Privacy Policy
Effective Date: January 20, 2026 | Last Updated: January 20, 2026
1. Introduction and Scope
2api, Inc., a Delaware corporation ("2api," "Company," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy ("Policy") describes how we collect, use, disclose, retain, and safeguard personal information when you access or use our website at https://2api.ai, our application programming interfaces ("APIs"), software development kits ("SDKs"), developer tools, documentation, and any other products or services we offer (collectively, the "Services").
This Policy applies to all users of our Services, including individual developers, businesses, and enterprises. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with this Policy, you must not access or use our Services.
For users in the European Economic Area ("EEA"), United Kingdom ("UK"), or Switzerland, 2api acts as the data controller for personal data collected through the Services. For users in California, this Policy includes disclosures required under the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA").
2. Definitions
For purposes of this Policy:
- "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to name, email address, IP address, device identifiers, and any other information that can be used to directly or indirectly identify an individual.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Customer Data" means data, including Personal Data, that you submit to the Services or that is processed on your behalf through your use of the Services.
- "Usage Data" means data collected automatically through the Services, including API call logs, performance metrics, and technical diagnostics.
3. Categories of Personal Data We Collect
3.1 Information You Provide Directly
- Account Registration Data: Name, email address, username, password (hashed), company name, job title, phone number, and billing address.
- Payment Information: Credit card numbers, bank account details, billing addresses, and tax identification numbers. Payment card data is processed by our PCI-DSS compliant payment processors and is not stored on our systems.
- Communications: Content of emails, support tickets, chat messages, and any other communications you send to us.
- User-Generated Content: API configurations, custom policies, webhook URLs, and other content you create within the Services.
- Survey and Feedback Data: Responses to surveys, questionnaires, and feedback forms.
3.2 Information Collected Automatically
- API Usage Data: API request and response metadata, including timestamps, endpoints accessed, HTTP methods, request headers (excluding authorization tokens), response codes, latency measurements, and error messages.
- Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and unique device identifiers.
- Log Data: Server logs containing access times, pages viewed, referring URLs, and actions taken within the Services.
- Cookies and Similar Technologies: Information collected through cookies, web beacons, pixels, and similar tracking technologies as described in Section 10.
- Geolocation Data: Approximate geographic location derived from IP address.
3.3 Information from Third Parties
- Third-Party Authentication: If you authenticate using third-party services (e.g., GitHub, Google), we receive profile information authorized by those services.
- Business Partners: Information from resellers, integration partners, and referral sources.
- Public Sources: Publicly available information from business registries, professional networks, and public websites.
- Fraud Prevention Services: Risk scores and fraud indicators from third-party verification services.
4. Purposes and Legal Bases for Processing
We process Personal Data for the following purposes, relying on the legal bases indicated:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and maintaining the Services | Performance of contract |
| Processing payments and billing | Performance of contract |
| Customer support and communications | Performance of contract; Legitimate interests |
| Security and fraud prevention | Legitimate interests; Legal obligation |
| Service improvements and analytics | Legitimate interests |
| Marketing communications (with consent) | Consent |
| Legal compliance and enforcement | Legal obligation; Legitimate interests |
| Aggregated analytics and reporting | Legitimate interests |
5. Data Sharing and Disclosure
We do not sell your Personal Data. We may share your information in the following circumstances:
5.1 Service Providers and Subprocessors
We engage third-party service providers ("Subprocessors") to perform services on our behalf, including cloud hosting, payment processing, analytics, customer support, and email delivery. All Subprocessors are bound by data processing agreements that require them to protect your data and process it only as instructed by us. A current list of Subprocessors is available upon request.
5.2 Third-Party API Providers
When you use our Services to access third-party APIs, we transmit necessary request data to those providers. Your use of third-party APIs is subject to those providers' privacy policies and terms of service. We are not responsible for the privacy practices of third-party API providers.
5.3 Legal Requirements and Protection of Rights
We may disclose your information if required to do so by law or in response to:
- Valid legal process (subpoenas, court orders, search warrants)
- Government or regulatory agency requests
- Enforcement of our Terms of Service or other agreements
- Protection of our rights, property, or safety, or those of our users or the public
- Investigation of potential violations of law or our policies
Where legally permitted, we will notify you of such requests unless prohibited by law or court order, or if notification would jeopardize an investigation.
5.4 Business Transfers
In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to a successor entity. We will notify you of any such change in ownership or control and any choices you may have regarding your information.
5.5 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
5.6 Aggregated and De-Identified Data
We may share aggregated or de-identified data that cannot reasonably be used to identify you for research, analytics, benchmarking, and other purposes.
6. International Data Transfers
2api is headquartered in the United States. Your Personal Data may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.
For transfers of Personal Data from the EEA, UK, or Switzerland to countries not deemed adequate by the European Commission, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs): We use the European Commission-approved SCCs for data transfers to third countries.
- UK International Data Transfer Agreement: For UK data subjects, we use the UK Addendum to the SCCs or UK International Data Transfer Agreement as appropriate.
- Supplementary Measures: We implement technical and organizational measures to supplement transfer mechanisms, including encryption, access controls, and security assessments.
You may request a copy of the applicable transfer mechanism by contacting us at privacy@2api.ai.
