Privacy Policy

Last Updated: May 29, 2026

This Privacy Policy explains how FrontKey LLC ("Frontkey," "we," "us," or "our") collects, uses, discloses, and otherwise processes information when you visit frontkey.app or docs.frontkey.app, use app.frontkey.app, communicate with us, or otherwise interact with our websites, applications, and related services (collectively, the "Services").

1. Scope and Role Clarification

Frontkey provides software and related services. Our customers decide what files, documents, records, and personal information they upload to the Services.

When a customer uploads information about tenants, applicants, residents, owners, guarantors, contractors, vendors, or other third parties, the customer generally controls what is uploaded and why. As between Frontkey and the customer, the customer is responsible for providing any required notices, obtaining any required consents, permissions, authorizations, or other lawful bases, deciding what information to retain or delete, and complying with laws that apply to that information. Frontkey processes that information to provide, secure, maintain, and support the Services.

This Privacy Policy applies to information Frontkey processes in connection with the Services. It does not govern information processed by third parties under their own privacy policies, including payment processors, analytics providers, identity providers, or external websites and integrations.

2. Information We Collect

We may collect the following categories of information.

A. Information you provide directly

• account registration information, such as your name, email address, organization name, mailing address, phone number, and login credentials;
• profile information, settings, notification preferences, summary delivery time zone selections, and subscription selections;
• Customer Content you choose to upload, submit, store, send, or otherwise make available through the Services;
• communications you send to us, including support requests, messages, feedback, surveys, and other correspondence; and
• billing and transaction-related information, such as plan type, billing contact details, and limited payment information received from payment processors.

B. Information we collect automatically

• device, browser, and connection information, such as IP address, browser type, device type, operating system, language, time zone, and approximate location derived from IP;
• usage information, such as pages or screens viewed, features used, actions taken, referring URLs, dates and times of access, and crash or performance data;
• authentication, audit, security, and diagnostic logs, such as login attempts, account access events, administrative actions, session data, error logs, fraud signals, and troubleshooting records; and
• cookies, pixels, local storage, and similar technologies used for website functionality, preferences, analytics, security, and performance.

C. Information from third parties

• payment confirmation and limited transaction details from payment processors;
• information from service providers that help us operate the Services;
• information from identity, authentication, support, analytics, communications, infrastructure, storage, security, or productivity vendors that support our operations; and
• information another user provides about you if they invite you to the Services, add you to a property, unit, or tenancy record, send you property-related workflow communications, share content with you, or identify you in a record.

3. Customer-Controlled Sensitive Data

The Services may permit customers to upload files or records containing sensitive or high-risk information ("Customer-Controlled Sensitive Data"), such as:

• Social Security numbers and other government-issued identifiers;
• driver's license numbers, passport numbers, and tax IDs;
• bank account numbers, routing numbers, payment card details, and other financial account information;
• credit reports, tenant screening reports, background checks, consumer reports, criminal history reports, and eviction history reports;
• deeds, titles, legal records, and other documents containing personal information; and
• other information the customer chooses to upload that may be confidential, regulated, or sensitive.

Frontkey does not require customers to upload any particular category of Customer-Controlled Sensitive Data unless a specific feature expressly requests it. Customers decide whether to upload that information, and customers are responsible for the legality, necessity, accuracy, retention, deletion, and disclosure of that information.

Because customers control that information, if you are a tenant, applicant, resident, owner, guarantor, contractor, vendor, or other third party whose information was uploaded by a Frontkey customer, you should direct most privacy requests to that customer first. Frontkey will assist customers as required by law and contract.

4. How We Use Information

We may use information to:

• provide, operate, host, administer, maintain, and improve the Services;
• create and manage accounts and subscriptions;
• authenticate users and authorize access;
• process transactions and send billing, administrative, invitation, service, support, reminder, summary, and security communications;
• secure the Services, detect and prevent fraud, abuse, spam, and unauthorized activity, and investigate incidents;
• administer available notification preferences, summary time zone selections, and other communication settings;
• provide customer support and troubleshoot issues;
• monitor performance, debug problems, conduct analytics, and improve usability and reliability;
• publish and deliver shared Passport content and time-limited share links as directed by customers;
• comply with legal obligations, enforce our agreements, protect rights and safety, and respond to lawful requests; and
• create aggregated or de-identified information that does not reasonably identify a person, which we may use and disclose for lawful business purposes.

