Data protection for integrators
How SDKey processes personal data for your end users, and which APIs support GDPR access and erasure when you are the controller.
Roles
For developer accounts, Cesery LLC (96383 Bay View Dr, Fernandina Beach, FL 32034; operator of SDKey) is the controller. For end-user data sent through client register/login/upgrade and license validate (username, email, HWID, IP, security logs), you are typically the controller and Cesery LLC is the processor under our Terms (Processor Addendum).
You must provide your own privacy notice and legal basis to end users before collecting their data through your app.
What we store for end users
app_users— username, optional email, password hash, last IP/HWID, linked licenselicenses— HWID binding, last seen IPsecurity_logs— IP, country, HWID, event metadata (~90 day retention, then purged)application_bans— banned IP or HWID values
Helping with data-subject requests
Use these authenticated dashboard / Bearer API endpoints:
- Export users —
GET /api/v1/apps/:id/users/export - Delete a user —
DELETE /api/v1/apps/:id/users/:userId - List / search users —
GET /api/v1/apps/:id/users
curl -sS https://api.sdkey.dev/api/v1/apps/$APP_ID/users/export \ -H "Authorization: Bearer $SDKEY_TOKEN"
curl -sS -X DELETE https://api.sdkey.dev/api/v1/apps/$APP_ID/users/$USER_ID \ -H "Authorization: Bearer $SDKEY_TOKEN"
Deleting a user removes the app_users row. It does not automatically revoke the linked license or clear historical security logs (logs expire via retention). Ban a license separately if needed.
Developer account rights
Developers can export or delete their own account under Settings, or via GET /api/v1/account/export and POST /api/v1/account/delete. See also the public Privacy Policy on sdkey.dev.
Subprocessors
Cloudflare provides hosting, edge compute, D1, KV, Turnstile, and sampled observability. Fonts are self-hosted. Details: Privacy Policy on sdkey.dev.