Privacy Policy
Last updated: 18 July 2026
This Privacy Policy explains how Cesery LLC (“SDKey”, “we”, “us”), the operator of sdkey.dev, dash.sdkey.dev, docs.sdkey.dev, and api.sdkey.dev, processes personal data under the EU General Data Protection Regulation (GDPR) and related ePrivacy rules.
Controller: Cesery LLC, 96383 Bay View Dr, Fernandina Beach, FL 32034, United States. Contact for privacy requests: [email protected]. We aim to respond within 30 days.
1. Roles
- Cesery LLC is the controller for developer accounts (name, email, password hash, account settings, API key metadata, session cookies).
- Cesery LLC is the processor for end-user data that your applications send through our API (usernames, optional emails, HWIDs, IPs, security events), processed on your instructions. You are typically the controller for that data — see our Data Protection docs and Terms (Processor Addendum).
2. Data we process
- Developer account: name, email, password hash/salt, account mode, vault check blob, license mask defaults.
- Session: HttpOnly cookie
sdkey_session(JWT subject id, 7 days). - Developer API keys: name, prefix, hash, created/last-used/revoked timestamps (plaintext shown once).
- License inventory: key hashes/prefixes, optional notes, HWID bindings, last seen IP, status/tier.
- End users (processor): username, optional email, password hash, last IP/HWID, linked license.
- Security logs: event type, IP, country (CF-IPCountry), HWID, metadata — retained ~90 days then purged.
- Abuse controls: short-lived rate-limit counters keyed by IP in KV; Cloudflare Turnstile tokens on login/register.
- Infrastructure: Cloudflare Workers, Pages, D1, KV, and Observability (sampled) as subprocessors.
3. Purposes and legal bases (Art. 6)
- Contract (Art. 6(1)(b)) — create and operate your developer account, dashboard, and license APIs.
- Legitimate interests (Art. 6(1)(f)) — security, fraud/abuse prevention (Turnstile, rate limits, bans, security logs), service integrity. You may object where applicable.
- Legal obligation (Art. 6(1)(c)) — where we must retain or disclose data under applicable law.
- For end-user data as processor, the customer’s legal basis applies; we process only on documented instructions (API usage + Terms).
4. Cookies and similar technologies
See the Cookie notice. We do not use advertising or analytics cookies. Fonts are self-hosted (no Google Fonts CDN).
5. Recipients and international transfers
Primary infrastructure is Cloudflare, Inc. / Cloudflare entities (edge network may process requests globally). We rely on Cloudflare’s Data Processing Addendum and Standard Contractual Clauses / adequacy mechanisms as applicable. Turnstile verification is provided by Cloudflare. We do not sell personal data.
6. Retention
- Developer account data: until you delete the account or it is otherwise closed.
- Security logs: approximately 90 days, then automated purge.
- Rate-limit KV entries: ~60 seconds TTL.
- Session cookie / JWT: 7 days (or until logout).
- Consumed nonces: until expiry, then purged by the retention job.
- End-user and ban records: until you delete them or delete the parent application/account.
7. Your rights
Subject to GDPR conditions, you may request access, rectification, erasure, restriction, portability, and objection. Developers can use Settings → Export data / Update profile / Delete account, or email [email protected]. Customers (controllers) should use the Users export/delete APIs for their end users. You may lodge a complaint with your supervisory authority.
8. Security
Passwords are salted and hashed; API keys and Private-mode license keys are hashed at rest; session cookies are HttpOnly, Secure (HTTPS), SameSite=Lax. No security measure is perfect — report issues responsibly.
9. Children
The service is directed at developers and businesses, not children. Do not create accounts for anyone under 16 without appropriate authority.
10. Changes
We may update this policy; the “Last updated” date will change. Material changes will be highlighted on the site where practical.