Legal

Privacy Policy

Last updated: April 4, 2026

This Privacy Policy ("Policy") describes how Kevo Labs ("Kevo," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the Kevo platform, SDK, APIs, portal, documentation, and all related services (collectively, the "Services"). By accessing or using the Services, you agree to this Policy. If you do not agree, do not use the Services.

1. Definitions

  • "Customer" means any entity or individual who integrates or uses the Kevo Services (e.g., a developer or company using Kevo SDK).
  • "End User" means a user of the Customer's application who interacts with Kevo-powered wallet functionality.
  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable data protection legislation (including GDPR, CCPA, and equivalent regulations).
  • "Key Material" means cryptographic secrets, signer-encrypted wallet material, export artifacts, and related security metadata generated and managed through the Services.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Registration Data: name, email address, company name, billing information when you create a Kevo account or subscribe to a paid plan.
  • API Configuration: publishable keys, webhook URLs, allowed origins, branding preferences, and project settings.
  • Support Communications: messages, feedback, or reports submitted through our support channels.

2.2 Information Collected Automatically

  • Usage & Analytics Data: API call logs, SDK initialization events, authentication events, wallet creation events, signing requests (metadata only, never plaintext payloads), feature usage, error logs, and performance metrics.
  • Device & Network Data: IP address, browser type & version, operating system, device identifiers, referrer URL, and timezone.
  • Cookies & Similar Technologies: session tokens, authentication cookies, preference cookies, and analytics cookies. See Section 9 for details.

2.3 End User Data Processed on Behalf of Customers

When End Users interact with a Customer's application using Kevo, we process certain data as a data processor on behalf of the Customer (acting as the data controller). This includes:

  • Authentication identifiers (email addresses, OAuth provider IDs, wallet addresses used for sign-in).
  • Wallet addresses derived and linked to the End User's account.
  • Transaction signatures and their metadata (chain ID, nonce, gas parameters); we never store or have access to plaintext private keys.
  • Session tokens and refresh tokens (encrypted at rest).

3. Cryptographic Key Material & Signing Architecture

Kevo uses a server-backed signing architecture with isolated signing boundaries. Wallet operations are gated by authenticated user sessions, project controls, and dedicated internal signing services.

  • Embedded EVM wallets for EVM-compatible chains.
  • Embedded Solana wallets for Solana.

Wallet material held by Kevo's infrastructure is encrypted at rest, and sensitive operations are gated behind auth, policy checks, and internal signer authentication. Kevo is infrastructure, not an exchange, broker, or investment service.

4. How We Use Your Information

We use collected information for the following purposes:

  • Service Delivery: to provision accounts, generate wallets, process signing requests, and deliver API functionality.
  • Authentication & Security: to verify identity, detect fraud, prevent unauthorized access, and enforce rate limits.
  • Billing & Compliance: to process payments, generate invoices, and comply with tax and financial reporting obligations.
  • Analytics & Improvements: to monitor service performance, debug issues, improve SDK stability, and develop new features.
  • Communications: to send service-related notices, security alerts, and (with your consent) product updates.
  • Legal Obligations: to comply with applicable laws, regulations, legal processes, or governmental requests.

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your data under the following legal bases:

| Legal Basis | Purpose |
| --- | --- |
| Contract Performance | Providing the Services, account management, billing |
| Legitimate Interest | Analytics, fraud prevention, security monitoring, service improvement |
| Legal Obligation | Tax reporting, AML compliance, responding to lawful requests |
| Consent | Marketing communications, optional cookies |

6. Data Sharing & Disclosure

We do not sell your Personal Data. We may share information with:

  • Service Providers: cloud hosting (encrypted infrastructure), payment processors, email delivery services, and analytics providers, each bound by data processing agreements.
  • Customers: we provide Customers with aggregated analytics and webhook events relating to their End Users' wallet activity as configured.
  • Legal Requirements: when required by law, subpoena, court order, or governmental regulation; to protect our legal rights; or to prevent fraud, security threats, or violations of our Terms.
  • Business Transfers: in connection with a merger, acquisition, reorganization, or sale of assets, subject to the acquiring entity honoring this Policy.

7. Data Retention

  • Account Data: retained for the duration of your account and for 90 days after a deletion request, unless longer retention is required by law.
  • API & Transaction Logs: retained for up to 12 months in identifiable form, then anonymized or deleted.
  • Key Material: encrypted wallet material is retained while the associated wallet is active. Upon account termination, it is securely destroyed within 30 days using cryptographic erasure.
  • Billing Records: retained for the period required by applicable tax and accounting laws (typically 7 years).

8. Data Security

We implement industry-standard technical and organizational measures, including:

  • AES-256-GCM encryption at rest for all key material and sensitive data.
  • TLS 1.3 for all data in transit.
  • Dedicated signing boundaries and internal request authentication.
  • Hardware-backed signer isolation for wallet key operations.
  • Role-based access controls, audit logging, and principle of least privilege.
  • Regular penetration testing and vulnerability assessments.
  • Incident response procedures with 72-hour breach notification (as required by GDPR Art. 33).

While we strive to protect your information, no electronic transmission or storage method is 100% secure. We cannot guarantee absolute security.

9. Cookies & Tracking Technologies

We use the following categories of cookies:

  • Strictly Necessary: authentication tokens, session management, CSRF protection. These cannot be disabled.
  • Functional: remembering preferences, language settings, and portal customizations.
  • Analytics: aggregated usage statistics to improve the Services. We use privacy-respecting analytics where possible.

We do not use third-party advertising trackers. You can manage cookie preferences through your browser settings or our cookie consent banner where applicable.

10. Your Rights

10.1 EEA, UK & Swiss Residents (GDPR)

You have the right to:

  • Access your Personal Data we hold.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten"), subject to legal retention obligations.
  • Restrict processing in certain circumstances.
  • Data Portability: receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw Consent at any time where processing is based on consent.
  • Lodge a Complaint with your local supervisory authority.

10.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what Personal Data is collected, used, and disclosed.
  • Request deletion of your Personal Data.
  • Opt out of the sale or sharing of Personal Data (we do not sell Personal Data).
  • Non-discrimination for exercising your privacy rights.

10.3 International Data Transfers

If we transfer data outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms. The security measures described in Section 8 apply regardless of where data is processed.

11. Blockchain Data Disclaimer

Transactions executed through Kevo-powered wallets are recorded on public blockchains. Blockchain data is immutable and publicly accessible. Kevo has no ability to delete, alter, or restrict access to on-chain transaction data. Wallet addresses and transaction histories visible on-chain are outside the scope of data deletion requests. This Policy applies only to off-chain data stored on Kevo infrastructure.

12. Children's Privacy

The Services are not directed to individuals under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect Personal Data from children. If we become aware that we have collected data from a child, we will promptly delete it and terminate the associated account.

13. Third-Party Services

The Services may contain links to or integrations with third-party services, blockchains, decentralized applications, or token contracts. We are not responsible for the privacy practices of third parties. We encourage you to review their privacy policies before interacting with them.

14. Changes to This Policy

We may update this Policy periodically. We will notify you of material changes by posting the updated Policy on our website and, where appropriate, by email or in-application notice at least 30 days prior to the effective date. Continued use of the Services after changes become effective constitutes acceptance of the revised Policy.

15. Data Protection Officer & Contact

For any questions about this Policy, to exercise your data rights, or to report a privacy concern, contact us at:

Kevo Labs

Email: [email protected]

Data Protection Inquiries: [email protected]

See also our Terms of Service.