4.1 Invitations, Notifications, and Shared Pages

Frontkey customers may provide a recipient's email address to invite that person to a property, unit, or workflow. We may send invitation or follow-up operational emails to that recipient before the recipient creates a Frontkey account.

After account creation, available notification settings may allow users to enable or disable certain email categories, such as reminder emails or weekly summary emails. Frontkey may also apply default reminder or workflow settings to new accounts or roles and allow users to change available settings later. Some operational or security messages may remain non-optional where needed to provide the account, invitation, or workflow.

Frontkey customers acting as landlords or property managers may direct Frontkey to send tenants transactional property notices, such as scheduled maintenance, repair, or access notices, in connection with a property or tenancy. These notices are transactional and may be sent regardless of a tenant's optional calendar-event reminder preferences, subject to applicable suppression, lifecycle, plan, and rollout controls. Tenants may manage their own calendar reminders through available reminder settings or calendar feeds. Tenants are informed of this when they accept a property invitation.

Weekly summary emails may include property identifiers, event or reminder titles or types, and scheduled dates or times relevant to the recipient's enabled summary. Weekly summary emails are oriented to owner or staff accounts and are not sent to tenant-only accounts.

Customers may publish Passport content and create time-limited share links. Anyone with an active link can view the published shared page until the link expires or is revoked. Shared Passport responses are based on a published snapshot rather than a live draft view.

Customers are responsible for deciding what information to upload, publish, share, or send through these workflows and for obtaining any required notices, permissions, consents, authorizations, certifications, or other legal bases.

5. How We Disclose Information

We may disclose information:

• to vendors and service providers that perform services on our behalf, such as hosting, cloud storage, authentication, payment processing, customer support, email delivery, communications, security, analytics, and infrastructure providers;
• to your Authorized Users, invitation recipients, share-link recipients, and other persons or entities you instruct us to share information with through the Services;
• to professional advisors, auditors, insurers, lenders, and acquirers in connection with financing, due diligence, mergers, acquisitions, reorganizations, asset sales, or similar transactions;
• to law enforcement, courts, regulators, government authorities, or other third parties if we believe disclosure is required by law or reasonably necessary to protect rights, property, safety, or the Services;
• to investigate, prevent, or address fraud, abuse, security issues, or violations of law or our agreements; and
• with your consent or at your direction.

We do not sell or rent Customer Content.

6. Cookies and Similar Technologies

We use cookies and similar technologies to operate our websites, remember preferences, support security features, understand usage, and improve performance.

You can manage cookies through your browser settings. If we make a cookie preference tool available, you may use that tool to manage certain non-essential cookies. Disabling cookies may affect website functionality.

7. Product Analytics

We use PostHog as a product analytics service provider/subprocessor to understand how people use Frontkey and to improve the Services. The current app analytics project is configured for PostHog's U.S. Cloud.

After accepted analytics consent, PostHog product analytics receive only explicit, allowlisted usage events and limited service context, such as masked route patterns, the part of the Services being used, the service environment, dates and times of use, and pseudonymous identifiers. For signed-in app analytics, the identity is a server-generated analyticsId, not a Firebase UID, email address, name, or operational account identifier.

We do not use PostHog product analytics to collect raw IP addresses, GeoIP fields, postal codes, latitude/longitude, raw user agent strings, full URLs, query strings, referrer URLs, raw route IDs, property IDs, unit IDs, lease IDs, tenant IDs, ticket IDs, document IDs, invite tokens, share tokens, names, email addresses, phone numbers, account display names, page contents, form contents, documents, ticket content, message content, event notes, filenames, payment details, screen or viewport dimensions, exact browser or operating system versions, session replay, automatic click capture, automatic form capture, or automatic page-content capture.

PostHog may use first-party browser storage, such as localStorage or cookies, to remember analytics consent or capture state and a pseudonymous analytics identifier. This analytics storage is consent-gated according to Frontkey's analytics consent contract. It must not contain names, email addresses, operational IDs, ticket content, document content, full URLs, or precise location.

You can control product analytics through available cookie preferences. Browser-level controls may also limit cookies or similar technologies.

Product analytics records are retained for 12 months in PostHog. When you delete your account, Frontkey attempts to delete or suppress person-level PostHog data associated with your pseudonymous analytics identifier after local account deletion completes. Aggregate or deidentified analytics rollups may be retained.

