Legal
Privacy Policy
Effective date: May 18, 2026 · Last updated: May 18, 2026
Your privacy matters. This policy explains what data APIlot collects, why we collect it, how it is used, and the rights you have over it — including those granted under the GDPR (EU/EEA), UK GDPR, and the CCPA (California).
1. Who We Are
APIlot ("we", "us", "our") operates the platform available at useapilot.com. We are the data controller for personal data collected through the Service.
Contact: [email protected]
2. Data We Collect
We collect the following categories of personal data:
| Account data | Name, email address, profile picture (from OAuth provider) |
| Authentication data | OAuth tokens from Google or GitHub (never your password) |
| Usage data | Pages visited, features used, integration prompts submitted, timestamps |
| Integration content | Prompts you enter, API names you connect, generated code (stored to enable re-run and history) |
| API credentials | Third-party API keys and secrets you provide (encrypted at rest using AES-256) |
| Billing data | Subscription tier, billing status (payment card details are processed by Polar — we never see raw card numbers) |
| Technical data | IP address, browser type, device type, referrer URL, error logs |
| Cookies | Session cookie (required), preference cookies (optional — see Section 7) |
3. How We Use Your Data
We use your data to:
- Provide the Service — authenticate you, process prompts, generate and deploy integrations (legal basis: contract performance)
- Process payments — manage subscriptions and billing via Polar (legal basis: contract performance)
- Improve the Service — analyse aggregate usage patterns to improve features (legal basis: legitimate interests)
- Security and fraud prevention — detect abuse, rate-limit, and protect infrastructure (legal basis: legitimate interests)
- Communications — send transactional emails (password reset, billing receipts) and, with your consent, product updates (legal basis: consent / contract)
- Legal compliance — comply with applicable laws and respond to lawful requests (legal basis: legal obligation)
We do not sell your personal data, use it for ad targeting, or share it with data brokers.
4. Third-Party Services We Use
| Polar | Subscription billing and payment processing | polar.sh/privacy |
| Google / GitHub OAuth | Authentication (optional sign-in method) | Respective privacy policies apply |
| PostHog | Optional analytics — only loaded with your consent (no ad tracking, no cross-site data) | posthog.com/privacy |
| Fly.io | Cloud infrastructure and hosting | fly.io/legal/privacy-policy |
| Neon / PostgreSQL | Database hosting (encrypted at rest) | neon.tech/privacy |
| Vercel / Next.js | Frontend rendering and CDN | vercel.com/legal/privacy-policy |
| Resend (or similar) | Transactional email delivery | Applicable provider policy |
We only share data with third parties to the extent necessary to deliver the Service. All processors are required to handle data in accordance with applicable law.
5. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: retained until account deletion + 30-day grace period
- Integration history: retained for the life of your account; you can delete individual integrations at any time
- API credentials: deleted immediately upon your request or account deletion
- Billing records: retained for 7 years to comply with financial regulations
- Server logs: retained for 90 days
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
| Access | Request a copy of the personal data we hold about you |
| Rectification | Ask us to correct inaccurate or incomplete data |
| Erasure (“right to be forgotten”) | Request deletion of your personal data (subject to legal retention obligations) |
| Portability | Receive your data in a structured, machine-readable format |
| Restriction | Ask us to restrict processing of your data in certain circumstances |
| Objection | Object to processing based on legitimate interests |
| Withdraw consent | Withdraw marketing consent at any time without affecting other processing |
| CCPA opt-out | California residents may opt out of any sale of personal information (we do not sell data) |
To exercise any right, email [email protected]. We will respond within 30 days (GDPR) or 45 days (CCPA). If you are in the EU/EEA, you also have the right to lodge a complaint with your local supervisory authority.
8. Data Security
We implement industry-standard security measures:
- All data in transit is encrypted with TLS 1.2+
- API credentials and secrets are encrypted at rest with AES-256
- Access to production systems is restricted to authorised personnel
- We conduct regular security reviews of our infrastructure
No system is 100% secure. If you discover a security vulnerability, please report it responsibly to [email protected].
9. International Data Transfers
APIlot is hosted on infrastructure primarily in the United States. If you are located in the EU/EEA or UK, your data may be transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism.
10. Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 14 days before the changes take effect. Your continued use after the effective date constitutes acceptance of the updated policy.
12. Contact and Data Controller
For privacy questions, data requests, or complaints:
APIlot
Email: [email protected]
Website: useapilot.com