Privacy Policy
Plain language, no tricks.
Last updated: March 2026 — Kief Studio LLC, Shrewsbury, Massachusetts
Overview
kief.dev is operated by Kief Studio LLC, a cybersecurity and developer tools company based in Shrewsbury, Massachusetts. This site provides two things: free developer tools that require no account, and Vekt, a supply chain security product with paid tiers. This policy covers both. The short version: we collect very little, we don't sell anything, and most of what passes through our systems is never written to disk.
Analytics
We use Plausible Analytics, hosted in the EU. Plausible is cookieless -- it sets no cookies, stores no personal data, and cannot track individual users across sessions or sites. It gives us page views and referrer data in aggregate. No Google Analytics. No Facebook Pixel. No tracking scripts from ad networks. Plausible is fully GDPR compliant by design.
Developer tools
The free tools on kief.dev (DNS lookup, SSL checker, security header analyzer, encoder/decoder, diff tools, and others) require no account and store nothing. Any input you provide is processed server-side to fulfill the request and then discarded. We do not log tool inputs, outputs, or the content of any queries you make. If a tool uses AI (powered by OpenRouter), your input is sent to the model provider for inference and immediately discarded -- we never log it, and it is not used to train models.
Vekt API
The Vekt API requires an API key. When you submit a lockfile or manifest for scanning, the package content is processed in memory and never persisted to disk or a database. What we do log for each API request:
- Your API key ID (a short identifier, not the key itself)
- Package ecosystem and count (e.g., "npm, 312 packages")
- Request latency
- A hashed /24 IP subnet for abuse detection (e.g., 192.168.1.x hashed -- not your full IP)
Package names and versions are not retained beyond the duration of the request. We use OSV.dev (operated by Google) as our vulnerability data source. Package identifiers are sent to OSV.dev to query for known vulnerabilities; their privacy policy applies to those requests.
Vekt browser extension
The Vekt browser extension detects package registries (npm, PyPI, crates.io, etc.) and enriches package pages with security data. It transmits only three things to our API: the package ecosystem, the package name, and the package version. Nothing else. Specifically, the extension never transmits:
- Browsing history or URLs outside of recognized registry pages
- Page content, DOM data, or screenshots
- Cookies or localStorage
- Any data about pages that are not recognized package registry pages
The extension works in incognito/private browsing mode without storing any state. It uses the GitHub API for repository enrichment data (stars, issues, last commit) on npm packages that link to GitHub. GitHub's privacy policy governs those requests.
Blog and newsletter
The kief.dev blog runs on Ghost. Reading posts requires no account. If you subscribe to the newsletter, Ghost uses a magic link flow -- you provide your email address, we store it for the purpose of sending you the newsletter, and you can unsubscribe or request deletion at any time. Email us at [email protected] and we will delete your address within 30 days.
Payments
All payment processing is handled by Stripe (PCI DSS Level 1 certified). We never see or store your card number, CVV, or bank details. What we store on our side: your Stripe customer ID, your active subscription ID, and the plan tier you are on. That is it.
CRM and internal tracking
When you sign up for a Vekt account or make a purchase, your name and email address are sent to our internal outreach CRM and a private Discord channel for internal tracking and follow-up. This is so we can onboard you properly and reach out if there are issues with your account. We do not share this data with third parties and do not use it for unsolicited marketing beyond service-related communications.
What we do not collect
To be explicit about the things we do not collect:
- Browsing history (the extension never touches this)
- Lockfile or package contents beyond the duration of a scan request
- Tool inputs or outputs from the free developer tools
- Cookies used for tracking (Plausible is cookieless)
- Device fingerprints or canvas fingerprints
- Cross-site tracking data of any kind
Third-party services
Services we use and what data they may receive:
- Plausible Analytics (EU) -- anonymous aggregate traffic data
- Stripe (US) -- payment information for paid plans
- OSV.dev (Google) -- package identifiers during Vekt scans
- OpenRouter -- AI tool inputs (processed for inference, not retained)
- GitHub API -- package names for repository enrichment in the browser extension
Your rights
Under GDPR (if you are in the EU) and CCPA (if you are in California), you have the right to access, correct, delete, and port your personal data. To exercise any of these rights, email [email protected]. We will respond within 30 days. Because we collect very little personal data, most requests are straightforward.
Data retention
- API usage logs (key ID, package count, latency, hashed subnet): 90 days, then automatically deleted
- Email and account data: retained until you request deletion
- Analytics: aggregated only, no individual data retained at any point
- Tool inputs and scan content: never written to disk, not retained
Children
kief.dev is not intended for children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has submitted personal data through this site, contact us at [email protected] and we will delete it promptly.
Changes to this policy
We will update this page if our data practices change in any meaningful way. Check the "last updated" date at the top to know if anything has changed since you last read it. We will not make retroactive changes that weaken your privacy protections without notice.
Questions about this policy? Email [email protected]. For general questions, join us on Discord.