Privacy Policy

Last updated: February 21, 2026

1. Information We Collect

We collect the minimum information necessary to provide, secure, and improve the Service:

  • Account information: Email address and hashed password (Argon2id) provided during registration.
  • API keys: We store a SHA-256 hash of your API key and a short prefix for identification. The full key is shown only once at creation and is never stored in plaintext.
  • Usage metrics: Request counts, error counts, bytes transferred, and endpoint access patterns, aggregated hourly per API key.
  • Server logs: IP addresses, user agent strings, request timestamps, and response status codes recorded in server access logs.
  • Payment information: Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other payment credentials. We store only your Stripe customer ID and subscription ID for billing management.
  • OAuth profile data: If you sign in via GitHub, we receive your email address from GitHub. We do not access your repositories, code, or other GitHub data.

2. How We Use Your Information

  • Authentication: Verifying your identity and authorizing API access.
  • Billing: Calculating subscription fees, metered overage charges, and processing payments through Stripe.
  • Rate limiting: Enforcing per-key request limits based on your subscription tier.
  • Abuse prevention: Detecting and preventing unauthorized access, credential stuffing, denial-of-service attacks, and Terms of Service violations.
  • Service improvement: Analyzing aggregate usage patterns to improve API performance, reliability, and feature prioritization. We do not sell, rent, or share individual usage data with third parties.
  • Communication: Sending transactional emails related to your account (e.g., password resets, billing receipts, service status notifications). We do not send marketing emails without your explicit opt-in consent.

3. Data Retention

  • Server access logs: Retained for 90 days, then automatically deleted.
  • API usage metrics: Retained for the lifetime of your account.
  • Account data: Retained until you request account deletion.
  • Database backups: Rolling 30-day retention. Older backups are automatically deleted.
  • Stripe records: Payment and invoice records are retained by Stripe in accordance with their data retention policies and applicable financial regulations.

4. Third-Party Service Providers

We share data with the following third-party processors solely to operate the Service:

  • Stripe (San Francisco, CA): Payment processing, subscription management, and invoice generation.
  • Hetzner (Germany): Infrastructure hosting for API servers, databases, and application services.
  • Vercel (San Francisco, CA): Website hosting and content delivery.
  • GitHub (San Francisco, CA): OAuth authentication provider (optional, only if you choose to sign in via GitHub).

We do not sell, rent, or share your personal data with data brokers, advertisers, or any other third parties.

5. Cookies and Local Storage

  • Session cookies: We use a session cookie set by NextAuth.js for authentication. This cookie is strictly necessary for the Service to function and expires when your session ends or after 24 hours.
  • No tracking cookies: We do not use advertising cookies, analytics cookies, or any third-party tracking technologies.
  • No fingerprinting: We do not use browser fingerprinting or any other persistent identification techniques beyond session cookies.

6. Data Security

We implement industry-standard security measures to protect your data:

  • All API traffic is encrypted in transit using TLS 1.2+.
  • Passwords are hashed using Argon2id with per-user random salts.
  • API keys are stored as SHA-256 hashes — the plaintext key is never retained after initial creation.
  • Authentication tokens use HMAC-SHA256 (HS256) with configurable secrets.
  • Administrative access uses constant-time comparison to prevent timing attacks.
  • Infrastructure is protected by firewall rules (UFW), intrusion detection (fail2ban), and regular security updates.

7. Your Rights

You have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate personal data.
  • Deletion: Request deletion of your account and associated personal data. Contact support@hyperlightapi.xyz to initiate account deletion. We will process your request within 30 days.
  • Data portability: Your API usage data is accessible via the API itself. You may export your usage history at any time through the authenticated usage endpoint.
  • Withdraw consent: Where processing is based on consent, you may withdraw consent at any time by contacting us.

8. European Users (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland:

  • Lawful basis: We process your personal data under the following legal bases: (a) contract performance — providing the API service you subscribed to; (b) legitimate interest — abuse prevention, security, and service improvement; (c) legal obligation — financial record keeping.
  • Data residency: Infrastructure is hosted on Hetzner in Germany (EU). Database backups remain within the EU.
  • Data Processing Agreement: A DPA is available upon request for Enterprise customers. Contact support@hyperlightapi.xyz.
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority.

9. Age Restrictions

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete the information promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account at least 30 days before taking effect. Continued use of the Service after changes become effective constitutes acceptance of the revised policy. The “Last updated” date at the top of this page reflects the most recent revision.

11. Contact Us

For questions about this Privacy Policy, data requests, or privacy concerns, contact us at support@hyperlightapi.xyz.