Privacy Policy

Last updated: April 19, 2026

Summary

NoxKey does not collect, transmit, or store any personal data on our servers. Your secrets stay in the macOS Keychain on your device and never leave your Mac unless you explicitly export them.

Who We Are

NoxKey is built and operated by No Box Dev, an independent software studio based in the Netherlands. This Privacy Policy describes how the NoxKey app, CLI, MCP server, browser extension, and the noxkey.ai website handle information.

Data Storage on Your Device

All credentials are stored in the macOS Data Protection Keychain, protected by the Secure Enclave and gated by biometric authentication (or your device passcode as fallback). NoxKey does not have its own database, cloud service, or remote storage for your secrets.

Metadata such as organization and project names, secret types, and usage counts is stored locally in your app's sandboxed container. It never leaves your Mac.

Audit Log

NoxKey keeps a local audit log of secret access events on your Mac for your own review. This log is never transmitted and can be cleared at any time from the app.

Network Connections from the App

The NoxKey app is sandboxed without the network client entitlement. macOS blocks all outbound network connections from the app at the kernel level. The app cannot make HTTP requests, DNS lookups, or any other form of network communication on its own.

When you click "Register" or open a link in the app, it opens a URL in your default web browser. That is a browser navigation — not a connection initiated by the NoxKey app process.

Information We Collect When You Use noxkey.ai

The noxkey.ai website is served by Cloudflare. Cloudflare logs request metadata (IP address, user agent, URL path, timestamp) for security and abuse prevention in line with its privacy policy. We do not operate analytics, advertising trackers, cookies, or fingerprinting on the site.

Optional Email Registration

You may voluntarily register an email address on noxkey.ai to receive security alerts about NoxKey (for example, a disclosed vulnerability that requires an update). If you register:

• Your email is stored in our email capture database (Cloudflare D1) along with the signup source.
• Alerts are sent via Postmark, an email service provider.
• You can request deletion at any time by emailing [email protected].

Registration is entirely voluntary. NoxKey works without it.

What We Don't Collect

• No usage analytics or telemetry from the app
• No crash reports (unless you file one manually)
• No device identifiers or fingerprinting
• No secret values, key names, or usage metadata
• No location data

Your Rights (GDPR / EU Residents)

If you are in the European Economic Area or the United Kingdom, you have the right to access, correct, delete, or port any personal data we hold about you (which, in practice, is limited to a registered email address and Cloudflare request logs). You can exercise these rights by emailing [email protected].

Children

NoxKey is a developer tool and is not directed at children under 13. We do not knowingly collect personal information from children.

Third-Party Services

NoxKey does not integrate with any third-party analytics, advertising, or tracking services. Website hosting (Cloudflare) and optional email delivery (Postmark) are the only third parties that may process data we handle, and only for the limited purposes described above.

Open Source

NoxKey is open source under the MIT license. You can audit every line of code at github.com/No-Box-Dev/Noxkey.

Changes to This Policy

We may update this policy from time to time. Material changes will be reflected by updating the "Last updated" date. We will not retroactively reduce your rights without your consent.

Contact

Questions about this policy or your data: [email protected]