Privacy Policy
Last updated: May 29, 2026
1. Introduction
This Privacy Policy describes how Nitrotech Inc. ("Nitrotech", "we", "us", or "our"), the operator of ApexApi ("the Service"), collects, uses, and protects information when you use our API gateway service. We are committed to protecting your privacy and handling your data transparently.
For personal data of individuals in the European Economic Area (EEA) and the United Kingdom, Nitrotech Inc. acts as the data controller for account, billing, and dashboard data. Where you submit content through the API on behalf of your own end users, you act as the controller of that content and we process it on your behalf as a processor.
2. Information We Collect
Account Information
When you create an account, we collect your name, email address, and authentication credentials (via third-party OAuth providers such as GitHub or Google).
Payment Information
Payment processing is handled by Stripe. We do not store credit card numbers or full payment details. We receive and store Stripe customer IDs and transaction records.
API Usage Data
We store the following metadata for each API request:
- Timestamp and request duration
- Model used and token counts
- API key used (hashed, not plaintext)
- HTTP status code and error type (if any)
By default we do not store the content of your requests (your prompts) or responses (the model's output). If you explicitly enable request logging in your dashboard, we store your request content so you can inspect it; it is deleted within 30 days (see Data Retention below). We do not store response content.
Your IP address and User-Agent are processed transiently to enforce rate limits, detect abuse, and secure the Service. They are not retained in your request logs.
Dashboard Usage
We collect standard web analytics data including pages visited, browser type, approximate location derived from IP address, and session duration on our dashboard and marketing pages.
3. Legal Bases for Processing (EEA/UK)
If you are in the EEA or UK, we process your personal data under the following legal bases:
- Performance of a contract: to provide the Service, manage your account, and process payments.
- Legitimate interests: to secure the Service, prevent fraud and abuse, debug errors, and improve reliability, balanced against your rights.
- Consent: for optional marketing communications and non-essential analytics, where required. You may withdraw consent at any time.
- Legal obligation: to comply with tax, accounting, and other legal requirements.
4. How We Use Your Information
- To provide and maintain the Service
- To process payments and manage your credit balance
- To enforce rate limits and prevent abuse
- To calculate billing and generate usage reports
- To debug errors and improve service reliability
- To communicate important service updates
- To comply with legal obligations
5. Data Retention
- Request content (your prompts, only when you opt into request logging): Deleted within 30 days
- Usage metadata (model, token counts, costs, status, timestamps): Retained for the lifetime of your account
- Account information: Retained until account deletion
- Payment records: Retained as required by tax and financial regulations
We retain personal data only for as long as necessary for the purposes described in this policy or as required by law, after which it is deleted or anonymized.
6. How We Share Information
We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising. We disclose data only to:
- AI Providers: Your API request content is forwarded to the selected upstream provider to fulfill your request. Each provider has its own privacy policy.
- Stripe: Payment information for billing processing.
- Infrastructure providers: Hosting, database, caching, email, and monitoring vendors that process data under contract solely to operate the Service on our behalf (sub-processors).
- Corporate transactions: In connection with a merger, acquisition, financing, or sale of assets, data may transfer to a successor entity, subject to this policy.
- Legal compliance: When required by law, court order, or governmental request, or to protect our rights, users, or the public.
7. Third-Party AI Providers (e.g. Google Vertex AI)
Some AI models offered through ApexApi are served via Google Vertex AI as an authorized reseller channel. When you use these models, your prompts and the model's responses are processed by Google and by the model's publisher (for example, Anthropic for Claude models) under their respective terms of service. Request and response data may be retained on the Google Cloud side for abuse detection and investigation purposes, with a retention period set by Google. ApexApi does not access these logs except in response to a documented abuse investigation initiated by the publisher.
8. AI Model Training
We do not use your API request or response data to train AI models. Your content is used solely for request fulfillment, billing, and debugging purposes. Upstream providers may have their own data usage policies, which you should review.
9. International Data Transfers
We operate from the United States and use service providers and AI Model Providers located in the United States and other countries. When we transfer personal data from the EEA or UK to a country that has not received an adequacy decision, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum), to protect that data. You may contact us for more information about these safeguards.
10. Security
We implement industry-standard security measures including:
- API keys are SHA-256 hashed before storage
- All data in transit is encrypted via TLS
- Database connections use encrypted channels
- Access to production systems is restricted and audited
No method of transmission or storage is completely secure. In the event of a data breach affecting your personal data, we will notify you and any relevant authorities as required by applicable law.
11. Your Privacy Rights
Depending on where you live, you may have some or all of the following rights regarding your personal data:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your account and associated personal data
- Export or port your usage data
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
- Opt out of non-essential communications
EEA/UK (GDPR)
If you are in the EEA or UK, you may exercise the rights above and also have the right to lodge a complaint with your local data protection supervisory authority. We will respond to verified requests within the timeframe required by law (generally one month).
California (CCPA/CPRA)
California residents have the right to know what personal information we collect and how it is used and disclosed, to access and delete that information, to correct inaccurate information, and to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information. You have the right not to receive discriminatory treatment for exercising these rights.
To exercise any of these rights, contact us at privacy@apexapi.dev. We may need to verify your identity before fulfilling your request. You may use an authorized agent to submit a request on your behalf.
12. Cookies and Tracking
We use essential cookies for authentication and session management. We do not use third-party advertising or cross-site tracking cookies, and we do not use session-replay technology. Analytics cookies are used only on marketing pages and can be disabled in your browser settings.
13. Children
The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
14. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or dashboard notification at least 30 days before taking effect. The "Last updated" date above reflects the most recent revision.
15. Contact
For privacy-related questions or requests, contact Nitrotech Inc. at privacy@apexapi.dev.