Service Related:

Last updated 4/14/24

BatchKeys (“BatchKeys”) operates several websites and services including Batchkeys.com and related subdomains. It is BatchKeys’s policy to respect your privacy regarding any information we may collect while operating our services.

To offer greater privacy and control of data for individuals who use or are stored within our services, we will apply the GDPR to all individuals who are stored within or use our services, whether inside or outside of the EU.

We believe in the GDPR and in increased privacy for everyone.

In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). GDPR is a significant change in data protection regulation in the EU and replaces the existing legal framework (the Data Protection Directive and the various member state laws).

The GDPR is a comprehensive set of regulations that dictates what companies like BatchKeys must do in order to properly protect our customers’ data. Even though we are not a European company, we have many customers in the EU and we fully comply with these regulations. This document explains in simple terms what we’re doing in order to ensure compliance.

Note: The full GDPR regulations are extremely long and complicated. This isn’t meant to be a comprehensive list of every single thing we do to protect your data, but rather it’s a simple summary so that you can have a good idea of the protections we have in place. Please feel free to reach out to us if you have questions about specific items that aren’t addressed here.

GDPR defines three parties, which we will reference throughout this document:

Data Subject – This is the person about whom data is being stored and used. Any user that you store within our systems (i.e. your customer) is a data subject. You are also a data subject, because you have an account with BatchKeys (i.e. you’re our customer).
Data Controller – This is the person or company that is using the data that’s being stored. You (our customer, and a user of BatchKeys) are a data controller. We are also a data controller, concerning your personal data, because you have an account with BatchKeys.
Data Processor – These are companies that create tools to actually store and take advantage of the data. We (BatchKeys) are a data processor.

The data Controller and Processor both have different responsibilities to ensure that we are acting legally and ethically. This document explains what we do to comply with GDPR as a Processor, and how we use the data we collect, but you should keep in mind that you also have responsibilities to the people who’s information you store using BatchKeys

1.4. Technical security

As a company focused on software licensing, our customers entrust us with very important data for their businesses. Keeping your data secure and private is of the utmost importance, and so we are careful to follow industry best practices.

If you have questions or concerns, reach out to us at security@Batchkeys.com.

1.5. Data Transfer

BatchKeys complies with certain legal frameworks relating to the transfer of data from the European Economic Area, the United Kingdom, and Switzerland (collectively, EU) to the United States. When BatchKeys engages in such transfers, BatchKeys relies on Standard Contractual Clauses as the legal mechanism to help ensure your rights and protections travel with your personal information. To learn more about the European Commission’s decisions on international data transfer, see this article on the European Commission website.

1.6. Data Processing Addendum

GDPR requires that we have a contract, called a Data Processing Addendum (DPA), with our customers which specifies things like how we process data, that we will assist you in your GDPR obligations to your customers, etc. In our case, our Data Processing Addendum is our standard Terms of Service, which applies to all of our customers, including you.

To obtain a copy of our Data Processing Addendum, please reach out to legal@Batchkeys.com, or visit the page listed above.

1.6.1. Changes to our DPA; other DPAs

To ensure no inconsistent or additional terms are imposed on us beyond that reflected in our standard DPA and model clauses, we cannot agree to sign customers’ DPAs. As a small team we also can’t make individual changes to our DPA since we don’t have a legal team on staff. Any changes to the standard DPA would require legal counsel and a lot of back and forth discussion that would be cost prohibitive for our team.

1.7. Data Processing Officer

We have appointed a Data Protection Officer. They may be contacted at legal@Batchkeys.com.

1.8. Data Breach Notification Plan

We work hard to keep our software secure so that there are no data breaches, but in the event that there is a data breach, we have a plan in place that fully complies with the requirements laid out by GDPR. You can read our full plan below, but the basic idea is that if we become aware of a data breach, we will notify any of our customers who may have been impacted, and provide them with the appropriate information so that they can also comply with their responsibilities as a Data Controller.

