# Privacy Policy — Keepstone

> Keepstone's privacy policy. What we collect, why, how long we keep it, and what we will never do with it. Applies to Keepstone, LLC.

Source: https://keepstone.tech/privacy
Last modified: 2026-04-24

---


# What we collect, why, and what we never do with it.

This policy covers **Keepstone, LLC** (“we,” “us”), a Delaware limited liability company, and the website at **keepstone.tech**. It applies to anyone who visits the site, contacts us, submits an assessment or discovery request, or engages us to build and operate software. Contracted clients are additionally covered by our Master Services Agreement and Data Processing Agreement, which take precedence over anything on this page.

Effective January 2026 · Questions: privacy@keepstone.tech

01 · Information we collect

## Four categories, in order of sensitivity.

a · Website analytics

#### Standard server & analytics logs.

Page views, referrer, device & browser class, approximate location derived from IP (city/region), and timestamps. We use privacy-respecting analytics and do not set third-party advertising or cross-site tracking cookies.

_low_

b · Direct submissions

#### Anything you send us through a form or email.

Name, company, role, email, phone (if you provide it), and any context you share about your business or software. We only collect what you explicitly send. The intake forms on [/start](/start) also capture standard request metadata at submit time (browser user-agent, referring page, and the `path` query parameter that selected Assessment vs Discovery), which we use to distinguish the channel and to debug submissions that go missing. Submissions flow through our self-hosted automation at `n8n.whitenapp.cloud` and are recorded in our internal Google Workspace (Sheets row + Gmail notification to the team). See section 05 below for the subprocessor list and retention.

_confidential_

c · Assessment data

#### Results of comprehensive infrastructure & code review.

If you engage us for a free assessment, we perform a thorough review of the system you've asked us to evaluate. That can include: read-only access to hosting, domains, source repositories, CI/CD, databases, logs, monitoring, and integrations; a review of architecture, configuration, and code; and machine-generated output describing what we found. This is the most sensitive category of information we hold, and we treat it accordingly.

_high_

d · Engagement data

#### Information generated while we operate your software.

Under an active engagement, we have access to the systems we operate, including production data, logs, and configuration. This is governed by our Master Services Agreement and Data Processing Agreement, not this policy alone.

_contractual_

02 · Assessment data, specifically

## The most important thing on this page.

Free assessments require deep access. You're trusting us with material that could embarrass you, reveal weaknesses, or expose your customers. Here is exactly how we handle it.

i / iv

Least-privilege access

### Read-only, scoped, time-bound.

We request the minimum access required to complete the review. Access is scoped to the system being assessed, logged, and revocable by you at any time. No production writes, no customer-data exports unless explicitly required and agreed to in writing.

ii / iv

Need-to-know

### Two people, maximum.

Assessment material is accessible only to the Keepstone principal leading the engagement and the assigned engineer performing the review. It is never shared with subcontractors, marketing, or anyone outside the firm.

iii / iv

No training, no secondary use

### It's for you, not for us.

Your code, configuration, and data are never used to train models, seed datasets, or build generalized tooling. AI tools we use during the review run under enterprise agreements that prohibit training on inputs. We do not anonymize and reuse what we learn about your system.

iv / iv

30-day deletion

### Gone, unless we're working together.

If you don't engage us for services within 30 days of delivering the assessment, we delete the working material: scan output, notes, exports, and anything derived from your systems. The written report we handed you is yours to keep. Deletion is documented; you can request written confirmation.

**One exception.** If you explicitly ask us to retain the material longer — for example, because you're evaluating us alongside other firms and want the findings available to a future provider — we will, in writing, and delete on the date you name.

03 · How we use information

## Narrow purposes, written down.

### We do

*   Respond to your inquiry and evaluate fit
*   Perform assessments & discoveries you request
*   Operate software under signed engagements
*   Send billing and contractual communications
*   Keep our site secure and functioning
*   Comply with legal obligations

### We don't

*   Sell, rent, or share your information for marketing
*   Add you to newsletters without opt-in
*   Use client data to train AI models
*   Publish case studies without written consent
*   Operate third-party ad or retargeting pixels
*   Transfer your data to third parties outside the subprocessors below

04 · Retention

## How long we keep each category.

Website analytics

#### 13 months, rolling.

Aggregated analytics; individual session records are pruned on schedule.

_13 mo_

Inquiry & form submissions

#### 12 months from last contact.

Deleted sooner on request. Retained longer only if you become a client or ask us to.

_12 mo_

Assessment working data

#### Deleted within 30 days of assessment delivery.

Unless we begin a paid engagement, or you ask us in writing to retain it. The written report delivered to you is yours; the raw material is not kept.

_30 days_

Engagement records

#### Per contract.

Governed by your MSA and DPA. Operational data is deleted or returned at handoff; billing and legal records are retained as required by law.

_contractual_

05 · Subprocessors & tools

## Who else touches the work.

We use a small set of tools to run the firm and to operate client systems. The categories are listed below; the specific vendor list is current at the time of engagement and provided on request.

Firm operations

#### Email, documents, CRM, billing.

Used to run Keepstone. Not used to store client production data or assessment material.

_firm-only_

Form intake

#### Self-hosted automation + Google Workspace.

Submissions to the [/start](/start) intake forms (Assessment and Discovery) are processed by an n8n workflow we own and host at `n8n.whitenapp.cloud`, then written to a row in our private Google Sheet and notified to the team by Gmail. Both are inside our internal Google Workspace tenant, not a customer-facing system. The contents of a submission are retained while the engagement remains a possibility — typically through proposal, kickoff, and any follow-up — and are deleted within 30 days of a written deletion request to [privacy@keepstone.tech](mailto:privacy@keepstone.tech). We don't sell intake data, run paid advertising against it, or share it with third parties beyond the automation steps named above.

_self-hosted_

AI providers

#### Enterprise agreements only.

We use AI extensively to operate. Every provider we route data through is under a contract that disables training on inputs and enforces enterprise data handling. Consumer-tier AI tools are not used on client material.

_no training_

Source & CI

#### Inside your accounts where possible.

Source control, CI/CD, and hosting live in client-owned accounts by default. When code sits temporarily in a Keepstone-managed account during a build, it migrates to the client account at handoff.

_per project_

Monitoring & observability

#### Client-scoped, metadata-first.

Uptime checks, error tracking, logs, and metrics. Payloads are scoped to what's needed to operate monitoring; end-user PII is not routed through these tools unless unavoidable and contractually approved.

_metadata_

06 · Security

## How we protect what we hold.

### Controls

*   MFA on every account that touches client data
*   Encrypted credential storage; no shared passwords
*   Encrypted laptops; automatic screen lock
*   Least-privilege access, documented & auditable
*   Quarterly access review for active engagements

### Limits

*   We are a small firm, not SOC 2 audited today
*   We are transparent about that on the first call
*   We align to SOC 2 & NIST CSF controls in practice
*   Material clients receive a security questionnaire response

07 · Your rights

## What you can ask us to do.

These rights are available to everyone. California residents and residents of other jurisdictions with specific privacy laws have additional rights; we honor them regardless of where you live.

Access

#### Know what we have about you.

We'll tell you what categories of information we hold and, where practical, provide a copy.

_5 days_

Correction

#### Fix anything wrong.

If something we have about you is inaccurate, tell us and we'll correct it.

_5 days_

Deletion

#### Ask us to delete.

We'll delete what we hold, subject to legal & contractual retention obligations. For assessment working data, deletion happens automatically within 30 days unless you engage us.

_30 days_

Portability

#### Take it with you.

Engaged clients get everything back in native formats at handoff. Non-clients can request an export of the information we hold about them.

_on request_

Opt-out

#### Stop hearing from us.

Any email we send includes a way to opt out of non-essential communications. Transactional and contractual messages continue.

_immediate_

Email [privacy@keepstone.tech](mailto:privacy@keepstone.tech) for any request. We respond within five business days.

08 · Other standard terms

## The small print, still in plain English.

Children

#### Our services are not for children.

We don't knowingly collect information from anyone under 16. If you believe we have, contact us and we'll delete it.


International transfers

#### We are a US firm.

We operate from the United States. If you contact us from outside the US, your information is transferred to and processed in the US.

_US_

Changes to this policy

#### We'll tell you.

Material changes are announced on this page with a new effective date. Engaged clients receive direct written notice of changes that affect the handling of their data.

_notified_

Governing law

#### California.

This policy is governed by the laws of the State of California, without regard to conflict-of-laws rules.

_CA_

09 · Contact

## Questions, requests, or concerns.

Email [privacy@keepstone.tech](mailto:privacy@keepstone.tech). We respond within five business days. If you'd rather talk to a person first, ask for a call — we don't hide behind forms.

Keepstone, LLC · Delaware LLC · privacy@keepstone.tech

