Privacy Policy

This Privacy Policy document explains what personal data we process, why we process it, and your rights under the General Data Protection Regulation (“GDPR”).

Author: PlainKey

PlainKey (“PlainKey”, “we”, “us”) provides a passkeys-only authentication service for developers and organisations.

PlainKey is currently offered as an early beta. We take privacy seriously and aim to process the minimum amount of personal data required to operate the service.

PlainKey is designed as a European-first authentication service, with GDPR considerations built into the architecture from the start. We aim to minimise personal data, clearly separate data controller and processor roles, and provide transparency around how data is handled.


1. Who we are

Service name: PlainKey
Operator: PlainKey
Location: Norway
Contact: privacy@plainkey.io

PlainKey is the data controller for personal data processed in connection with our website and customer accounts.

When PlainKey is used by customers to authenticate their own end users, PlainKey acts as a data processor on behalf of the customer.


2. Data roles and responsibilities

PlainKey processes personal data in two distinct contexts:

2.1 PlainKey customers (account holders)

When individuals or organisations create an account with PlainKey, PlainKey acts as the data controller for personal data related to those customer accounts.

This includes data such as:

  • name
  • email address
  • company information
  • authenticator metadata required for authentication security
  • public key credential data (WebAuthn credentials), authentication challenges, and other data used for authentication
  • authentication event data
  • account and project metadata

This data is processed to provide, operate, and secure the PlainKey service.


2.2 End users of PlainKey customers

When PlainKey is used to enable passkey authentication for a customer's application, PlainKey processes authentication data on behalf of the customer.

In this context:

  • the customer is the data controller
  • PlainKey acts as a data processor

PlainKey processes only the data required to perform authentication, such as:

  • user identifiers (e.g. username or email, as provided by the customer)
  • public key credential data (WebAuthn credentials), authentication challenges, and other data used for authentication
  • authenticator metadata required for authentication security
  • authentication event data

This data is processed to provide, operate, and secure the PlainKey service.

PlainKey does not manage end-user identities, user profiles, or application sessions. Customers remain fully responsible for identity management, session handling, and communication with their end users.


3. What data we do not process

PlainKey does not:

  • store passwords
  • store private cryptographic keys
  • sell personal data
  • use personal data for advertising
  • track end users across unrelated websites

Private authentication keys remain securely on the user's device or platform authenticator.


4. Legal bases for processing

PlainKey processes personal data under the following GDPR legal bases:

  • Contract - Article 6(1)(b) - to provide and operate the PlainKey service (contractual obligations between PlainKey and its customers)
  • Legitimate interests - Article 6(1)(f) - to maintain security, prevent abuse, and improve reliability (to protect the security and integrity of the PlainKey service)
  • Legal obligations - Article 6(1)(c) - where required by applicable law (to comply with legal obligations such as data protection laws)

5. Subprocessors

PlainKey uses a limited number of subprocessors to operate the service. These subprocessors process personal data only on PlainKey's behalf and are subject to appropriate GDPR safeguards.

Current subprocessors include:

  • Vercel - hosting infrastructure
    • Region: Stockholm, Sweden (North) - eu-north-1 - arn1
  • Supabase - database and backend infrastructure
    • Region: eu-north-1 and eu-west-1

This list may be updated as the service evolves.

PlainKey follows a Europe-first infrastructure approach. We prioritise EU regions and GDPR safeguards when selecting infrastructure providers. To enable rapid development and early validation of the service, PlainKey currently relies on a small number of widely used and established infrastructure providers that support EU-region deployments. As the service matures, infrastructure choices are continuously reviewed with the goal of maintaining strong European data residency and privacy standards.


6. International data transfers

PlainKey aims to host and process personal data within the EEA or in European jurisdictions recognised by the European Commission as providing an adequate level of data protection (such as the UK and Switzerland).

If personal data is transferred outside these jurisdictions, appropriate safeguards (such as Standard Contractual Clauses) are applied in accordance with GDPR requirements.


7. Data retention

PlainKey retains personal data only for as long as necessary:

  • customer account data is retained until deletion is requested or required for legal reasons
  • authentication credential data is retained while the customer uses the service
  • logs may be retained for a limited period for security, debugging, and abuse prevention

8. Security measures

PlainKey implements appropriate technical and organisational measures to protect personal data, including:

  • encryption in transit (TLS)
  • authenticated and restricted access to production systems
  • least-privilege access principles
  • logging and monitoring for security and abuse prevention

As an early beta service, security practices are continuously reviewed and improved as the service evolves.


9. Data Processing Agreement (DPA)

When acting as a data processor for customer end users, PlainKey will provide a Data Processing Agreement (DPA) to customers before production use of the service.


10. Your rights

Under the GDPR, individuals have the right to:

  • access their personal data
  • request correction or deletion
  • object to processing
  • request restriction of processing
  • data portability
  • lodge a complaint with a supervisory authority

Requests may be sent to privacy@plainkey.io.

Where PlainKey acts as a data processor, end users should generally direct privacy-related requests to the relevant customer, who acts as the data controller for that data.


11. Changes to this policy

We reserve the right to update this Privacy Policy as PlainKey evolves.
The most recent version will always be available on this page.