KeyStack Privacy Policy

KeyStack collects no data. Everything stays on your Mac — encrypted in the Keychain, with zero network requests and no account required.

Last updated: June 27, 2026
App: KeyStack for macOS

Summary

KeyStack is a native macOS application published by NerdSnipe Inc. (“we,” “us,” or “our”). This Privacy Policy explains how KeyStack handles information when you use the app.

We do not collect, transmit, sell, or share any information from KeyStack users. The app makes no network requests, requires no account, and includes no analytics, advertising, or tracking software. All data remains on your Mac under your control.

For App Store Connect purposes: KeyStack collects no data as defined by Apple's App Privacy requirements.

Information we do not collect

KeyStack does not collect any of the following categories of data:

  • Contact information (name, email address, phone number)
  • Identifiers (device ID, advertising ID, user ID)
  • Location data
  • Financial information
  • Health or fitness data
  • Browsing or search history
  • Usage analytics, diagnostics, or crash reports sent to us
  • User content transmitted to our servers

We have no backend infrastructure for KeyStack. There is no sign-up flow, no cloud sync, no telemetry pipeline, and no database on our side that receives information from the app.

Information stored locally on your Mac

To function, KeyStack stores data exclusively on your device. This data never leaves your Mac unless you explicitly export it (for example, by saving a .env file).

Secret values — macOS Keychain

Environment variable values (such as API keys and passwords) are stored in the macOS Keychain under the service identifier cc.nerdsnipe.keystack. The Keychain is encrypted and managed by macOS. KeyStack accesses the Keychain only after you authenticate with Touch ID or your Mac login password. Values are stored with the “accessible when unlocked” attribute.

Vault metadata — local database

Non-secret metadata is stored in a local SQLite database at ~/Library/Application Support/KeyStack/vault.db. This includes:

  • Variable names and optional descriptions
  • Environment tags (Development, Staging, Production, Custom)
  • Project names and folder paths you associate with projects
  • Rotation schedule settings and timestamps
  • Links between variables and projects

Secret values are not written to this database. The database is created and maintained locally by the app and is not transmitted to NerdSnipe Inc. or any third party.

Network activity

KeyStack makes zero outbound network requests. The app does not connect to the internet, does not use iCloud sync, and does not communicate with any server operated by NerdSnipe Inc. or any third party while you use it.

If you choose to open an external link from the About screen (for example, our website or social profiles), that action is handled by your default web browser and is subject to that service's privacy practices — not this policy.

macOS permissions and system APIs

KeyStack uses the following macOS capabilities, all processed on-device:

  • LocalAuthentication — Touch ID or login password to unlock the vault for your current session. Biometric data is handled entirely by macOS and is never accessible to KeyStack.
  • Keychain Services — Secure storage and retrieval of secret values, as described above.
  • User Notifications — Optional local reminders when a secret's rotation interval is due. Notifications are scheduled and delivered by macOS; no notification content is sent to us.
  • File access (sandbox) — KeyStack is App Store sandboxed. It can read and write files only in folders you explicitly select through the system file picker (for import and export). The app cannot browse your filesystem without your permission.
  • Clipboard — When you copy a variable, KeyStack writes to the system clipboard. Copied secrets auto-clear from the clipboard after 30 seconds. Clipboard contents are managed by macOS and are not transmitted to us.

Third-party components

KeyStack includes GRDB, an open-source SQLite toolkit, for local database operations only. GRDB does not transmit data over the network as part of KeyStack's use. No third-party analytics, advertising, crash reporting, or tracking SDKs are included in the app.

Your purchase of KeyStack through the Mac App Store is processed by Apple. We do not receive your payment details. Apple's privacy policy governs that transaction.

Data you choose to export or delete

You control your data entirely. You may export variables to .env files, delete individual entries, or remove the app. Uninstalling KeyStack removes the local database from Application Support. Keychain entries associated with KeyStack can be removed by deleting the app and its associated keychain items, or through Keychain Access on your Mac.

Because we do not collect data, we cannot retrieve, restore, or delete vault contents on your behalf. Your vault exists only on the Mac where you created it.

Support requests

If you contact us through the KeyStack support page or by email, any information you voluntarily provide (such as your email address, macOS version, or a description of your issue) is used solely to respond to your request. That correspondence is separate from the KeyStack application itself and is not collected automatically by the app.

Children's privacy

KeyStack is a developer tool rated 4+ and is not directed at children under 13. We do not knowingly collect personal information from anyone, including children.

Legal basis and your rights

Because KeyStack does not collect personal information, there is no personal data for us to access, correct, port, or delete on our systems. Data protection laws such as PIPEDA (Canada), GDPR (European Union), and CCPA/CPRA (California) may still apply to voluntarily submitted support correspondence; contact us using the details below to exercise applicable rights regarding that communication.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. Material changes will be reflected here; continued use of KeyStack after an update constitutes acceptance of the revised policy.

Contact us

Questions about this Privacy Policy or KeyStack's privacy practices:

NerdSnipe Inc.
1000 Innovation Drive, Ottawa, ON, Canada
Email: hello@nerdsnipe.cc