INCI API

Privacy Policy

Effective date: March 26, 2026 · Last updated: March 26, 2026

INCI API ("we," "us," or "our") operates the website inciapi.com and provides the INCI API service (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and password (stored as a secure hash). If you subscribe to a paid plan, we collect billing information through our payment processor (Stripe). We do not store full credit card numbers on our servers.

1.2 API Usage Data

We automatically log API requests including timestamps, endpoints accessed, response codes, request volume, and your API key identifier. This data is used for rate limiting, billing, analytics, and service improvement.

1.3 Device and Browser Information

When you visit our website, we may collect your IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages, and other diagnostic data.

1.4 Cookies and Similar Technologies

We use cookies and similar tracking technologies to maintain sessions, remember preferences, and analyze usage. See our Cookie Policy for details.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Process transactions and manage subscriptions
  • Monitor and enforce API rate limits and usage quotas
  • Send transactional emails (account confirmation, billing receipts, security alerts)
  • Analyze usage patterns to improve the Service
  • Detect, prevent, and address technical issues, fraud, or abuse
  • Respond to your inquiries and support requests
  • Comply with legal obligations

We do not sell your personal information to third parties. We do not use your data for automated decision-making or profiling that produces legal effects.

4. Data Sharing and Third Parties

We may share your information with the following categories of third parties, strictly for the purposes described:

4.1 Payment Processor

We use Stripe to process payments. When you subscribe to a paid plan, your payment information is transmitted directly to Stripe and governed by their Privacy Policy.

4.2 Analytics Services

We use Google Analytics and Microsoft Clarity to understand how users interact with our website. These services may collect data such as pages viewed, session duration, and general geographic location. Data is aggregated and anonymized where possible.

4.3 Infrastructure Providers

Your data is hosted on cloud infrastructure providers that maintain industry-standard security certifications. We ensure that all providers process data in compliance with applicable data protection laws.

4.4 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect our rights, safety, or property.

5. Cookies and Tracking

We use essential cookies for authentication and session management, and optional analytics cookies to improve the Service. You can control cookie preferences through your browser settings. For a comprehensive overview, please refer to our Cookie Policy.

6. Data Storage and Security

We take the security of your data seriously and implement appropriate technical and organizational measures, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Secure password hashing (bcrypt)
  • API key authentication with hashed storage
  • Regular security audits and dependency updates
  • Access controls and principle of least privilege
  • Database backups with encryption

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously work to improve our security practices.

7. Data Retention

We retain your data according to the following guidelines:

  • Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion request.
  • API usage logs: Retained for 90 days for operational purposes, then aggregated and anonymized.
  • Billing records: Retained for the duration required by applicable tax and financial regulations (typically 7 years).
  • Analytics data: Retained in aggregated, anonymized form indefinitely for trend analysis.

8. Your Rights (GDPR)

If you are located in the EEA, United Kingdom, or a jurisdiction with similar privacy laws, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to restriction: Request that we limit the processing of your data.
  • Right to data portability: Receive your data in a structured, machine-readable format (JSON or CSV).
  • Right to object: Object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at support@inciapi.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete: Request deletion of your personal information.
  • Right to opt-out: We do not sell personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link.
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, contact us at support@inciapi.com.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from your jurisdiction. When we transfer personal data internationally, we implement appropriate safeguards in accordance with applicable law, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.

11. Children's Privacy

Our Service is not directed to children under 13 years of age (or under 16 in the EEA). We do not knowingly collect personal information from children. If we discover that a child has provided us with personal data, we will promptly delete it. If you believe a child has provided us with personal information, please contact us at support@inciapi.com.

12. Applicable Law and Data Controller Jurisdiction

The data controller is an autónomo (sole proprietor) established in Spain. This Privacy Policy is governed by Spanish law and EU GDPR (Regulation 2016/679). Any data protection complaint may be filed with the Spanish Data Protection Authority (Agencia Española de Protección de Datos — AEPD, www.aepd.es). The competent courts for disputes are those of the Canary Islands, Spain.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we may also send a notification to your registered email address. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

Business Customers

For business customers, our Data Processing Agreement (DPA) is available at /dpa. The DPA complies with GDPR Article 28 and covers data processing obligations, security measures, sub-processors, and data breach notification procedures.

14. Contact Us

If you have any questions or concerns about this Privacy Policy, or wish to exercise your privacy rights, please contact us:

INCI API

Email: support@inciapi.com

Website: inciapi.com