PlainKey AS (NO 937 528 779) ("PlainKey", "we", "us") provides a passkeys-only authentication service for developers and organisations.
This Privacy Policy explains what personal data we process, why we process it, and your rights under the General Data Protection Regulation ("GDPR") and the Norwegian Personal Data Act (LOV-2018-06-15-38).
PlainKey is designed as a European-first authentication service, with GDPR considerations built into the architecture from the start. We aim to minimise personal data, clearly separate data controller and processor roles, and provide transparency around how data is handled.
1. Who we are
Service name: PlainKey Operator: PlainKey AS (NO 937 528 779) Location: Norway Contact: privacy@plainkey.io
PlainKey is the data controller for personal data processed in connection with our website and customer accounts.
When PlainKey is used by customers to authenticate their own end users, PlainKey acts as a data processor on behalf of the customer.
2. Data roles and responsibilities
PlainKey processes personal data in two distinct contexts:
2.1 PlainKey customers (account holders)
When individuals or organisations create an account with PlainKey, PlainKey acts as the data controller for personal data related to those customer accounts.
This includes data such as:
- name
- email address
- company information
- authenticator metadata required for authentication security
- public key credential data (WebAuthn credentials), authentication challenges, and other data used for authentication
- authentication event data, including IP address and User-Agent (device) data
- account and project metadata
This data is processed to provide, operate, and secure the PlainKey service.
2.2 End users of PlainKey customers
When PlainKey is used to enable passkey authentication for a customer's application, PlainKey processes authentication data on behalf of the customer.
In this context:
- the customer is the data controller
- PlainKey acts as a data processor
PlainKey processes only the data required to perform authentication, such as:
- user identifiers (e.g. username or email, as provided by the customer)
- public key credential data (WebAuthn credentials), authentication challenges, and other data used for authentication
- authenticator metadata required for authentication security
- authentication event data, including IP address and User-Agent (device) data
This data is processed to provide, operate, and secure the PlainKey service.
PlainKey does not manage end-user identities, user profiles, or application sessions. Customers remain fully responsible for identity management, session handling, and communication with their end users.
3. What data we do not process
PlainKey does not:
- store passwords
- store private cryptographic keys
- sell personal data
- use personal data for advertising
- track end users across unrelated websites
Private authentication keys remain securely on the user's device or platform authenticator.
4. Legal basis for processing
PlainKey processes personal data under the following GDPR legal bases:
- Contract - Article 6(1)(b) - to provide and operate the PlainKey service (contractual obligations between PlainKey and its customers)
- Legitimate interests - Article 6(1)(f) - to maintain security, prevent abuse, and improve reliability (to protect the security and integrity of the PlainKey service)
- Legal obligations - Article 6(1)(c) - where required by applicable law (to comply with legal obligations such as data protection laws)
5. International data transfers
PlainKey follows a Europe-first infrastructure approach. We prioritise EU regions and GDPR safeguards when selecting infrastructure providers. Personal data is currently stored and processed on servers located in Germany, hosted by Hetzner Online GmbH, an EU-based provider.
If personal data is ever transferred outside the EEA, appropriate safeguards (such as Standard Contractual Clauses) will be applied in accordance with GDPR requirements.
6. Data retention
PlainKey retains personal data only for as long as necessary:
- customer account data is retained until deletion is requested or required for legal reasons
- authentication credential data is retained while the customer uses the service
- logs are retained for a limited period for security, debugging, and abuse prevention
7. Security measures
PlainKey implements appropriate technical and organisational measures to protect personal data, including:
- encryption in transit (TLS)
- authenticated and restricted access to production systems
- least-privilege access principles
- logging and monitoring for security and abuse prevention
Security practices are continuously reviewed and improved as the service evolves.
8. Data Processing Agreement (DPA)
When acting as a data processor for customer end users, PlainKey provides a Data Processing Agreement (DPA) upon request. Contact us at privacy@plainkey.io.
9. Your rights
Under the GDPR and the Norwegian Personal Data Act, individuals have the right to:
- access their personal data
- request correction or deletion
- object to processing
- request restriction of processing
- data portability
- lodge a complaint with a supervisory authority
Requests may be sent to privacy@plainkey.io.
Where PlainKey acts as a data processor, end users should generally direct privacy-related requests to the relevant customer, who acts as the data controller for that data.
10. Changes to this policy
We reserve the right to update this Privacy Policy as PlainKey evolves. The most recent version will always be available on this page.