Privacy Policy

1. Data Controller

Metamorphic Services Limited ("we", "us", "our") is the data controller responsible for your personal information.

Registered office: London, United Kingdom

Contact: privacy@thekeystone.ai

2. Information We Collect

We collect the following categories of personal data through this website:

2.1 Contact Form Submissions

• Data collected: Name, email address, company name, message content

• Storage: Supabase database (contact_submissions table)

• Purpose: Responding to enquiries and customer service

• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

2.2 Early Access Programme Signups

• Data collected: Email address, company name, role

• Storage: Supabase database (early_access_entries table)

• Purpose: Programme communications and product launch notifications

• Legal basis: Consent (Art. 6(1)(a) GDPR)

2.3 Security Document Requests

• Data collected: Email address, company name, and (for NDA-gated documents) full name and reason for request

• Storage: Supabase database (security_doc_requests table)

• Purpose: Secure document delivery and access control

• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

2.4 Cookie Consent Preferences

• Data collected: Cookie category preferences (necessary, analytics, functional)

• Storage: Browser localStorage

• Purpose: Respecting user privacy preferences and GDPR compliance

• Legal basis: Legal obligation (Art. 6(1)(c) GDPR)

2.5 Analytics Data (Consent-Gated)

• Data collected: Page views, user journeys, session recordings, device information, browser type

• Processors: Google Analytics 4, Hotjar, Vercel Analytics

• Purpose: Understanding user behavior to improve website experience

• Legal basis: Consent (Art. 6(1)(a) GDPR)

• Note: These scripts only load after explicit user consent

2.6 Error Tracking Data (Legitimate Interest)

• Data collected: Error context, stack traces, browser information, user actions leading to error

• Processor: Sentry

• Purpose: Identifying and fixing technical issues to maintain service quality

• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

• Note: Not consent-gated as it is essential for service quality and security

2.7 CAPTCHA Verification

• Data collected: IP address, browser fingerprint

• Processor: Cloudflare Turnstile

• Purpose: Security verification and bot prevention

• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

3. Data Processors and International Transfers

We use the following third-party processors to operate this website. Where processors are located outside the UK/EU, we ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) or adequacy decisions.

Processor	Purpose	Location
Supabase (EU region eu-west-1)	Database, authentication, and data storage	European Union (Ireland)
Resend	Transactional email delivery	United States
Google Analytics 4	Website analytics and user behavior tracking (consent-gated)	United States
Hotjar	User behavior analytics and session recordings (consent-gated)	European Union
Vercel	Hosting, edge functions, and analytics (consent-gated)	United States
Cloudflare	CDN and Turnstile CAPTCHA for security verification	Global
Sentry	Error tracking and performance monitoring (legitimate interest)	United States

4. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected:

• Contact form submissions: 2 years from submission date

• Early access signups: Until the programme ends or you unsubscribe

• Security document requests: Until the request is fulfilled, then 90 days

• Cookie consent preferences: 12 months, then re-prompted

• Analytics data: As per processor defaults (Google Analytics: 14 months, Hotjar: 365 days)

• Error tracking data: 90 days

5. Your Rights

Under GDPR and UK data protection law, you have the following rights:

• **Right of access**: Request a copy of your personal data

• **Right to rectification**: Correct inaccurate or incomplete data

• **Right to erasure**: Request deletion of your personal data

• **Right to data portability**: Receive your data in a structured, machine-readable format

• **Right to object**: Object to processing based on legitimate interest

• **Right to restrict processing**: Limit how we use your data

• **Right to withdraw consent**: Withdraw consent at any time (where consent is the legal basis)

To exercise any of these rights, contact us at privacy@thekeystone.ai

6. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

• All data in transit is encrypted using TLS 1.3

• Database hosted in Supabase EU region with encryption at rest

• Access controls and role-based permissions

• Regular security monitoring via Sentry

• CSRF protection on all forms

• Cloudflare Turnstile CAPTCHA to prevent abuse

7. Marketing Communications

We will only send you marketing emails if you have explicitly opted in (e.g., via early access signup).

All marketing emails include an unsubscribe link. You can opt out at any time without affecting other services.

8. Children's Privacy

This website is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children.

9. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email (if we have your contact details) or a prominent notice on the website.

