PRIVACY POLICY
Last updated: May 2, 2026
1. Privacy Philosophy
APIBuilderHQ is built on a no-login, privacy-first model. We collect as little data as possible, and we do not require an account to use the core Service.
2. Beta Notice
APIBuilderHQ is currently in beta. This Privacy Policy may evolve as the Service matures. Material changes will be communicated through the Service or by email to Pro subscribers.
3. No Account Required
Your collections, environments, request history, saved requests, and API keys are stored exclusively in your browser's localStorage. This data never leaves your device unless you explicitly send a request to a third-party API, in which case the request is transmitted through our serverless proxy to its intended destination.
4. Data We Collect
For free-tier users, we collect:
- A SHA-256 hash of your IP address, used solely to enforce free-tier rate limits (3 AI generations per 30 days).
- Standard server logs from our hosting provider (Vercel), which may include IP addresses, request timestamps, user agents, and HTTP status codes, retained per Vercel's standard retention policy.
For Pro subscribers, we additionally collect:
- Your email address, provided at Stripe checkout.
- Your Stripe customer ID.
- An irreversible hash of your email address, mapped to your Stripe customer ID, stored in Upstash Redis to enable magic link account recovery.
- Stripe payment metadata, processed and stored by Stripe (we never see your card details).
We do not collect or store usage analytics, telemetry, request bodies, request headers, or response data on our servers.
5. Third-Party Service Providers
We use the following third-party services to operate the Service. Each is bound by its own privacy practices:
- Stripe, Inc. — payment processing, subscription management, customer data
- OpenAI, L.L.C. — AI generation processing for Pro subscribers (your prompts are transmitted to OpenAI's API and processed under OpenAI's terms)
- Resend, Inc. — transactional email delivery (magic link recovery emails to Pro subscribers)
- Upstash, Inc. — Redis storage for rate-limit hashes, email-to-customer mapping (hashed), and short-lived magic link tokens
- Vercel, Inc. — hosting, edge functions, server logs, and CDN
We do not share your information with any third parties beyond what is necessary to operate the Service as described above.
6. AI Generation Feature
When you use the AI Generate feature, the text prompt you enter is transmitted to OpenAI's API for processing. We do not store these prompts on our servers. OpenAI processes prompts under its own terms of service and privacy policy.
Important: Do not include real API keys, passwords, tokens, personal information, or any sensitive credentials in AI generation prompts. Use placeholder values such as {{API_KEY}} instead. We cannot prevent OpenAI from processing data you submit, and prompts containing real credentials may pose a security risk.
7. Magic Link Authentication
For Pro subscribers, we offer a magic link recovery system that allows you to restore your Pro access on a new device. When you request a magic link:
- We send a one-time, single-use token to your email via Resend.
- The token is stored in Upstash Redis with a fifteen (15) minute expiration and is deleted upon use.
- We never store passwords; the email address you provide at Stripe checkout is used solely for delivery of the magic link.
8. Cookies and Local Storage
We use browser localStorage to store your authentication token (Pro subscribers), saved requests, environments, variables, and user preferences. This data stays on your device. We do not use tracking cookies. The only analytics we use is Vercel Analytics, which is cookieless and does not track individual users; we use no other third-party analytics.
9. We Do Not Sell Your Data
We do not sell, rent, lease, or trade your personal information to any third party for marketing or advertising purposes. We do not use your data to train AI models.
10. Data Retention
- IP hashes (free tier rate limits): automatically expire 30 days after creation.
- Email-to-customer mapping (Pro): retained while your Pro subscription is active; deleted within 90 days after cancellation.
- Magic link tokens: automatically expire and delete within 15 minutes.
- Stripe payment data: retained by Stripe per their retention policy.
- Server logs (Vercel): retained per Vercel's standard policy (typically 30 days).
You may request deletion of your data at any time by emailing hello@apibuilderhq.com.
11. Your Rights
Regardless of where you are located, you may:
- Request access to the data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data.
- Cancel your Pro subscription at any time through the Customer Portal.
To exercise these rights, email hello@apibuilderhq.com. We will respond within thirty (30) days.
12. EU/EEA and UK Users (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and equivalent laws, including:
- The right to data portability.
- The right to restrict or object to processing.
- The right to lodge a complaint with your local data protection authority.
Our legal basis for processing your data is: (a) contract performance for Pro subscription billing and feature delivery; (b) legitimate interest for fraud prevention, rate limiting, and security; and (c) consent for any optional features that may be added in the future.
International data transfers occur because our service providers (Stripe, OpenAI, Resend, Upstash, Vercel) are located in the United States. These transfers are protected by Standard Contractual Clauses where applicable.
13. California Users (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to delete it, and the right to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise your rights, email hello@apibuilderhq.com.
14. Children's Privacy
The Service is not directed at children under thirteen (13) years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected such information, we will delete it.
15. Security
We use industry-standard security practices, including HTTPS encryption, hashed credentials, secure token storage, and minimal data collection. However, no system is perfectly secure. You are responsible for safeguarding your own API keys and credentials.
16. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated through the Service or by email.
17. Governing Law
This Privacy Policy is governed by the laws of the State of New York.
18. Contact
For privacy questions, data requests, or any concerns about how we handle your data: