Privacy Policy

Last updated: February 26, 2026

1. Introduction

HitKey ("we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our OAuth 2.0 identity provider platform (the "Service").

By accessing or using the Service, you signify that you have read, understood, and agree to the collection and use of your information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

We collect the following categories of information:

Account Information: email address, password (stored in hashed form using scrypt), display name, surname, given names, native script representation, and username.

Authentication Data: OAuth 2.0 tokens (authorization codes, access tokens, refresh tokens), two-factor authentication secrets (encrypted), session identifiers, and login timestamps.

Technical Data: IP address, browser type and version, operating system, device identifiers, referring URLs, and pages visited within the Service.

OAuth Authorization Data: records of third-party applications you have authorized, scopes granted, and authorization timestamps.

3. How We Use Your Information

We use the collected information for the following purposes:

Service Operation: to create and manage your account, authenticate your identity, generate and validate OAuth 2.0 tokens, and facilitate single sign-on across authorized applications.

Security: to detect, prevent, and respond to fraud, abuse, security incidents, and technical issues; to enforce our Terms of Service; and to maintain audit logs for compliance purposes.

Communication: to send you service-related notices, including security alerts, verification codes, password reset instructions, and account notifications.

Improvement: to analyze usage patterns, diagnose technical problems, and improve the functionality, reliability, and user experience of the Service.

4. Your Consent

By creating an account and using the Service, you provide your explicit, informed, and unambiguous consent to the collection, processing, storage, and use of your personal data as described in this Privacy Policy.

You acknowledge that you provide all personal data voluntarily, of your own free will, and with full understanding of how it will be processed. This consent extends to all data processing operations necessary for the provision of the Service, including the transmission of your authorized profile data to third-party applications through the OAuth 2.0 protocol when you explicitly grant such authorization.

You have the right to withdraw your consent at any time by deleting your account. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.

5. Data Storage and Security

We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption: passwords are hashed using scrypt; two-factor authentication secrets are encrypted at rest; all data in transit is protected with TLS 1.2 or higher.

Access Control: strict role-based access controls limit data access to authorized personnel and systems on a need-to-know basis.

Infrastructure: data is stored in secure facilities with appropriate physical and environmental safeguards.

While we strive to protect your personal data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.

6. Third-Party Access

When you authorize a third-party application through the OAuth 2.0 protocol, we transmit only the specific profile data corresponding to the scopes you have approved. We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

Third-party applications that receive your data through the OAuth 2.0 protocol are subject to their own privacy policies and data handling practices. We are not responsible for the privacy practices of third-party applications.

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to: comply with a legal obligation, protect and defend our rights or property, prevent or investigate possible wrongdoing in connection with the Service, or protect the personal safety of users or the public.

7. Cookies and Tracking Technologies

The Service uses cookies and similar technologies strictly for functional purposes:

Session Cookies: to maintain your authenticated session and provide a seamless user experience across pages.

Preference Cookies: to store your language preference and interface settings.

Security Cookies: to support CSRF protection, rate limiting, and other security mechanisms.

We do not use advertising cookies, third-party tracking pixels, or behavioral analytics services. You may configure your browser to reject cookies, but certain features of the Service may not function properly without them.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right of Access: you may request a copy of the personal data we hold about you.

Right to Rectification: you may update or correct your personal data at any time through your account settings.

Right to Erasure: you may request the deletion of your account and associated personal data, subject to any applicable legal retention obligations.

Right to Data Portability: you may request your personal data in a structured, commonly used, and machine-readable format.

Right to Object: you may object to certain processing of your personal data where we rely on legitimate interests as the legal basis.

To exercise any of these rights, please contact us through the HITKEY website.

9. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with the Service. Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by applicable law, regulation, or legitimate business purposes such as:

Compliance with legal or regulatory obligations.

Resolution of disputes and enforcement of our agreements.

Prevention of fraud and abuse.

Authentication logs and security-related records may be retained for up to 12 months following account deletion for security audit purposes.

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such information promptly. If you believe that a child under 16 has provided us with personal data, please contact us immediately.

11. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than the country in which you reside. By using the Service, you consent to the transfer of your information to countries that may have data protection laws that differ from those of your country of residence.

Where we transfer personal data across borders, we implement appropriate safeguards to ensure that your data receives an adequate level of protection in accordance with applicable data protection laws.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated Privacy Policy on the Service and updating the "Last updated" date.

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy. We encourage you to review this Privacy Policy periodically.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through the HITKEY website.