Privacy Policy

1. Data we collect

We collect the minimum necessary to operate the product:

• Account data. Email address and display name. Depending on your sign-in method, we also receive an authentication identifier from your identity provider: a Google account sub (Google OAuth), a Microsoft account identifier (Microsoft OAuth), or no third-party identifier (magic-link email sign-in).
• API usage data. Per-request records including endpoint path, HTTP status code, timestamp, and a request ID. The monthly-to-date (MTD) call count derived from these records enforces your plan quota and resets on the first of each calendar month UTC.
• Usage data. Pages visited, requests made, and timestamps. Used for product analytics and security monitoring.
• Technical data. IP address, user agent, and other request headers, retained for security and abuse prevention.
• Billing data. If you subscribe to a paid tier, Stripe (our payment processor) collects and stores your payment card data on our behalf. We receive only a tokenized reference and subscription status from Stripe. We do not store full card numbers, CVVs, or bank account details.

We do not collect bank account numbers, social security numbers, or other government identifiers. We do not run advertising trackers.

2. How we use your data

• To authenticate you and operate the product.
• To track API quota consumption and enforce plan limits.
• To manage your subscription and process billing via Stripe.
• To monitor security, prevent abuse, and debug failures.
• To communicate operationally (service updates, security notices, billing alerts).

We do not sell personal information. We do not share personal information with third parties except subprocessors (cloud hosting, analytics) acting on our behalf, or as required by law.

3. Retention

• Account data is retained while your account is active. After account closure, we delete personal data within 90 days, except where retention is required by law.
• API request logs and MTD usage counters are retained for up to 12 months for security, audit, and billing reconciliation purposes. MTD counters reset on the first of each calendar month UTC but the underlying log records are retained for the full 12-month window.
• Billing records (invoices, payment events received from Stripe) are retained for at least 7 years to comply with tax and accounting obligations.

4. Sharing

We share data only with operational subprocessors strictly necessary to run the service. Current subprocessors include: Amazon Web Services (hosting and infrastructure), Google (authentication — Google OAuth users only), Microsoft (authentication — Microsoft OAuth users only), and Stripe (payment processing — paid-tier subscribers only). We do not sell or rent personal information.

5. Your rights

Depending on where you live, you may have rights under the California Consumer Privacy Act (CCPA), the EU/UK General Data Protection Regulation (GDPR), or other privacy laws. These typically include the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Request deletion of your data.
• Object to or restrict certain processing.
• Receive a copy of your data in a portable format.

To exercise any of these rights, contact us at the address below. We will respond within the timeframe required by applicable law.

6. Children

The product is not directed at children under 16, and we do not knowingly collect data from them.

7. Security

We use industry-standard security controls (encrypted transport, encrypted storage, scoped access). No system is perfectly secure; we will notify affected users in the event of a breach involving their personal data, consistent with applicable law.

8. Changes

We may update this policy as the product and our legal obligations evolve. Material changes will be communicated via the product or by email. The “Last updated” date above reflects the most recent revision.

9. Contact

Questions or requests concerning this policy: hello@spokenalpha.com. Spoken Alpha is a sole proprietorship operating in New York.