Privacy Policy
Last updated: April 7, 2026 · Effective date: April 7, 2026
This Privacy Policy describes how Vegh Labs LLC (“Vegh Labs,” “we,” “us,” or “our”) collects, uses, and shares information when you use the Exercise API service available at exerciseapi.dev and related websites, dashboards, and APIs (collectively, the “Service”).
We’ve tried to write this policy in plain English. If anything is unclear, email us at privacy@exerciseapi.dev.
1. Summary
The short version, for people who don’t want to read every section:
- We collect very little. Your email (from sign-in), an API key hash, what plan you’re on, and basic usage counts.
- We don’t sell your data. Ever. To anyone.
- We don’t track you across the web. No advertising cookies, no third-party trackers, no behavioral profiles.
- We use a small number of essential third-party services (Supabase for our database and authentication, Stripe for payments, Cloudflare and Vercel for hosting). Each is described below.
- You can delete your account at any time from the dashboard. When you do, your data is removed.
- You have rights under laws like GDPR (if you’re in the EEA/UK) and CCPA (if you’re in California). We honor them.
The long version follows.
2. Information We Collect
2.1 Information You Provide
Account information. When you sign in to the Service using GitHub or Google OAuth, we receive your email address and a unique identifier from the authentication provider. We do not receive your password, contacts, or other personal information from those providers.
Payment information. If you upgrade to a paid plan, our payment processor Stripe collects your name, billing address, payment method details (such as credit card number), and similar information needed to process the payment. We do not store your full payment card details on our servers. Stripe stores them and provides us only with non-sensitive identifiers such as the last four digits of your card and a customer ID. See Stripe’s privacy policy for details.
Communications. If you email us for support, we receive whatever you put in the email, including your email address and message contents.
2.2 Information We Generate About Your Account
- An API key that authenticates your requests. We store a SHA-256 hash of the key, not the key itself. The first 12 characters of the key are stored separately so you can identify it in your dashboard.
- Your subscription tier (free, Starter, Pro, or Business) and current subscription status.
- A Stripe customer ID linking your account to your billing record (only if you have upgraded to a paid plan).
- Usage counters: per-day, per-endpoint counts of how many requests your account has made. These power the usage charts in your dashboard. We do not log the contents of individual requests, your IP address per request, or response data.
2.3 Information Collected Automatically
Server logs. Like most web services, our infrastructure providers (Cloudflare, Vercel) log basic request metadata for operational and security purposes — IP address, user agent, request URL, response status code, and timestamp. These logs are typically retained for a short period (days to weeks) and are used to diagnose problems, detect abuse, and analyze aggregate traffic patterns. We do not associate these logs with individual user accounts unless we are investigating a specific incident.
Cookies. We use a small number of strictly necessary cookies for authentication (so you stay signed in to the dashboard) and for basic functionality. We do not use advertising cookies, behavioral tracking cookies, or third-party analytics cookies that follow you across websites.
2.4 Information We Do NOT Collect
For clarity, we want to be explicit about what we do not collect:
- We do not log the contents of API requests beyond aggregate counts.
- We do not collect, sell, or share data for advertising purposes.
- We do not use third-party advertising networks or behavioral analytics services.
- We do not track you across other websites.
- We do not collect biometric, health, or location data.
- We do not knowingly collect personal information from children under 13 (or under 16 in the EEA).
3. How We Use Information
We use the information we collect for the following purposes:
- To provide and operate the Service. Authenticating your account, validating your API key, enforcing rate limits, processing payments, and showing you usage in your dashboard.
- To communicate with you. Sending account-related emails (such as receipts, payment failures, or important Service updates). We do not send marketing emails by default. If we ever start, we’ll ask you to opt in first.
- To improve the Service. Looking at aggregate usage patterns to understand which features are popular, what errors are common, and what to build next.
- To prevent abuse and ensure security. Detecting and stopping unauthorized access, fraud, denial-of-service attacks, and API abuse.
- To comply with legal obligations. When required by law, court order, or other legal process.
4. Legal Bases for Processing (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR for processing your personal information:
- Performance of a contract. Most of our processing is necessary to provide the Service you signed up for.
- Legitimate interests. Operating, securing, and improving the Service in ways that you would reasonably expect.
- Consent. Where required, such as for any future marketing communications.
- Legal obligation. Such as retaining payment records for tax purposes.
5. How We Share Information
We do not sell your personal information. We share information only in the following limited circumstances:
5.1 Service Providers
We use a small number of third-party services to operate the Service. Each receives only the information necessary to perform its function:
| Provider | Purpose | What they receive |
|---|---|---|
| Supabase | Database and authentication | Account email, API key hash, subscription tier, usage counters |
| Stripe | Payment processing | Name, billing address, payment method, email |
| Cloudflare | API hosting and DDoS protection | Request metadata (IP, headers, URL) |
| Vercel | Web app and dashboard hosting | Request metadata (IP, headers, URL) |
| Upstash | Rate limiting and caching | API key hash, request counts |
Each of these providers is contractually bound to use the information only for the purposes described and to maintain appropriate security.
5.2 Legal Disclosures
We may disclose information if we believe in good faith that disclosure is necessary to:
- Comply with a law, regulation, court order, or other legal process
- Protect the rights, property, or safety of Vegh Labs, our users, or the public
- Investigate or prevent fraud, security issues, or API abuse
If we receive a government request for your data, and we’re not legally prohibited from doing so, we will attempt to notify you before complying.
5.3 Business Transfers
If Vegh Labs is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you (by email or a notice on the Service) before your information becomes subject to a different privacy policy.
6. Data Retention
We retain your information for as long as your account is active, plus a reasonable period afterward to comply with legal obligations and resolve disputes:
- Account data (email, API key hash, subscription tier): retained until you delete your account.
- Usage counters: retained for up to 12 months in aggregate form.
- Payment records: retained for 7 years after the transaction, as required by tax and accounting law.
- Server logs: retained for a short period (typically 30–90 days) by our infrastructure providers.
When you delete your account, we delete or anonymize your personal information from our databases within 30 days, except for information we are required to retain by law (such as billing records).
7. Your Rights
Depending on where you live, you may have the following rights regarding your personal information:
- Access. Request a copy of the personal information we hold about you.
- Correction. Ask us to correct inaccurate information.
- Deletion. Ask us to delete your personal information. (You can do this yourself by deleting your account from the dashboard.)
- Portability. Request a copy of your information in a machine-readable format.
- Objection. Object to certain types of processing.
- Withdrawal of consent. Where we rely on consent, you can withdraw it at any time.
If you are in California, the CCPA gives you specific rights including the right to know what personal information we collect, the right to delete it, and the right not to be discriminated against for exercising your rights. We do not sell personal information, so the CCPA “right to opt out of sale” does not apply.
To exercise any of these rights, email us at privacy@exerciseapi.dev. We will respond within the time required by applicable law (typically 30–45 days). We may need to verify your identity before fulfilling certain requests.
8. Security
We take reasonable measures to protect your information:
- API keys are stored as SHA-256 hashes, not in plain text.
- All connections to the Service use HTTPS / TLS encryption.
- We use established infrastructure providers (Supabase, Cloudflare, Vercel, Stripe) that implement industry-standard security controls.
- Access to production systems is limited to authorized personnel.
No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you and the relevant authorities as required by law.
9. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries where our service providers operate.
For users in the EEA, UK, or Switzerland, we rely on appropriate safeguards (such as Standard Contractual Clauses approved by the European Commission) for these transfers, where required.
10. Children’s Privacy
The Service is not directed to children under the age of 13 (or under 16 in the EEA), and we do not knowingly collect personal information from them. If you believe we have collected information from a child, please contact us at privacy@exerciseapi.dev and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service at least 30 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.
12. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, contact us at:
Vegh Labs LLC
Email: privacy@exerciseapi.dev
Website: exerciseapi.dev