Enterprise prospects needing a signed DPA or vendor-assessment answers can reach the privacy team at privacy@setuppasskeys.com.

Privacy Policy

Effective 22 April 2026. This page explains what data SetupPasskeys Ltd (trading as "SetupPasskeys", "we", "us", "our") collects when you use setuppasskeys.com, how we use it, and your rights under the UK/EU GDPR.

1. Who we are

SetupPasskeys Ltd, registered in Ireland. Data controller contact: privacy@setuppasskeys.com.

2. What we collect

Account data — when an admin signs up: email address, hashed password (via Supabase Auth), and the display name they enter.
Organisation configuration — branding (logo URL, accent colour, org name), passkey policy settings, support contact fields, and optional custom domain. Stored in Supabase and served to the branded guide URL.
Billing data — Stripe handles payment methods and card details directly; we only store Stripe's customer and subscription IDs and the current plan status. We never see or store card numbers.
Usage events — when an end user walks through a passkey registration guide we record anonymised events (vendor, step reached, completion, OS version string) so admins can see aggregate stats. No personal identifiers are attached.
Passkeys themselves — we do not store, see, or handle passkey secrets. Passkeys live on the end user's device and in Microsoft Entra ID. We guide the user through the registration flow; their credentials never pass through us.
Cookies and local storage — a Supabase auth session cookie for signed-in admins, plus a small localStorage record of the admin playground if used. No tracking cookies, no ad networks.

3. How we use it

Provide the service you signed up for.
Process payments through Stripe and manage subscriptions.
Send transactional emails (sign-up confirmation, post-purchase welcome, receipt).
Aggregate usage stats so admins can see their own org's rollout progress.
Detect and prevent abuse of the platform.

We do not sell data. We do not share data with advertisers.

4. Legal basis (UK/EU GDPR)

Account data and billing data: contract. Usage events (anonymised): legitimate interests (running the service). Transactional email: contract. Marketing email: we do not send marketing email without explicit consent.

5. Sub-processors we share with

Supabase — database + auth. Based in United States; SCCs in place.
Stripe — payments. Based in United States; SCCs in place.
Vercel — hosting + edge runtime. Based in United States; SCCs in place.
Resend — transactional email (post-purchase welcome, magic-link sign-in, billing notices, prospect outreach). Based in United States; DPA + SCCs in place.
Google (Gemini API) — AI screenshot diagnosis when an end-user uploads a screenshot to troubleshoot a stuck passkey registration. PII tokens are scrubbed from the response server-side; image bytes are not retained by Google for training per the Gemini API enterprise terms. Based in United States; DPA + SCCs in place.
Microsoft — public Entra-tenant branding lookup (customer domain only, no personal data) so a deployed organisation's logo and accent colour appear correctly on the branded URL.

5a. AI screenshot diagnosis

End-users who get stuck during passkey registration can optionally upload a screenshot of their screen for an AI-assisted diagnosis. The screenshot and a small bundle of context (device vendor, walkthrough position, org policy) are sent to the Gemini API. The response is sanitised server-side: any text resembling an email, phone number, or long identifier is replaced with an ellipsis before the diagnosis is rendered. The opt-in manual blur tool in the upload UI lets the user paint over any visual content they don't want sent. Per-event audit rows (device, confidence, severity, latency) are retained on a 24-month rolling window. Image bytes are not retained by Google for training per the Gemini API enterprise terms.

Screenshot retention for product review. When the AI generates a fresh diagnosis (i.e. the answer didn't already exist in our verified library), the original screenshot may be retained on the candidate library entry so a SetupPasskeys reviewer can craft a more accurate canonical answer for the next user with the same issue. We use this material strictly to improve the troubleshooter — never for marketing, never shared with third parties beyond the Gemini API call already described above. Screenshots on candidate rows are deleted automatically:

The moment a reviewer promotes the entry to the verified library or rejects it; or
30 days after the diagnose call, whichever comes first.

Each diagnose attempt has a "Help us improve by keeping this screenshot for product review" checkbox in the upload UI. Unchecking it sends the image to Gemini for the live diagnosis but skips the candidate-library store entirely. Customer admins can also flip the org-wide default off via org_config.ai_keep_screenshots_for_review for every diagnosis run on their tenant — useful for tenants under strict data-handling contracts. Either flag set to off prevents storage; the closed-loop still works on description + device fingerprint alone, just with less mockup-development signal.

6. How long we keep it

Account + org config: until you delete the org (kept for 30 days after deletion to allow recovery, then permanently removed).
Billing records: 7 years (tax/financial record-keeping law).
Usage events: 24 months rolling window.
Auth session cookies: 7 days.

7. Your rights

Under the UK/EU GDPR you can request access to your data, correction of inaccurate data, erasure, restriction of processing, data portability, and object to processing. Email privacy@setuppasskeys.com and we will respond within 30 days. You can also complain to the ICO (UK) or your local supervisory authority.

8. Security

All traffic is TLS 1.2+. Supabase enforces row-level security so an org admin can only read their own org's data. Stripe is PCI DSS Level 1 certified. Passwords are hashed with bcrypt via Supabase Auth.

9. Changes to this policy

If we make material changes we will email registered admins at least 30 days before they take effect. Minor updates (wording, contact details) are posted here with a new effective date.

10. Contact

Questions, requests, or complaints: privacy@setuppasskeys.com.