Data Handling Notice
Document 04 of 5 · Last reviewed:
This notice describes what data keyrotate collects, where it goes, how long it is kept, and what rights you have over it. It applies to both the marketing website and the CLI tool. The bottom line: we do not collect personal data through the tool itself, and we collect the minimum possible on the website.
The keyrotate CLI
The CLI does not collect any data. It does not make HTTP requests to any keyrotate-controlled server. There is no telemetry, no error reporting, no usage analytics, and no auto-update check. All operational state — your configuration, your rotation history — lives only on the machine where you run the tool.
Network calls made by the CLI
During a rotation, the CLI makes outbound HTTPS calls only to:
- The upstream provider you are rotating a key for (e.g. api.openai.com), to verify the new key.
- The destinations you have configured (e.g. api.github.com, api.netlify.com) — usually delegated to that destination's official CLI.
That is all. No traffic flows to keyrotate or BotFlow Lab.
Local files written by the CLI
- ~/.config/keyrotate/audit.log — JSONL log of rotation outcomes. Records timestamp, provider, destinations attempted/succeeded/failed, verifier result, your local username. Never the key value. Mode 0600.
- Any .env files you configure as destinations — written with mode 0600.
The marketing website (keyrotate.dev)
The site is a static page hosted on Netlify. We do not run analytics, advertising trackers, cookies, or fingerprinting.
What Netlify automatically logs
- Your IP address (for abuse prevention and basic request routing).
- The page URL you requested, your User-Agent string, the Referer header, and the response status.
- Standard CDN access logs, retained by Netlify for up to 30 days under their access-log retention policy.
BotFlow Lab does not export, archive, or analyze these logs except where needed to respond to a security incident or comply with law. See Netlify's Privacy Notice for their full data handling.
What the website does not do
- No cookies.
- No third-party analytics, advertising, or tracking scripts.
- No newsletter signup, no account creation, no form submissions.
- No social-media embeds that beacon back to their hosts.
Your rights
Because we collect essentially nothing tied to you, we usually cannot honor an "access" or "deletion" request — there is no record to retrieve. If you believe Netlify holds CDN logs about your requests to keyrotate.dev and you wish to exercise GDPR / CCPA / PDPA rights over those logs, contact privacy@keyrotate.dev and we will coordinate with Netlify on your behalf.
Children
keyrotate is a security utility for operators and developers. It is not directed at children under 13 and we do not knowingly collect data from them.
Changes
We may update this notice. Material changes will be reflected in the "Last reviewed" date at the top and announced via the GitHub repository.