Separate from PostHog product analytics, Frontkey may process raw IP addresses and related request metadata in security, fraud, abuse-prevention, rate-limit, audit, diagnostic, and infrastructure logs when needed to protect the Services, investigate incidents, troubleshoot problems, enforce our agreements, or comply with law. Access to those logs is restricted, and they are retained for limited periods based on operational, security, legal, and compliance needs.

8. Error Monitoring and Diagnostics

We may use Sentry as an error monitoring and diagnostic service provider/subprocessor to help detect, investigate, and repair crashes, performance-impacting errors, and service reliability issues in the Services. Sentry diagnostics are treated as essential service, security, and stability processing rather than product analytics, and may run before analytics consent so that we can identify serious errors even when analytics is declined.

Browser error monitoring is configured to minimize personal information. The current app setup disables Sentry's default personally identifiable information collection, strips request headers, cookies, body data, query strings, and URL fragments from captured error payloads, removes email addresses, usernames, and IP address fields from attached user payloads, redacts token-bearing shared links, scrubs navigation breadcrumb URLs, and drops console and user-interface breadcrumbs that could capture page text or form values. We do not use Sentry for product analytics, advertising, session replay, profiling, or automatic form-content capture.

Sentry may process technical diagnostic information such as error messages, stack traces, browser and operating-system family/version context, service environment, release identifier, page route without query strings, event timestamps, and limited request metadata needed to troubleshoot reliability issues. We use this information to provide, secure, maintain, debug, and improve the Services.

9. Retention

We retain information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, maintain account history, comply with law, resolve disputes, enforce agreements, detect and prevent abuse, and protect the Services.

Retention periods vary depending on the type of information and the reasons we need it. Customer Content may remain in backups, logs, or archival systems for a limited period after deletion from active systems. We may retain information longer when required or permitted by law.

Deleting an account or requesting deletion of certain information may remove the Auth account and some user-scoped records while leaving shared or property-scoped records, such as properties, memberships, invitations, tenancy groups, share links, logs, or backups, under the control of the relevant customer, property, or operational retention system until separately deleted, revoked, expired, archived, or retained as permitted or required by law.

10. Security

We use administrative, technical, and physical safeguards designed to protect information processed through the Services. These measures may include access controls, logging, encryption in transit, encryption at rest where implemented, authentication controls, vendor management, and other safeguards appropriate to the nature of the Services.

However, no method of transmission over the Internet, no cloud environment, and no electronic storage system is completely secure. We cannot guarantee absolute security.

If Frontkey identifies a security incident for which notice is required by applicable law, Frontkey will provide notice as required by law. Customers remain responsible for their own legal obligations relating to information they control, including obligations to evaluate, prepare, or send notices to tenants, applicants, residents, owners, guarantors, regulators, or others, to the maximum extent permitted by law.

11. Your Choices and Rights

Depending on how you interact with the Services and where you live, you may have some of the following choices or rights:

• access, update, or correct certain account information through the Services;
• opt out of marketing emails by using the unsubscribe link in those emails;
• request access to, correction of, deletion of, or a copy of certain personal information;
• request that we limit or object to certain processing where applicable law provides that right; and
• appeal a denial of a privacy request where applicable law requires an appeal process.

To submit a privacy request, contact contact@frontkey.app. We may need to verify your identity and authority before fulfilling a request. Some information may be exempt from a request under applicable law.

If you are making a request about information uploaded by one of our customers, we may direct you to that customer because the customer typically controls that information.

12. Marketing Communications

We may send you, or send at a customer's direction to a recipient identified by the customer, transactional, operational, support, security, invitation, reminder, and summary-related messages regarding an account, property, workflow, or the Services. Those messages are not promotional in nature, and you may not be able to opt out of them while they remain necessary to provide the relevant account, invitation, or workflow.

If you opt in to marketing communications, you can unsubscribe at any time using the instructions in the message.

13. Children's Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information directly from children under 13 through the Services.

14. International Use

Frontkey is based in the United States, and the Services are intended primarily for U.S. users. If you access the Services from outside the United States, your information may be transferred to, stored in, and processed in the United States and other countries where Frontkey or its service providers operate.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date above and, if required by law, provide additional notice.

We may also require acknowledgment or reacceptance of updated legal documents through the Services when appropriate.

16. Contact Us

FrontKey FrontKey LLC 2501 Chatham Rd #6541 Springfield, IL, 62704, USA Email: contact@frontkey.app