Privacy Policy - Bonds API

1. Introduction

Bonds API ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website, API, dashboard, and related services (collectively, the "Service").

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Service.

2. Information We Collect

2.1 Information You Provide

Account information: name, email address, and password when you register.
Google OAuth data: if you sign in with Google, we receive your name, email, and profile picture from Google. We do not access your Google contacts, files, or other data.
Billing information: payment details are processed and stored by Stripe. We do not store your credit card numbers on our servers.
Communications: any information you provide when contacting our support team.

2.2 Information Collected Automatically

API usage data: endpoints called, request timestamps, response codes, and request volume per API key.
Log data: IP address, browser type, operating system, referring URLs, and access timestamps.
Device information: device type, screen resolution, and language preferences.
Cookies: session cookies for authentication and functional cookies for user preferences.

3. How We Use Your Information

We use the collected information for the following purposes:

Provide and maintain the Service: authenticate users, process API requests, manage subscriptions, and deliver customer support.
Billing and payments: process subscription charges, send invoices, and manage plan changes through Stripe.
Usage analytics: monitor API usage patterns to enforce rate limits, detect abuse, and improve the Service.
Communication: send transactional emails (account verification, password resets, billing notifications) and, with your consent, product updates.
Security: detect and prevent fraud, unauthorized access, and other malicious activities.
Legal compliance: comply with applicable laws, regulations, and legal processes.

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your data with:

Stripe: for payment processing and subscription management. See Stripe's Privacy Policy.
Google: if you use Google OAuth for authentication. See Google's Privacy Policy.
Service providers: hosting, email delivery, and analytics services that process data on our behalf under strict confidentiality agreements.
Legal authorities: when required by law, court order, or governmental regulation, or to protect our rights and the safety of our users.

5. Cookies and Tracking

We use the following types of cookies:

Type	Purpose	Duration
Essential	Authentication, session management, CSRF protection	Session
Functional	User preferences and dashboard settings	1 year
Analytics	Aggregate usage statistics to improve the Service	1 year

You can configure your browser to refuse cookies, though some features of the Service may not function properly without them.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

Account data: retained until you delete your account.
API usage logs: retained for up to 24 months for analytics and abuse prevention.
Billing records: retained as required by tax and accounting regulations (typically 7 years).
Server logs: automatically deleted after 90 days.

Upon account deletion, we will remove or anonymize your personal data within 30 days, except where retention is required by law.

7. Data Security

We implement industry-standard security measures to protect your data, including:

TLS/SSL encryption for all data in transit.
Encrypted storage of passwords using bcrypt hashing.
API key hashing — we store only hashed versions of your keys.
Regular security audits and vulnerability assessments.
Access controls limiting employee access to personal data on a need-to-know basis.

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. You use the Service at your own risk.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

Access: request a copy of the personal data we hold about you.
Rectification: request correction of inaccurate or incomplete data.
Deletion: request deletion of your personal data ("right to be forgotten").
Portability: request your data in a structured, machine-readable format.
Objection: object to processing of your data for certain purposes.
Withdrawal of consent: withdraw consent at any time where processing is based on consent.

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

9. International Data Transfers

Your data may be processed in countries outside your own. We ensure appropriate safeguards are in place, including standard contractual clauses and compliance with applicable data protection frameworks, to protect your data during international transfers.

10. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing any personal information.

11. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the Service or sending an email. Your continued use of the Service after the changes take effect constitutes acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

Bonds API — Privacy Team

Email: [email protected]