7. Data Retention
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary based on the type of data and purpose:
- Account Data: Retained for the duration of your account and for 30 days following account deletion, after which it is permanently deleted or anonymized.
- API Usage Logs: Retained for 90 days for operational purposes. Aggregated, anonymized usage data may be retained indefinitely.
- Billing Records: Retained for 7 years to comply with tax and accounting obligations.
- Support Communications: Retained for 3 years from the date of resolution.
- Marketing Data: Retained until you withdraw consent or unsubscribe, plus 30 days for processing.
- Security Logs: Retained for 1 year for security and fraud prevention purposes.
When Personal Data is no longer required, we securely delete or anonymize it using industry-standard methods.
8. Data Security
We implement comprehensive technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. Our security measures include:
- Encryption: All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256.
- Access Controls: Role-based access controls, multi-factor authentication, and least-privilege principles.
- Infrastructure Security: SOC 2 Type II certified data centers, network segmentation, intrusion detection, and 24/7 monitoring.
- Security Assessments: Regular penetration testing, vulnerability assessments, and third-party security audits.
- Employee Training: Security awareness training for all employees with access to Personal Data.
- Incident Response: Documented incident response procedures with defined escalation paths.
Despite our efforts, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of your data.
9. Your Privacy Rights
9.1 Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
- Right of Access: Obtain confirmation of whether we process your Personal Data and receive a copy of such data.
- Right to Rectification: Request correction of inaccurate or incomplete Personal Data.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your Personal Data in certain circumstances.
- Right to Restriction: Request restriction of processing in certain circumstances.
- Right to Data Portability: Receive your Personal Data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests, including profiling and direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
- Right to Lodge a Complaint: File a complaint with your local data protection authority.
9.2 Rights Under CCPA/CPRA (California)
If you are a California resident, you have the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of Personal Data we collect, use, disclose, and sell.
- Right to Delete: Request deletion of your Personal Data, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate Personal Data.
- Right to Opt-Out of Sale/Sharing: We do not sell or share Personal Data for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: Limit use of sensitive Personal Data to specified purposes.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
CCPA Categories Disclosure: In the preceding 12 months, we have collected the following categories of Personal Data: Identifiers; Commercial information; Internet or network activity; Geolocation data; Professional or employment information; Inferences drawn from the above.
9.3 Exercising Your Rights
To exercise any of these rights, please submit a request to privacy@2api.ai or through your account settings. We will verify your identity before processing your request. You may also designate an authorized agent to make requests on your behalf.
We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA), with possible extensions as permitted by law. We will provide information free of charge, except for manifestly unfounded or excessive requests.
10. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve our Services. Our use of these technologies is as follows:
- Essential Cookies: Required for the operation of our Services, including authentication, security, and load balancing. These cannot be disabled.
- Analytics Cookies: Help us understand how visitors interact with our Services. We use privacy-focused analytics that do not track individual users across sites.
- Preference Cookies: Remember your settings and preferences, such as language and region.
We do not use third-party advertising or tracking cookies.
You can control cookies through your browser settings. Note that disabling essential cookies may impair functionality of the Services.
11. Children's Privacy
Our Services are not directed to individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect Personal Data from children. If we learn that we have collected Personal Data from a child, we will take steps to delete such information promptly. If you believe we have collected information from a child, please contact us at privacy@2api.ai.
12. Data Processing Agreement
For customers who require a Data Processing Agreement ("DPA") to comply with GDPR or other data protection laws, we offer a DPA that governs our processing of Customer Data on your behalf. Our DPA includes Standard Contractual Clauses and addresses the requirements of GDPR Article 28. To execute a DPA, please contact legal@2api.ai.
13. Third-Party Links and Services
Our Services may contain links to third-party websites, services, or applications. This Policy does not apply to third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our Services.
14. Data Breach Notification
In the event of a data breach affecting your Personal Data, we will notify affected users and relevant supervisory authorities as required by applicable law. For GDPR-covered data, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to your rights and freedoms. We will also notify you directly if the breach is likely to result in a high risk to your rights and freedoms.
15. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will post the updated Policy on this page and update the "Last Updated" date. For material changes, we will provide prominent notice (such as by email or banner on our website) at least 30 days before the changes take effect. Your continued use of the Services after the effective date of the updated Policy constitutes your acceptance of the changes.
16. Contact Information
If you have questions, concerns, or requests regarding this Policy or our privacy practices, please contact us:
2api, Inc.
Attn: Privacy Team
Email: privacy@2api.ai
Website: https://2api.ai
If you are a resident of the EEA, the UK, or Switzerland, you may also contact our designated representative or lodge a complaint with your local data protection authority.
17. Supplemental Disclosures
17.1 Do Not Track
Our Services do not respond to "Do Not Track" signals. However, we do not engage in cross-site tracking or targeted advertising.
17.2 Automated Decision-Making
We may use automated systems for fraud detection and risk assessment. These systems do not make decisions that produce legal effects or similarly significant effects on you without human review. You have the right to request human intervention, express your point of view, and contest decisions based solely on automated processing.
17.3 California "Shine the Light"
California Civil Code Section 1798.83 permits California residents to request information about disclosure of Personal Data to third parties for direct marketing purposes. We do not disclose Personal Data to third parties for their direct marketing purposes.