The specifics of our response to a data breach would of course depend on the details of the breach itself (the method of the breach, what data was compromised, etc.) but here is an outline of how we will approach the situation:

1.8.1. Identifying a breach

The first step in responding to a data breach is knowing that one has happened in the first place. We monitor the status of our security with technology (running penetration tests and network scans) as well as policy (training employees on what to look out for, making sure issues are escalated appropriately).

If we ever identify a breach, or even notice something out of the ordinary that justifies investigation, we will take the following steps:

1.8.2. Assigning roles and responsibility

At any company, the best way to ensure that an issue is taken seriously is to make sure that it has the attention of top leadership. BatchKeys has one individual who will personally handle all security concerns. They will be responsible for organizing the company-wide response, assigning roles, and ensuring that we do everything outlined in this document and more to handle the situation as thoroughly as possible.

Every member of the company knows that if there is ever a security concern, the issue should go directly to the CEO without any delay.

1.8.3. Investigate the type and scope of the breach

Breaches can happen in many different ways. They can be the result of a technical or social failing on our end. In many cases, the customer may have been tricked into giving their login information to the attacker, and it might not be the result of insecurity in the software at all.

In order to decide how to respond to a breach, we must first understand how the breach happened. We will seek to answer the following questions as quickly as possible:

Was there some sort of failure of our technology or processes that enabled the breach?
What data was accessed?
What was (or might have been) done with the data? I.e. deleting data is different from exporting it outside our server.
How many users were impacted?

1.8.4. Address immediate threats

If we find that the breach is caused by a customer’s login information being compromised (e.g. two business partners are fighting over ownership of the business and one steals the other’s account login information) we will shut down API access for the account in question until we are confident that the rightful owner is the only one with access. In some cases this can take several days or longer as there may be legal issues outside of our control that must be adjudicated first.

If we determine that the breach occurred due to an vulnerability on our end, we will work to fix whatever the vulnerability was as quickly as possible to prevent further damage. If a situation like this ever arises, every employee at BatchKeys who can be helpful will treat this as their top priority and set aside any other responsibilities until the problem is resolved.

1.8.5. Notify the appropriate parties of the breach

This step will depend heavily on the details of the breach. For example, in a situation where a specific user is phished, they will likely already know about the breach, and it wouldn’t impact any of our other customers. But if our entire database is compromised by a hacker, that would potentially impact all of our users (our customers, as well as your customers).

Our general guideline is that if there’s a reasonable possibility that the breach will have a negative impact on a customer, we will notify them quickly. “Quickly” can mean different things depending on how long it takes us to conclude our investigation, but when possible, our goal would be to send notifications no more than 72 hours after we become aware of the issue.

1.8.6. Your responsibilities

Note: If you or your customers are in the EU then you may be subject to the GDPR data breach notification rules. This basically means that if you are storing private information about a person in our systems and that data is breached, you may be responsible for notifying that person the same way we are responsible for notifying you (this is true with any service you use, not just us). If this happens, we will work with you to make sure that you have all the information possible so that you can comply with the GDPR.

1.9. Trusted third-party services we may use

We may share data with the following third-parties as necessary, also known as Subprocessors under GDPR, so that we can offer our services to you, and so that we know how to continue improving our services to remain valuable to you. Note that just because a company is on this list does not mean we currently use them or share any data with them. The main purpose of this list is to future proof your expectations of us. Nor is this list fully extensive. Please contact us for a complete and up to date list.

Cloudflare for DNS and reverse proxy
Fastly for WAF and DDoS mitigation
Stripe for payment processing
Fathom for privacy-first analytics
Rewardful for affiliate program
Papertrail for log management
Sentry for error and performance monitoring
IPInfo for IP geolocation and threat data (e.g. to determine if you’re from the EU, using the TOR network, etc.)
SendGrid for sending transactional email
Heroku for some hosting infrastructure
AWS for some hosting infrastructure
Shock Hosting for some hosting infrastructure
Zapier for workflow automation
Analytics for analytics

1.10. Information we collect on our customers (i.e. you)

If you have a BatchKeys account, we are the Controller of your personal information (PI). The data below is stored locally within our systems (unless noted otherwise), and may also be stored in a third-party service listed above. All logs are scrubbed of sensitive info (passwords, tokens, etc.) locally before being sent over the wire.

