs) | View DPA |
| Sentry | Error tracking (PII stripped before transmission) | 🇺🇸 US (GDPR-compliant, EU SCCs) | View DPA |
| Resend | Transactional emails (verification, password reset) | 🇺🇸 US (GDPR-compliant) | View DPA |
| Google | OAuth authentication (optional — only if you choose social login) | 🇺🇸 US (EU-US DPF certified, EU SCCs) | Standard DPAs |
🛡️ Data Transfer Safeguards
- EU Storage: All primary data (accounts, visits, analytics) is stored in EU regions (Neon Germany, Railway Netherlands)
- Standard Contractual Clauses: US-based processors (Vercel, Stripe, Sentry, Resend) have executed EU SCCs per GDPR Chapter V
- EU-US Data Privacy Framework: Vercel is certified under the EU-US DPF (2024), providing additional adequacy safeguards
- PII Minimization: Sentry receives NO personal identifiers — all email addresses and IP addresses are stripped via a beforeSend hook before transmission
- Stripe Data Retention: Payment data is retained by Stripe for 7 years per EU tax law. You can request deletion after the legal retention period expires.
- Right to Object: If you object to data transfers outside the EU, contact us via our contact form. Note that certain services (billing, OAuth) require US processors — opting out may limit functionality.
9. Security
We use encryption in transit (TLS), hashed passwords (bcrypt), JWT token rotation, rate limiting, and row-level access control to protect your data.
10. Data Protection Impact Assessment
Our systematic bot monitoring processing has been assessed under GDPR Article 35. View the full Data Protection Impact Assessment (DPIA) for details on risk assessment, safeguards, and compliance measures.
Children's Data
HumanKey is a business-to-business (B2B) service intended for website owners and operators. We do not knowingly collect data from individuals under 18 years of age. If you become aware of a minor using the Service, please contact us via our contact form.
11. Contact
For privacy-related inquiries, contact us via our contact form.