Privacy Policy

Last updated: 2026-05-06

This is a placeholder Privacy Policy. Replace with text reviewed by legal counsel before going to production. The text below is a starting outline only and does not constitute legal advice.

1. What we collect

• Account info: email and (optional) name when you register.
• Usage: per-API-key call counts, status codes, latency. No request bodies are stored.
• Payment: handled entirely by Stripe; we never see your card number.
• Server logs: IP, user agent, response codes, retained 30 days.
• Cookies: a single session cookie issued by Auth.js, plus Cloudflare's bot-detection cookie.

2. How we use it

• Operate the Service and enforce plan quotas.
• Bill paid plans (Stripe handles processing).
• Respond to support requests.
• Detect abuse (rate limiting, signup throttling).

3. Who we share it with

We share data only with sub-processors necessary to operate the Service:

• Stripe — payment processing
• Cloudflare — CDN, WAF, Turnstile bot challenge
• Supabase — managed Postgres database
• Upstash — managed Redis cache
• Vercel — Next.js hosting
• Fly.io — API + workers hosting

We do not sell your data and do not share it for advertising.

4. Your rights (GDPR / CCPA)

You can request export or deletion of your account data by emailing support. Account deletions are processed within 30 days. Aggregated, anonymised usage statistics may be retained for analytics.

5. Data retention

• Account data: until you delete the account, plus 30 days for backup expiry.
• Usage logs: rolling 30-day window for daily counts.
• Server logs: 30 days.

6. Security

• All traffic encrypted with TLS 1.3.
• API keys stored as HMAC-SHA256 hashes (never plaintext).
• Passwords stored with argon2id.

7. Contact

Privacy questions or data requests: contact us.