Privacy policy

What we collect

• Account: your email, name, and profile image from the identity provider you used (Google or magic link).
• Usage metadata: per API call — timestamp, API product, token / request counts, cost, latency, status, request ID, key prefix.
• Billing: Stripe customer ID and invoice metadata (Stripe handles card details, not OneAPIKey).
• Support messages: any message you send us.

What we do not collect by default

We do not store the bodies of your API requests or responses. Only the metadata listed above. You can opt into body logging for your own debugging — that data is private to your account and deleted on revocation.

How we use it

• Operate the service: authenticate you, route requests, bill usage.
• Send transactional email: sign-in links, invoice receipts, balance alerts, security notices.
• Analytics of aggregate usage (e.g., "top APIs this week").
• Fraud & abuse prevention (rate limits, IP allow-lists, key revocations).

Sharing

• Upstream API providers: your request body is passed through to the provider for the specific model you call.
• Stripe: for payment processing.
• Infrastructure: Vercel (hosting), Supabase/Neon (database), Upstash (rate limiting), Resend (email).
• We never sell your data or use your request bodies to train models.

Your rights

You can export your data at any time (usage CSV), update your profile at /settings, revoke keys at /keys, and delete your account on request to privacy@oneapikey.app.

Retention

Usage metadata is kept for 24 months for billing & analytics, then aggregated. Support messages are kept for 3 years. Deleted accounts are hard-deleted within 30 days.

Security

Upstream credentials are encrypted at rest (AES-256-GCM). API keys are stored only as HMAC-SHA256 hashes. Sessions use HttpOnly cookies. Webhook payloads are signed with HMAC-SHA256.

Children

OneAPIKey is not intended for users under 18.

Contact

Email privacy@oneapikey.app or use the contact form.