Privacy Policy

1. Introduction

G8KEPR ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our API security platform and related services (collectively, the "Service").

We comply with applicable privacy regulations including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws. By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Data We Collect

2.1 Account Information

When you create a G8KEPR account, we collect:

• Email address
• Full name
• Organization name and size
• Password (hashed with bcrypt — never stored in plaintext)
• Billing address and tax identification number (where required)

2.2 Usage Data

To provide and improve our Service, we collect:

• API request logs (endpoints, methods, response times, status codes)
• Security event logs (blocked threats, rate limit violations, anomaly detections)
• Usage metrics (requests per day, quota consumption, feature adoption)
• Browser and device information (user-agent, screen resolution)
• IP addresses (for security, fraud prevention, and geographic routing)
• Dashboard interaction events (page views, feature clicks)

2.3 Payment Information

Payment transactions are processed by Stripe. We do not store full credit card numbers on our systems. We retain:

• Last four digits of your payment card (for display purposes)
• Billing address
• Stripe customer and subscription IDs
• Invoice history and payment records

3. How We Use Your Data

We use your information to:

• Service delivery: Process API requests, enforce rate limits, detect and block threats, and provide security analytics
• Billing: Process payments, issue invoices, and manage subscriptions via Stripe
• Security: Detect fraud, prevent abuse, respond to security incidents, and maintain audit trails
• Compliance: Satisfy legal and regulatory obligations, including SOC 2, HIPAA, and FedRAMP requirements
• Product improvement: Analyze aggregate usage patterns to improve performance, reliability, and features
• Communications: Send transactional emails, quota alerts, security notifications, and service updates
• AI processing: Route and analyze API requests through our AI gateway using Anthropic's models for threat detection and classification (see Third-Party Processors below)

4. Data Retention

We retain your data only as long as necessary to provide the Service and meet our legal obligations:

Upon account deletion, personal data is purged within 30 days. Anonymized aggregate data (with no personal identifiers) may be retained indefinitely for product analytics.

5. Third-Party Processors

We work with carefully selected sub-processors to deliver the Service. Each processor is bound by data processing agreements and appropriate safeguards:

We do not sell your data. Data is shared with processors only to the extent necessary to deliver the Service. We never share data with advertising networks or data brokers.

6. Your Rights

You have the following rights regarding your personal data. To exercise any right, email privacy@g8kepr.com. We will respond within 30 days (GDPR) or 45 days (CCPA).

6.1 GDPR Rights (EU/EEA Residents — Articles 15–20)

6.2 CCPA Rights (California Residents)

• Right to know: Request disclosure of personal information collected, used, disclosed, or sold in the past 12 months
• Right to delete: Request deletion of personal information we have collected from you
• Right to opt-out: We do not sell personal information. There is nothing to opt out of
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights

To submit a verifiable consumer request, email privacy@g8kepr.com with "CCPA Request" in the subject line.

7. Data Security

We implement industry-standard security measures to protect your data:

8. International Data Transfers

G8KEPR operates from the United States. Your data may be transferred to and processed in the USA and other countries where our sub-processors operate. For transfers of personal data from the EU/EEA, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable (e.g., UK-US Data Bridge, EU-US Data Privacy Framework)
• Contractual obligations with sub-processors to maintain equivalent protections

9. Cookies and Tracking

We use essential cookies necessary to operate the Service:

• Session cookies to maintain your authenticated session
• Preference cookies to remember your settings (theme, locale)
• Security cookies to prevent CSRF attacks and detect fraud

We do not use third-party advertising cookies or behavioral tracking cookies. Analytics cookies (PostHog) are first-party and anonymized. You may opt out of analytics via our cookie consent banner.

10. Children's Privacy

G8KEPR is not directed at or intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@g8kepr.com and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes via email and dashboard notification at least 30 days before they take effect. The "Last updated" date at the top of this page reflects when this policy was last revised. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

For questions, requests, or complaints regarding this Privacy Policy or our data practices:

Related Policies