Privacy Policy
What we collect, why we collect it, and how to make us delete it.
1. What we collect
Account data
When you sign up: your email address, a hashed password (or a magic-link session token if you used the agent-signup flow), a randomly generated API key, and your chosen tier. We do not collect your name, phone number, address, or any other identity information unless you explicitly provide it during a billing or support interaction.
Billing data
If you upgrade to a paid tier we route payment through Stripe. Stripe sees your card details; we see only the customer ID, subscription ID, and the tier you're on. We do not store card numbers. See Stripe's privacy policy for what they retain.
Usage data
Every API call to a metered endpoint writes a row to our usage log: timestamp, API key (which maps to your account), endpoint path, HTTP status, response time, IP address, and user agent. We use this for billing (counting credits), debugging (which endpoints customers hit), and abuse detection (rate-limiting, fraud).
Cookies and local storage
The dashboard at parlay-api.com sets one session cookie (name: session) when you log in. No third-party analytics cookies, no advertising trackers, no fingerprinting libraries. Our analytics is server-side Umami, which doesn't use cookies and doesn't collect personally identifying data.
2. Why we collect it
- Account data is necessary to authenticate you to the API and serve your dashboard.
- Billing data is necessary to charge you and stop charging you when you cancel.
- Usage data is necessary to bill correctly and to maintain the service (we can't keep it running for everyone if a single account is doing 10x its tier).
- Cookies are necessary to keep you signed in across page loads.
3. How long we keep it
- Account data: retained while your account is active, deleted within 30 days of account closure on request.
- Billing data: retained for 7 years per US tax law (subscription history, invoice records). Card details are never retained by us; ask Stripe.
- Usage data: aggregated rows kept for 12 months, raw per-request logs kept for 90 days.
- Cookies: session cookies expire after 7 days of inactivity.
4. Who we share it with
The short list:
- Stripe: payment processing. They see your card and email if you check out.
- Cloudflare: edge proxy and DDoS protection. They see request metadata (IP, user agent, headers) for every API call.
- Postmark / email provider: transactional emails (signup confirmation, magic links, billing receipts). They see your email address.
That's it. We do not sell data to anyone, ever. We do not share with advertising networks. We do not run a "data partnerships" program.
5. Your rights under GDPR (EU/UK) and CCPA (California)
You have the right to:
- Access the data we hold about you. Email [email protected] and we'll send a JSON dump within 30 days.
- Correct inaccurate data. Update your email or password in the dashboard, or email us for billing-record fixes.
- Delete your account and all associated data. Email [email protected]; we'll process within 30 days. Billing records that we're legally required to keep for tax reasons stay archived (the rest is purged).
- Export your data in a portable format (JSON). Same email contact.
- Object to processing for any reason other than service operation (e.g. transactional emails). We don't do non-essential processing so this is mostly moot, but the right exists.
- Opt out of sale (CCPA): we don't sell data, so opting out is automatic.
6. Children's data
ParlayAPI is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has signed up, email us and we will delete the account.
7. International transfers
Our servers are in the US (NJ). If you're in the EU, your data will be transferred to the US for processing. We rely on Standard Contractual Clauses for this transfer where required.
8. Security
Passwords are hashed with bcrypt. API keys are hashed in storage and shown only at signup time (you'll need to regenerate if lost). All connections require TLS 1.2+. We do not have access to your raw password. We do not log API keys in plain text.
9. Changes to this policy
If we change this policy in a way that affects what we collect or who we share it with, we'll email every active account. Cosmetic changes (rewording, formatting) we just publish. Last revision date is below.
10. Contact
Privacy questions: [email protected]. We respond within 7 days.