Privacy Policy

// last updated · April 17, 2026

Katzilla ("we", "us", "our") operates the katzilla.dev website, the api.katzilla.dev API, the @katzilla/sdk npm package, Katzilla Scrape, and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Hashed password (bcrypt, 12 rounds — we never store plaintext passwords) for password-based accounts
  • Social login profile (GitHub or Google login — email and display name only) for social-login accounts

1.2 API Keys

API keys you generate are stored as SHA-256 hashes. We retain only the key prefix (e.g. kz_a1b2) for identification. The full key is shown once at creation and cannot be recovered.

1.3 Usage Data

We automatically collect:

  • API request metadata: data source queried, response time, success/failure status
  • Monthly request counts for plan enforcement
  • IP addresses and user agent strings (for security audit logging)

1.4 Payment Information

If you subscribe to a paid plan, payment is processed by Stripe. We receive your email and subscription status but never see or store your card number, CVC, or billing address. See Stripe's Privacy Policy.

1.5 Cookies & Analytics

See our Cookie Policy for detailed information. In summary: we use essential cookies for authentication and optional analytics cookies (only with your consent).

2. How We Use Your Information

  • Provide the Service: Authenticate requests, enforce usage limits, serve data.
  • Security: Detect abuse, prevent fraud, audit access to the API.
  • Billing: Track usage, manage subscriptions via Stripe.
  • Communication: Send transactional emails (account confirmation, security alerts, billing receipts). We do not send marketing emails without opt-in consent.
  • Improvement: Analyze aggregate usage patterns to improve reliability and coverage.

3. Data We Never Collect

We want to be explicit about what we do not collect or store:

  • Query response bodies — we do not log the data returned to you
  • Plaintext passwords — only bcrypt hashes
  • Full API keys — only SHA-256 hashes and prefixes
  • Payment card details — handled entirely by Stripe
  • Your downstream usage — we don't track what you do with the data after you receive it

4. Data Sharing & Disclosure

We do not sell your personal information. We share data only in these cases:

  • Payment processing: Stripe processes your subscription payments. We share your email for checkout.
  • Analytics (with consent): If you opt in to analytics cookies, aggregate usage data is processed by PostHog.
  • Legal obligations: We may disclose data if required by law, subpoena, or court order.
  • Business transfer: In the event of a merger, acquisition, or sale, user data may be transferred as part of the business assets.

5. Data Security

We implement industry-standard security measures:

  • API keys stored as SHA-256 hashes
  • Passwords hashed with bcrypt (12 rounds)
  • All traffic encrypted via TLS/HTTPS
  • Comprehensive audit logging for security events
  • Rate limiting to prevent brute-force attacks
  • JWT tokens with 7-day expiry for session management

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for keeping your API keys and passwords secure.

6. Data Retention

  • Account data: Retained for the lifetime of your account. Deleted upon account closure.
  • Usage logs: Retained for 90 days for billing and debugging, then aggregated.
  • Audit logs: Retained for 1 year for security purposes.
  • Subscription history: Retained for 7 years for financial compliance.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Update or correct inaccurate data.
  • Deletion: Request deletion of your account and associated data.
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing of your data for certain purposes.
  • Withdraw consent: Withdraw consent for optional data processing (e.g., analytics cookies) at any time.

To exercise these rights, contact privacy@katzilla.dev. We will respond within 30 days.

8. European Users (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your data under the following legal bases:

  • Contract: Processing necessary to provide the Service you signed up for.
  • Legitimate interest: Security monitoring, fraud prevention, service improvement.
  • Consent: Analytics cookies and optional marketing communications.
  • Legal obligation: Financial record-keeping, responding to legal requests.

Data is stored on servers in the United States. By using the Service, you consent to data transfer to the US. We rely on Standard Contractual Clauses for lawful transfers.

9. California Users (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of the sale of personal information. We do not sell personal information.

To submit a CCPA request, contact privacy@katzilla.dev.

10. Children's Privacy

The Service is not directed at individuals under 18. We do not knowingly collect data from children. If you believe a child has provided us personal information, contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or a prominent notice on the website at least 14 days before taking effect. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For privacy-related inquiries:

privacy@katzilla.dev

Katzilla

Data Protection Inquiries