Privacy Policy

1. What We Collect

• Email address (for account login and communication)
• Password (stored as an Argon2id hash -- we never store plaintext)
• API request logs: timestamps, endpoints called, response times
• IP addresses (for rate limiting and abuse prevention, not tracking)
• Stripe customer ID (links your account to your payment history)

2. How We Use It

Your data is used for: account authentication, API access authorization, usage analytics (aggregate, not individual tracking), abuse prevention, and billing reconciliation.

3. Third-Party Services

Stripe processes payments. When you purchase credits, Stripe receives your email and payment information under their privacy policy. We never see or store your card number.

Resend delivers transactional emails (verification codes, password resets). They receive your email address under their privacy policy.

We do not use Google Analytics, Facebook Pixel, or any third-party tracking or advertising services.

4. Data Retention

• Account data: retained while your account is active
• API request logs: retained for 90 days
• After account deletion request: all data deleted within 30 days

5. Cookies

We use one essential httpOnly session cookie for authentication. No tracking cookies, no analytics cookies, no third-party cookies. See our Cookie Disclosure for details.

6. Your Rights -- GDPR

If you are in the European Economic Area, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Erase your data ("right to be forgotten")
• Port your data to another service
• Restrict processing of your data
• Object to processing of your data

To exercise any of these rights, email support@apimesh.xyz.

7. Your Rights -- CCPA

If you are a California resident, you have the right to:

• Know what personal information we collect and how it's used
• Delete your personal information
• Opt out of the sale of personal information (we do not sell your data)

We do not operate financial incentive programs tied to personal data.

8. Data Security

We protect your data with: Argon2id password hashing, HTTPS-only connections, per-IP rate limiting, CSRF protection, httpOnly secure session cookies, and regular security reviews.

9. International Transfers

Data is stored on Hetzner servers. If you are outside the server's jurisdiction, your data may be transferred internationally. We rely on standard contractual clauses where applicable.

10. Children

APIMesh is not intended for use by anyone under the age of 13. We do not knowingly collect data from children.

11. Changes

We will notify you of material changes via email at least 30 days before they take effect.

12. Contact

For privacy inquiries: support@apimesh.xyz

Data Protection Officer: privacy@apimesh.xyz