Privacy Policy
This policy describes how ApiCLay collects, uses, stores, and shares information when you use our website, dashboard, and REST API (Flask application with routes under /backend), including when you act as a vendor (API provider) or buyer.
1. Who we are
ApiCLay operates the unified web and API service described in our project documentation. The public base URL of the deployment is configured as APP_URL in our environment (for example your production domain).
2. Information we collect
Depending on how you use ApiCLay, we may process:
- Account and profile data: such as name, email, username, password hashes, profile or avatar references, and preferences you provide
- Authentication: one-time passcodes or similar verification data when email OTP login is used, and session or JWT-related identifiers needed to keep you signed in or authorize API calls
- Vendor and listing data: company and API listing details you submit (descriptions, categories, OpenAPI/Swagger sources, custom HTTP route definitions, public field metadata, and configuration needed to proxy requests, excluding buyer-supplied secrets where the product is designed to keep them client-side)
- Transactions and billing: subscription and payment records, Razorpay identifiers and event metadata, wallet or balance transactions, and top-up orders as implemented in our application
- API usage: trial and daily (or periodic) usage counters and related logs used to enforce limits and billing
- Support and feedback: support tickets, optional API ratings, and ticket messages when those features are enabled
- Technical data: IP address, device and browser type, timestamps, and diagnostic logs; information from cookies or similar technologies as described below
When buyers call vendor APIs through our gateway, request and response content may transit our systems. We do not use this policy to override specific contractual terms between vendors and their customers where those apply.
3. How we use information
We use personal and technical information to:
- Provide, operate, and improve the Service (hosting listings, authentication, dashboard, discover, playground, and backend API)
- Process payments and subscriptions, prevent fraud, and maintain financial records
- Enforce request policies, trials, and rate limits; generate internal analytics and reliability metrics
- Communicate about the Service, security, and billing
- Respond to support requests and optional ratings or tickets
- Meet legal obligations and protect rights, safety, and integrity of users and the platform
4. Legal bases (EEA, UK, and similar regions)
Where GDPR or similar laws apply, we rely on appropriate bases such as: performance of a contract with you, legitimate interests (for example securing the Service, analytics, and product improvement, balanced against your rights), consent where required (for example certain cookies or marketing), and legal obligation.
5. Storage and security
Application data is stored in MongoDB (connection configured via environment). We use industry-typical measures such as access controls, hashing for passwords, encryption in transit (HTTPS), and careful handling of secrets in configuration. No method of storage or transmission is completely secure.
6. Payment processing
Payments are processed by Razorpay. Card and bank payment details are handled according to Razorpay’s practices and PCI requirements; we typically receive transaction metadata rather than full card numbers. Razorpay’s privacy policy also applies to payment data they process.
7. Cookies and similar technologies
We use cookies and related mechanisms for sessions, security (for example CSRF where applicable), and preferences. We may use analytics to understand usage. Where required by law, we will obtain consent before non-essential cookies or tracking.
8. Third-party services and subprocessors
We use service providers as needed to run ApiCLay, which may include:
- Cloud database and hosting (MongoDB and application hosting)
- Payment processing (Razorpay)
- Email delivery (for example SMTP or SendGrid when configured)
- Object storage or CDN for media such as avatars (for example S3-compatible storage when configured)
- API gateway or infrastructure that proxies buyer traffic to vendor upstreams when deployed
These providers process data only to deliver the Service and are bound by appropriate contractual or legal safeguards where required.
9. International transfers
Our providers may process data in countries other than your own. Where required, we use approved transfer mechanisms (such as standard contractual clauses) in addition to technical and organizational measures.
10. Retention
We retain information for as long as your account is active, as needed to provide the Service, and as required for legal, tax, accounting, or dispute resolution purposes. Usage and log retention follow operational needs and legal requirements; some aggregates may be kept in de-identified form.
11. Your rights and choices
Depending on your location, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal data, and to withdraw consent where processing is consent-based. You may also lodge a complaint with a supervisory authority. To exercise rights, contact us via the Contact page; we may verify your identity before responding.
12. Vendors and buyers
Vendors who process personal data of end users through their APIs act as independent controllers (or processors to their customers) for that data. Buyers should review vendor documentation and terms. ApiCLay processes marketplace account, billing, usage, and platform data as described here.
13. Children
The Service is not directed to children. We do not knowingly collect personal information from children under the age required by applicable law. If you believe we have collected such information, contact us so we can delete it.
14. Security incidents
If we become aware of a breach affecting personal data, we will investigate, mitigate, and notify affected users and regulators as required by applicable law.
15. Changes to this policy
We may update this policy from time to time. We will post the new version on this page and revise the “Last updated” date. For material changes, we may provide additional notice as appropriate.
16. Contact
For privacy-related requests or questions, use the contact options on our Contact page (including the email address listed there).