10. Contact and Complaints

Privacy enquiries: privacy@thekeystone.ai

Data controller: Metamorphic Services Limited, London, United Kingdom

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or your local data protection authority.

2. Information We Collect

We collect the following categories of personal data through this website:

2.1 Contact Form Submissions

• Data collected: Name, email address, company name, message content

• Storage: Supabase database (contact_submissions table)

• Purpose: Responding to enquiries and customer service

• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

2.2 Early Access Programme Signups

• Data collected: Email address, company name, role

• Storage: Supabase database (early_access_entries table)

• Purpose: Programme communications and product launch notifications

• Legal basis: Consent (Art. 6(1)(a) GDPR)

2.3 Security Document Requests

• Data collected: Email address, company name, and (for NDA-gated documents) full name and reason for request

• Storage: Supabase database (security_doc_requests table)

• Purpose: Secure document delivery and access control

• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

2.4 Cookie Consent Preferences

• Data collected: Cookie category preferences (necessary, analytics, functional)

• Storage: Browser localStorage

• Purpose: Respecting user privacy preferences and GDPR compliance

• Legal basis: Legal obligation (Art. 6(1)(c) GDPR)

2.5 Analytics Data (Consent-Gated)

• Data collected: Page views, user journeys, session recordings, device information, browser type

• Processors: Google Analytics 4, Hotjar, Vercel Analytics

• Purpose: Understanding user behavior to improve website experience

• Legal basis: Consent (Art. 6(1)(a) GDPR)

• Note: These scripts only load after explicit user consent

2.6 Error Tracking Data (Legitimate Interest)

• Data collected: Error context, stack traces, browser information, user actions leading to error

• Processor: Sentry

• Purpose: Identifying and fixing technical issues to maintain service quality

• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

• Note: Not consent-gated as it is essential for service quality and security

2.7 CAPTCHA Verification

• Data collected: IP address, browser fingerprint

• Processor: Cloudflare Turnstile

• Purpose: Security verification and bot prevention

• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

3. Data Processors and International Transfers

Processor	Purpose	Location
Supabase (EU region eu-west-1)	Database, authentication, and data storage	European Union (Ireland)
Resend	Transactional email delivery	United States
Google Analytics 4	Website analytics and user behavior tracking (consent-gated)	United States
Hotjar	User behavior analytics and session recordings (consent-gated)	European Union
Vercel	Hosting, edge functions, and analytics (consent-gated)	United States
Cloudflare	CDN and Turnstile CAPTCHA for security verification	Global
Sentry	Error tracking and performance monitoring (legitimate interest)	United States

4. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected:

• Contact form submissions: 2 years from submission date

• Early access signups: Until the programme ends or you unsubscribe

• Security document requests: Until the request is fulfilled, then 90 days

• Cookie consent preferences: 12 months, then re-prompted

• Analytics data: As per processor defaults (Google Analytics: 14 months, Hotjar: 365 days)

• Error tracking data: 90 days

5. Your Rights

Under GDPR and UK data protection law, you have the following rights:

• **Right of access**: Request a copy of your personal data

• **Right to rectification**: Correct inaccurate or incomplete data

• **Right to erasure**: Request deletion of your personal data

• **Right to data portability**: Receive your data in a structured, machine-readable format

• **Right to object**: Object to processing based on legitimate interest

• **Right to restrict processing**: Limit how we use your data

• **Right to withdraw consent**: Withdraw consent at any time (where consent is the legal basis)

To exercise any of these rights, contact us at privacy@thekeystone.ai

6. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

• All data in transit is encrypted using TLS 1.3

• Database hosted in Supabase EU region with encryption at rest

• Access controls and role-based permissions

• Regular security monitoring via Sentry

• CSRF protection on all forms

• Cloudflare Turnstile CAPTCHA to prevent abuse

DRAFT — Pending Legal Review

1. Data Controller

2. Information We Collect

3. Data Processors and International Transfers

4. Data Retention

5. Your Rights

6. Data Security

7. Marketing Communications

8. Children's Privacy

9. Changes to This Policy

10. Contact and Complaints

DRAFT — Pending Legal Review

Privacy Policy

1. Data Controller

2. Information We Collect

3. Data Processors and International Transfers

4. Data Retention

5. Your Rights

6. Data Security

7. Marketing Communications

8. Children's Privacy

9. Changes to This Policy

10. Contact and Complaints