Legal
Privacy Policy
Last updated July 10, 2026
1. Data Controller
This Privacy Policy explains how [LEGAL ENTITY NAME — NOT YET INCORPORATED], located at [COMPANY ADDRESS] ("we", "us"), as data controller, collects, uses, shares, and protects the personal data of Anveesa API Platform Users.
2. Data We Collect
- Account data: name, email address, company/organization name, password (hashed), and two-factor authentication (2FA) status.
- API usage data: number of calls, endpoints accessed, access times, response codes, and quota metrics: collected for billing, monitoring, and security.
- API Key metadata: we store a fingerprint (encrypted/unreadable representation) of the API Key, not its raw value.
- Payment data: processed by a third-party payment gateway (e.g., Xendit and/or Paddle); we only receive transaction status confirmation and data necessary for invoicing, not full card data.
- Technical and security data: IP addresses, account activity logs (audit logs), failed login attempt records, and data generated from automated security scans.
- Communication data: the content of a User's correspondence with our support team.
3. Basis and Purpose of Processing
- Contract performance: to provide API access, bill usage, and manage Accounts under the Terms and Conditions.
- Legitimate interest: to detect fraud and misuse and to maintain Platform security, including through audit logs and periodic security scanning.
- Legal obligation: for example, retaining transaction data for tax purposes under applicable law.
- Consent: for optional marketing communications, which may be withdrawn at any time.
4. Data Sharing
- With payment gateway providers (Xendit/Paddle or others), limited to data necessary to process payment.
- With third-party API Providers whose APIs are hosted on the Platform, limited to relevant API call metadata (e.g., call counts) for revenue-sharing billing purposes; we do not share a User's Account credentials with API Providers.
- With cloud infrastructure providers we use to host the Platform, limited to what is necessary to operate the service.
- With competent authorities where required by law, court order, or valid legal process.
- We do not sell Users' personal data to third parties for marketing purposes.
5. Data Security
- Mandatory two-factor authentication for every Account, with backup codes.
- API Keys are stored as fingerprints rather than plaintext, so they cannot be reused even in the event of a data breach.
- Encryption is applied to all data traffic between Users and the Platform.
- Tamper-evident audit logs record every significant Account action.
- Login-attempt lockout mechanisms to prevent brute-force attacks.
- Automated security scans are run periodically against the Platform.
That said, no method of electronic transmission or storage is 100% secure; we strive to apply reasonable technical and organizational measures in line with current technology.
6. Data Retention
Account and usage data is retained for as long as the Account is active and for a period thereafter as necessary for legal, billing, or dispute-resolution purposes. Note that legal/policy page content in our internal content management system stores only the latest version with no version history; we will separately document which policy version was in effect at the time a User accepted it, as evidence of consent.
7. User Rights Over Personal Data
In line with the UU PDP and generally applicable data-protection principles, Users have the right to:
- access and request a copy of their personal data;
- request correction of inaccurate data;
- request deletion of personal data, to the extent this does not conflict with a legal obligation requiring us to retain it;
- withdraw previously given consent, particularly for marketing communications;
- object to certain processing based on our legitimate interest.
Requests relating to the above rights may be sent to [PRIVACY CONTACT EMAIL].
8. International Data Transfers
As the Platform may use cloud infrastructure located outside the User's home country, User data may be processed on servers located in other jurisdictions. We will endeavor to ensure adequate safeguards for cross-border data transfer in accordance with applicable regulations.
9. Children's Privacy
This Platform is not directed at individuals under 18 years of age, and we do not knowingly collect personal data from children.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The version in effect is the latest version published on the Platform together with its "last updated" date.
11. Contact
Questions or requests relating to privacy may be directed to: [PRIVACY CONTACT EMAIL] / [COMPANY ADDRESS].