1.10.1. Personal information and unique identifiers

Unique user and account IDs
Unique Stripe customer and subscription IDs
Stripe price ID’s of purchased plans
Stripe hosted invoice URL
First name
Last name
Email
Hashed password
Company name
Credit/debit card information (data is stored securely by Stripe, not our local servers)
IP address for API rate limiting
IP address via API request logs
Date/time of resources being accessed via API request logs

1.11. Information we store on your customers

We are the Processor of your customers’ data (the licensed users of your software products), you are the Controller of said data. We never share your customers’ data with any third-parties outside of our log management services and other infrastructure-related services.

1.11.1. Personal information and unique identifiers

IP address for API rate limiting
IP address via API request logs
Date/time of resources being accessed via the API
Amount of times a resource has been accessed via the API
Amount of tokens used on a key via the API (optional, for times where you send consume commands to token-based keys)
Domain names of the web server / website keys are used on (optional, for domain based locking)
UUIDs of a device that keys are used on (optional, for UUID based locking)

1.12. Data retention

All of the above data for both our customers and your customers could be included within our logs (e.g. within database query logs, request logs, databases, etc.), backups, and within temporary storage (e.g. caching systems, etc.), which we keep.

1.13. Data subject rights

Our customers and your customers, the Data Subjects, are entitled through their Data Subject Rights (DSR) to change, and permanently delete (“Right To Be Forgotten”) all their data from our systems.

If we receive a request from one of your customers (a Data Subject) to access, change, export, or delete their data stored within our systems, we, the Processor, will forward the request to you, the Controller, without delay. You have the ability to request the handling of said data as requested by the Data Subject. Note that doing so may cause your customers, a Data Subject, keys to stop functioning temporarily or permanently.

We, the Processor, will not change, export, or delete data on or for any of your customers, a Data Subject, unless it is required by law or by our Terms of Service, or unless we have received documented instruction from you, the Controller, to do so.

DSR requests can include personal data of other individuals, like your employees or customers that you have provided to us and who have requested this of you. We will respond to these requests within 30 days or less, which is within the GDPR requirement.

DSR requests may be sent to legal@Batchkeys.com.

1.14. Lawful basis for processing

GDPR requires that we establish that our data processing is legally justified. They give a variety of reasons it might be valid, and the following is the one that applies to us:

…processing is necessary for the purposes of the legitimate interests pursued by the controller…

Our interpretation of this is that you, as the Controller, have legitimate business interests in using our services to license, distribute and sell your products, and we’re assisting you in pursuing those interests. Keep in mind that this only applies so long as the Controller (you) respects the individual rights of the Data Subjects.

We only collect data that is necessary for the purposes of making our services valuable to you.

1.15. Your responsibilities

As explained above, we are in the role of Data Processor and you are the Data Controller. If you store your customers’ information in our systems, you are still responsible for being compliant as a Controller of your customers’ data. (This would be true regardless of what licensing service you use, so there’s no avoiding it.)

If you’re concerned that you aren’t in compliance, we encourage you to research this topic in more detail, but a good starting point is to ensure that you honor the individual rights laid out in the GDPR regulations to your customers. We encourage everyone to seek appropriate legal counsel if they feel it is need before using our, or any such, services.

As part of our commitment to remaining GDPR compliant and respecting the privacy of our users, we will revisit this document at least once per year to ensure that all of the information is accurate and up-to-date. If you have questions or concerns, contact us at legal@Batchkeys.com.

2. General

2.1. Website visitors

Like most website operators, BatchKeys collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request.

Our purpose in collecting non-personally identifying information is to better understand how BatchKeys’s visitors use its website and to better provide related content to its visitors. From time to time, BatchKeys may release non-personally-identifying information in the aggregate, e.g., by publishing a report on trends in the usage of its website.

