The short version. We collect the minimum data needed to run Keyda: your account identifier, your notes (scoped to your account), encrypted BYOK API keys, AI request logs for usage analytics, and subscription/payment records. We don't read your keystrokes outside the AI features you trigger. AI Memory, your profile bio, profile photo, and clipboard history all stay on your device — they only travel to an AI provider when you actively make a call that needs them. On-device features (local models, image generation) stay on your device entirely.
"Keyda", "we", "us" and "our" refer to the operator of the Keyda keyboard application for iOS and Android and accompanying services (the "Service"). If you have questions about this policy, contact us at support@keyda.in or via the Contact page.
When you sign up with phone OTP, Sign in with Apple, or Google/Facebook (if enabled), we receive a stable provider identifier and, where you consent, your email, display name and phone number. We also generate a device identifier for your installation.
Keyda stores the following user content, always scoped to your authenticated user id:
user_notes table.The trial is opt-in: you must tap "Start Free Trial" inside the app. We then create a user_subscriptions row with status trialing, a 3-day window, and a 10-AI-use cap. We track:
When you have no active trial or paid plan, our backend returns a synthetic "no plan" entitlement (Cloud AI locked client-side) — no row is created until you tap Start Trial or purchase.
If you choose to use your own AI provider API key, we store it encrypted (AES-256-GCM) in our database tied to your user id. Decryption happens only at the moment we forward a request to your chosen provider. You can delete any stored key from the app at any time.
Each AI request you trigger (correction, rephrase, smart-assist, etc.) is logged with: provider, model, prompt, result, latency, success/failure, and your user id. These logs power usage analytics and your in-app "Token utilization" stats. Prompts and results are not shared with anyone outside the Service, and are not used to train any AI model.
Reading links you ask about. When you paste a web link and ask Keyda about it, our server fetches that publicly accessible page, extracts its text, and includes it in your AI request so the model can answer (for example, to summarise it). In the app, a small number of links that the page directly references may also be fetched; in the keyboard only the single page you paste is read. We fetch only the link you provide — we do not crawl the web or track your browsing — and the fetched text is processed exactly like any other prompt described above. This feature is on by default and can be turned off in Settings.
When you purchase a Lite or Pro plan, the transaction is processed by the Apple App Store (iOS) or Google Play (Android). We record the store-issued purchase identifier (such as the Apple original transaction id or Google purchase token), the product/plan code, billing period (monthly or yearly), and the purchase, renewal and expiry dates and status, which we validate against Apple's or Google's servers to keep your entitlement in sync. Your card, UPI, bank and other payment-instrument details are handled exclusively by Apple and Google — we never see or store them.
To diagnose issues and improve reliability we log activity events like sign-in, app foreground/background, theme change, and aggregated counts (e.g. characters corrected). These events are tied to your user id but do not contain the text you typed.
If you use the voice typing / voice assistant feature, Keyda accesses your microphone only while you are actively recording — you start it by tapping the mic, and it stops automatically after a short pause. Keyda never listens in the background. On iOS, Apple's platform rules prohibit third-party keyboards from accessing the microphone at all — a security restriction that applies to every keyboard on the system, not only Keyda. To comply with it, the recording is performed by the Keyda app, which transcribes your speech and hands only the resulting text back to the keyboard; the keyboard extension itself never touches the microphone. (On Android, where the platform permits it, recording happens within the keyboard, but the same data handling described below applies.)
Our marketing website keeps a simple, first-party visit log so we can see how many people reach the site and which pages and download buttons they use. For each visit we record the page path, referrer, any UTM campaign tags, your device/browser type, your IP address, and an approximate location (country, and where available region/city) that our server derives from that IP using an offline geo-IP database — there is no precise/GPS location, no location permission prompt, and no call to any third-party service. We use this only in aggregate to understand traffic and demand (for example, interest in the Android app before it launches). This applies to the website only and is unrelated to anything you type in the keyboard. The log uses no cookies and no third-party trackers, and honours your browser's Do Not Track signal.
| Purpose | Data used | Legal basis |
|---|---|---|
| Run the Service (auth, AI proxy, notes sync) | Account data, BYOK keys, AI logs | Performance of contract |
| Voice typing & voice assistant | Microphone audio (transcribed on-device/by Apple, not stored), resulting transcript | Consent (you tap the mic) |
| Process subscription payments | Apple App Store / Google Play purchase metadata | Performance of contract |
| Detect abuse, fraud, quota overruns | AI request logs, usage quotas | Legitimate interest |
| Improve product reliability | Activity events, error logs | Legitimate interest |
| Understand website traffic & demand | Page views, referrer/UTM, IP address & approximate (IP-derived) location | Legitimate interest |
| Respond to your support requests | Whatever you send us | Performance of contract |
We use a small number of processors strictly to deliver the Service. None of them are sold or rented your data.
We do not sell your personal data, and we do not run third-party advertising or behavioural-tracking SDKs.
Depending on where you live, you may have the right to access, correct, export or delete your personal data, restrict or object to certain processing, and withdraw consent at any time. To exercise any of these rights, email support@keyda.in. We respond within 30 days.
Indian users have these rights under the Digital Personal Data Protection Act, 2023 (DPDP Act). EU/UK users have them under the GDPR/UK GDPR. California users have them under the CCPA.
Keyda is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it.
We use HTTPS everywhere, AES-256-GCM at-rest encryption for BYOK keys, JWT-based authentication with short token lifetimes, and per-user data scoping so two accounts on the same device cannot read each other's content. We continuously monitor for vulnerabilities and apply security updates. No system is perfectly secure — please report any issue you discover to support@keyda.in.
Our servers may be located outside your country. By using the Service you consent to your data being processed in those regions, subject to the safeguards described in this policy.
We may update this policy. Material changes will be announced in-app and on this page. The "Last updated" date at the top of this page reflects the current version.
Questions or requests? Email support@keyda.in or use the Contact form.