Privacy Policy
Effective date: July 17, 2026
Who we are
WordKey Inc. ("WordKey", "we", "us") is a Delaware corporation that operates the WordKey authentication protocol, the wordkey.app websites and applications, and the WordKey SDK. This policy explains what we collect, what we deliberately do not collect, and the rights you have over your information.
Zero-knowledge by design
WordKey is built so that we cannot read your word — not "will not", but cannot.
- Your word is never stored in recoverable form. Your device converts your word into a one-way cryptographic hash before anything leaves it. The plaintext word is never transmitted to or stored on WordKey servers, and the hash cannot be reversed to reveal it.
- There is no password database. A breach of WordKey's systems would yield no credentials, because credentials in the traditional sense do not exist on our servers.
- Profile data stays on your device. Optional WordKey Profile information (such as autofill details) is stored encrypted on your device only and is never stored on WordKey servers. It is shared with a site only when you explicitly consent, and it flows directly from your device to that site.
The minimal data we do hold
Running the service requires a small amount of data:
- Business accounts: company name, contact name, email address, and billing records for paid plans (payment card details are processed by our payment provider, Stripe, and never touch WordKey servers).
- Waitlist emails: the email address you give us when you join the waitlist. We use it to send your invite and nothing else — no marketing, no resale.
- Authentication event metadata: records that an authentication occurred — timestamps, the site involved, and device identifiers — used for security monitoring, roaming approvals, and business billing. This metadata never includes your word.
- Founding Partner applications: the business and contact details submitted with an application.
Cookies
We use strictly necessary cookies only: session cookies that keep you signed in to the consumer app, business portal, or admin panel. We do not use advertising cookies, cross-site tracking cookies, or third-party analytics trackers on wordkey.app.
How we use information
We use the data above to operate and secure the service, notify you of security-relevant events (such as a word change), invite you from the waitlist, and bill business accounts. We do not sell personal information, and we do not use it for advertising.
Your rights (GDPR & CCPA)
Depending on where you live — including the European Economic Area, the United Kingdom, and California — you may have the right to:
- access the personal information we hold about you;
- correct inaccurate information;
- request deletion of your information;
- receive a portable copy of your information;
- opt out of any sale or sharing of personal information (we do not sell or share personal information as defined by the CCPA); and
- not be discriminated against for exercising any of these rights.
To exercise any of these rights, email privacy@wordkey.app. We will respond within the timeframes required by applicable law. Note that because words are stored only as one-way hashes, we cannot look up or disclose anyone's word — including your own.
Retention and security
We keep business account and billing records for as long as the account is active and as required for tax and accounting purposes. Waitlist emails are deleted after your invite is redeemed or on request. Authentication metadata is retained for security and billing, then aged out. All data in our systems is encrypted in transit and at rest.
Children
WordKey is not directed at children under 13, and we do not knowingly collect personal information from them.
Changes to this policy
If we make material changes, we will update the effective date above and, where required, notify business account holders by email.
Contact
WordKey Inc.
Email: privacy@wordkey.app