We also collect potentially personally-identifying information like Internet Protocol (IP) addresses for all API users, as well as for Dashboard users (what information is collected is detailed in 1.10. and 1.11.).

2.2. Aggregated statistics

BatchKeys may collect statistics about the behavior of visitors to its websites. BatchKeys may display this information publicly or provide it to others. However, BatchKeys does not disclose personally-identifying information other than as described below.

2.3. Cookies

A cookie is a string of information that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns. BatchKeys uses cookies to help BatchKeys identify and track visitors, their usage of BatchKeys’s website, and their website access preferences.

BatchKeys visitors who do not wish to have any cookies placed on their computers should set their browsers to refuse cookies before using BatchKeys’s websites, with the drawback that certain features of BatchKeys’s websites may not function properly without the aid of cookies.

For example, you may not be able to log into your BatchKeys account’s Dashboard without cookies enabled, for technical reasons.

2.3.1. Cookies we set

We set remember_me cookies so you don’t need to login every time you use the Dashboard, which includes related cookies which determine how long the previously mentioned session cookie is valid for.
We use session data storage to keep you logged in and pass necessary data from one page to another inside of our website.
If you use our WordPress website, we use its standard cookies.
If you use our Hesk Help Center, we use its standard cookies.

Other cookies may be set by our trusted third-parties.

2.4. Disclosure of personal information

We do not sell, trade, or otherwise transfer your information to third-parties. This does not include sharing a limited subset of your information with trusted third-parties (our Subprocessors, which are outlined in 1.9.), who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to process this information in accordance with their DPA.

Personal Information may be disclosed in limited circumstances, including, but not limited to meeting any applicable law, regulation, legal process, or enforceable governmental request; the investigation of potential violations; addressing fraud, security, or technical issues; to protect and defend the rights or property of BatchKeys; or in an emergency threatening an individual’s life, health, or security. We reserve the right to disclose your personal information as required by law or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process.

2.5. Third-party content

Third-party content appearing on any of our websites may be delivered to users by partners, who may set cookies. These cookies allow the partner to recognize your computer each time you interact with the content to compile information about you or others who use your computer. This Privacy Policy covers the use of cookies by BatchKeys and does not cover the use of cookies by any partners.

2.6. COPPA compliance

We are in compliance with the requirements of COPPA (Children’s Online Privacy Protection Act), we do not collect any information from anyone under 13 years of age. The Act was passed by the U.S. Congress in 1998 and took effect in April 2000. COPPA is managed by the Federal Trade Commission (FTC). Our website, products and services are all directed to people who are at least 13 years old or older. If you are under 13 years old, you cannot use our services.

2.7. Business transfers

If BatchKeys, or substantially all of its assets were acquired, or in the unlikely event that BatchKeys goes out of business or enters bankruptcy, user information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of BatchKeys may continue to use your personal information as set forth in this policy.

2.8. Privacy Policy changes

We may change this privacy policy from time to time. We will post any privacy policy changes on this page and, if the changes are significant, we will provide a more prominent notice by adding a notice within the Services, your Dashboard, or by sending you an email notification. We will also keep prior versions of this Privacy Policy available for your review. We encourage you to review our privacy policy whenever you use the Services to stay informed about our information practices and the ways you can help protect your privacy.

If you disagree with any changes to this privacy policy, you will need to stop using the Services and deactivate your account(s), as outlined above.

2.9. Terms of Service

Please also visit our Terms of Service section establishing the use, disclaimers, and limitations of liability governing the use of our services.

2.10. Contact

If there are any questions regarding this document, you may contact us at legal@Batchkeys.com.

3. WordPress Content Related:

3.1 Who we are

Our website address is: https://batchkeys.com.

3.2 Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

3.3 Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

3.4 Content-Related Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

3.5 Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

3.6 Who we share your data with

If you request a password reset, your IP address will be included in the reset email.

3.7 How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

3.8 What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

3.9 Where your data is sent

Visitor comments may be checked through an automated spam detection service.