Privacy Policy
Written By Nils Bremdal-Vinell
Last updated: 17th March, 2026
This Privacy Policy explains how Key.Art ("Key.Art," "we," "us") processes personal data when you use our website (www.key.art) and our related application (www.key.art/app), services, tools and features (collectively, the "Services").
By using the Services, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree, please do not use the Services.
1. Controller and contact details
Data controller: Pentagram Film AB (Sweden), operating the Service under the Key.Art brand (until a dedicated operating company is established).
Address: Key.Art c/o Pentagram Film AB, Tre Liljor 3, 113 44 Stockholm, Sweden
Contact: support@key.art
Privacy contact: support@key.art
IP/Copyright contact: support@key.art
2. What personal data we collect
Depending on how you use the Service, we may collect:
2.1 Account data
Name (optional), email address
Username / account identifiers
Password (stored as a hash via our authentication provider)
2.2 Subscription and billing data
Plan type, subscription status, invoices/receipts
Payment confirmations and transaction references
Note: Payment details (such as full card numbers) are typically processed by our payment provider and/or merchant-of-record partner, not stored directly by us.
Payment provider / Merchant of record: Polar Software Inc.
2.3 Usage and device data
Log data (IP address, timestamps, pages viewed, feature usage)
Device and browser information
Approximate location derived from IP (country/city level)
2.4 Support and communications
Messages you send to support (email, chat)
Service emails we send (billing, security, account notices)
2.5 User content in the Service
Collections, saved searches, tags, notes, and other content you create in your account (not public unless you choose to share when sharing features exist).
3. Why we process personal data (purposes and legal bases)
We process personal data for the following purposes:
3.1 Provide the Service (contract)
Create and manage accounts
Authenticate users and provide features (collections, search, etc.)
Provide customer support
Legal basis: performance of a contract (or steps prior to entering a contract).
3.2 Security, fraud prevention, and service integrity (legitimate interests)
Prevent abuse, credential sharing, and unauthorized access
Maintain logs and detect incidents
Legal basis: legitimate interests in keeping the Service secure and reliable.
3.3 Billing and accounting (legal obligation / contract)
Process payments and maintain accounting records
Handle refunds where applicable
Legal basis: contract and/or legal obligation.
3.4 Improve and develop the Service (legitimate interests; consent where required)
Understand how the Service is used
Fix bugs and improve performance
Legal basis: legitimate interests; analytics cookies may require consent depending on your location and applicable law.
3.5 Marketing communications (consent or legitimate interests, depending on law)
Send product updates and offers where permitted
You can opt out at any time
Legal basis: consent or legitimate interests depending on context and applicable law.
4. How we share personal data
We share personal data only as necessary, including with:
Hosting / infrastructure providers: Supabase PostgreSQL database / DigitalOcean Spaces object storage
Authentication provider: Supabase Auth & Db
Analytics provider(s): Google Analytics / Polar Software Inc.
Email / customer support tools: CORDNET OÜ (d/b/a “Featurebase”)
Payment providers / merchant-of-record: Polar Software Inc.
Professional advisors (lawyers, auditors) as needed
Authorities if required by law or to protect rights/safety
We require service providers (processors) to protect personal data and use it only for providing services to us.
5. International transfers
If personal data is transferred outside the EU/EEA, we will use appropriate safeguards such as adequacy decisions or Standard Contractual Clauses (and additional measures where required).
6. Data retention
We keep personal data only as long as needed for the purposes described above, including while your account is active and as needed for legal, accounting, or dispute purposes.
7. Your rights
Depending on your location and applicable law (including EU/EEA users), you may have rights to:
access your personal data
correct inaccurate data
delete data
restrict or object to processing
data portability
withdraw consent (where processing is based on consent)
lodge a complaint with a supervisory authority
To exercise rights, contact support@key.art.
8. Security
We use appropriate technical and organizational measures to protect personal data. However, no system is 100% secure.
9. Children
The Service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided personal data to us, please contact support@key.art and we will take steps to delete such information.
10. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The "Last updated" date indicates when changes were made. If changes materially affect your rights, we will take reasonable steps to notify you.
11. Contact and complaints
Privacy questions: support@key.art
If you are in Sweden, you may also contact the Swedish supervisory authority (IMY) to lodge a complaint.