What we collect, why, and what we never do with it.
This policy covers Keepstone, LLC (“we,” “us”), a Delaware limited liability company, and the website at keepstone.tech. It applies to anyone who visits the site, contacts us, submits an assessment or discovery request, or engages us to build and operate software. Contracted clients are additionally covered by our Master Services Agreement and Data Processing Agreement, which take precedence over anything on this page.
Four categories, in order of sensitivity.
Standard server & analytics logs.
Page views, referrer, device & browser class, approximate location derived from IP (city/region), and timestamps. We use privacy-respecting analytics and do not set third-party advertising or cross-site tracking cookies.
Anything you send us through a form or email.
Name, company, role, email, phone (if you provide it), and any context you share about your business or software. We only collect what you explicitly send. The intake forms on /start also capture standard request metadata at submit time (browser user-agent, referring page, and the path query parameter that selected Assessment vs Discovery), used to distinguish channel and to debug submissions that go missing. Submissions flow through our self-hosted automation at n8n.whitenapp.cloud and are recorded in our internal Google Workspace (Sheets row + Gmail notification to the team). See section 05 below for the subprocessor list and retention.
Results of comprehensive infrastructure & code review.
If you engage us for a free assessment, we perform a thorough review of the system you've asked us to evaluate. That can include: read-only access to hosting, domains, source repositories, CI/CD, databases, logs, monitoring, and integrations; a review of architecture, configuration, and code; and machine-generated output describing what we found. This is the most sensitive category of information we hold, and we treat it accordingly.
Information generated while we operate your software.
Under an active engagement, we have access to the systems we operate, including production data, logs, and configuration. This is governed by our Master Services Agreement and Data Processing Agreement, not this policy alone.
The most important thing on this page.
Free assessments require deep access. You're trusting us with material that could embarrass you, reveal weaknesses, or expose your customers. Here is exactly how we handle it.
Read-only, scoped, time-bound.
We request the minimum access required to complete the review. Access is scoped to the system being assessed, logged, and revocable by you at any time. No production writes, no customer-data exports unless explicitly required and agreed to in writing.
Two people, maximum.
Assessment material is accessible only to the Keepstone principal leading the engagement and the assigned engineer performing the review. It is never shared with subcontractors, marketing, or anyone outside the firm.
It's for you, not for us.
Your code, configuration, and data are never used to train models, seed datasets, or build generalized tooling. AI tools we use during the review run under enterprise agreements that prohibit training on inputs. We do not anonymize and reuse what we learn about your system.
Gone, unless we're working together.
If you don't engage us for services within 30 days of delivering the assessment, we delete the working material: scan output, notes, exports, and anything derived from your systems. The written report we handed you is yours to keep. Deletion is documented; you can request written confirmation.
Narrow purposes, written down.
We do
- →Respond to your inquiry and evaluate fit
- →Perform assessments & discoveries you request
- →Operate software under signed engagements
- →Send billing and contractual communications
- →Keep our site secure and functioning
- →Comply with legal obligations
We don't
- —Sell, rent, or share your information for marketing
- —Add you to newsletters without opt-in
- —Use client data to train AI models
- —Publish case studies without written consent
- —Operate third-party ad or retargeting pixels
- —Transfer your data to third parties outside the subprocessors below
How long we keep each category.
13 months, rolling.
Aggregated analytics; individual session records are pruned on schedule.
12 months from last contact.
Deleted sooner on request. Retained longer only if you become a client or ask us to.
Deleted within 30 days of assessment delivery.
Unless we begin a paid engagement, or you ask us in writing to retain it. The written report delivered to you is yours; the raw material is not kept.
Per contract.
Governed by your MSA and DPA. Operational data is deleted or returned at handoff; billing and legal records are retained as required by law.
Who else touches the work.
We use a small set of tools to run the firm and to operate client systems. The categories are listed below; the specific vendor list is current at the time of engagement and provided on request.
Email, documents, CRM, billing.
Used to run Keepstone. Not used to store client production data or assessment material.
Self-hosted automation + Google Workspace.
Submissions to the /start intake forms (Assessment and Discovery) are processed by an n8n workflow we own and host at n8n.whitenapp.cloud, then written to a row in our private Google Sheet and notified to the team by Gmail. Both are inside our internal Google Workspace tenant, not a customer-facing system. The contents of a submission are retained while the engagement remains a possibility — typically through proposal, kickoff, and any follow-up — and are deleted within 30 days of a written deletion request to privacy@keepstone.tech. We don't sell intake data, run paid advertising against it, or share it with third parties beyond the automation steps named above.
Enterprise agreements only.
We use AI extensively to operate. Every provider we route data through is under a contract that disables training on inputs and enforces enterprise data handling. Consumer-tier AI tools are not used on client material.
Inside your accounts where possible.
Source control, CI/CD, and hosting live in client-owned accounts by default. When code sits temporarily in a Keepstone-managed account during a build, it migrates to the client account at handoff.
Client-scoped, metadata-first.
Uptime checks, error tracking, logs, and metrics. Payloads are scoped to what's needed to operate monitoring; end-user PII is not routed through these tools unless unavoidable and contractually approved.
How we protect what we hold.
Controls
- →MFA on every account that touches client data
- →Encrypted credential storage; no shared passwords
- →Encrypted laptops; automatic screen lock
- →Least-privilege access, documented & auditable
- →Quarterly access review for active engagements
Limits
- →We are a small firm, not SOC 2 audited today
- →We are transparent about that on the first call
- →We align to SOC 2 & NIST CSF controls in practice
- →Material clients receive a security questionnaire response
What you can ask us to do.
These rights are available to everyone. California residents and residents of other jurisdictions with specific privacy laws have additional rights; we honor them regardless of where you live.
Know what we have about you.
We'll tell you what categories of information we hold and, where practical, provide a copy.
Fix anything wrong.
If something we have about you is inaccurate, tell us and we'll correct it.
Ask us to delete.
We'll delete what we hold, subject to legal & contractual retention obligations. For assessment working data, deletion happens automatically within 30 days unless you engage us.
Take it with you.
Engaged clients get everything back in native formats at handoff. Non-clients can request an export of the information we hold about them.
Stop hearing from us.
Any email we send includes a way to opt out of non-essential communications. Transactional and contractual messages continue.
Email privacy@keepstone.tech for any request. We respond within five business days.
The small print, still in plain English.
Our services are not for children.
We don't knowingly collect information from anyone under 16. If you believe we have, contact us and we'll delete it.
We are a US firm.
We operate from the United States. If you contact us from outside the US, your information is transferred to and processed in the US.
We'll tell you.
Material changes are announced on this page with a new effective date. Engaged clients receive direct written notice of changes that affect the handling of their data.
California.
This policy is governed by the laws of the State of California, without regard to conflict-of-laws rules.
Questions, requests, or concerns.
Email privacy@keepstone.tech. We respond within five business days. If you'd rather talk to a person first, ask for a call — we don't hide behind forms.
Keepstone, LLC · Delaware LLC · privacy@keepstone.tech
Start with an assessment.
Free review of a system you have, or paid discovery to design a system you need. Your data handled the way this page describes.