This Privacy Policy describes how API Coleen ("we," "us," or "our") collects, uses, and protects your personal information when you use our website and services at apicoleen.com (the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.
We are registered under the MSME/Udyam Registration scheme in India and operate in compliance with the Information Technology Act, 2000 and applicable rules thereunder.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Password (stored as a one-way bcrypt hash — we cannot recover your original password)
- Subscription plan and billing history
1.2 API Keys You Provide
To use the proxy and cost-tracking features of the Service, you provide API keys from third-party LLM providers (such as OpenAI, Anthropic, Google, Groq, and OpenRouter).
Important: Your API keys are encrypted at rest using AES-256-GCM encryption before being stored in our database. The encryption key is stored separately from the encrypted data. We do not store your API keys in plaintext at any point. We do not use your API keys for any purpose other than forwarding your requests to the respective LLM provider on your behalf.
1.3 Usage Data
When you make API requests through our proxy service, we log:
- Provider name and model used
- Number of input and output tokens
- Estimated cost in USD and INR
- Request timestamp
- Success or failure status
We do not log the content of your prompts or the content of AI responses. We only log metadata for cost-tracking purposes.
1.4 Technical Data
We automatically collect certain technical information when you use the Service:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and time spent
- Referral source
1.5 Payment Information
We use Razorpay as our payment processor. We do not store your card number, CVV, or full payment details on our servers. Razorpay processes and stores payment information in accordance with PCI-DSS standards. We receive only a transaction confirmation and payment reference ID from Razorpay.
1.6 Team and Collaboration Data
If you use team features, we collect the email addresses of team members you invite, and we log which API keys each team member is assigned to access.
1.7 Support Communications
If you contact us for support, we retain the content of those communications to resolve your issue and improve our service.
2. How We Use Your Information
We use your information for the following purposes:
| Purpose | Lawful Basis |
|---|---|
| Providing the cost-tracking and proxy service | Performance of contract |
| Processing payments and managing subscriptions | Performance of contract |
| Sending budget alert notifications (email, Telegram, Discord, Slack, browser push) | Performance of contract / Legitimate interest |
| Sending monthly cost reports | Performance of contract |
| Sending team invitation emails | Performance of contract |
| Improving and debugging the Service | Legitimate interest |
| Complying with legal obligations | Legal obligation |
| Preventing fraud and abuse | Legitimate interest |
We will never sell your personal data to third parties. We will never use your data for advertising purposes.
3. Data Sharing and Third-Party Services
We share your data with the following third-party service providers only to the extent necessary to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| MongoDB Atlas | Database hosting | All stored data |
| Resend | Transactional email delivery | Your email address, email content |
| Razorpay | Payment processing | Name, email, payment amount |
| OpenAI / Anthropic / Groq, etc. | Forwarding your API requests | Your API requests as-is, using your own API key |
| Telegram / Discord / Slack | Alert delivery | Alert message content, your configured channel/webhook |
When we forward your requests to LLM providers, we are acting on your behalf using your own API key. The LLM providers' own privacy policies govern how they handle the content of your requests.
We do not share your data with any other third parties except where required by law.
4. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until you delete your account |
| API keys (encrypted) | Until you revoke them or delete your account |
| Cost and usage records | Duration of your subscription, plus 90 days after account deletion |
| Payment records | 7 years (as required by Indian tax law) |
| Support communications | 2 years |
| Server logs (IP, technical) | 90 days |
When you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g., payment records for tax compliance).
5. Your Rights
5.1 For All Users
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate personal data
- Delete your account and associated personal data (subject to legal retention requirements)
- Export your cost and usage data in CSV format (available from your dashboard)
- Withdraw consent for optional communications at any time
To exercise these rights, contact us at: privacy@apicoleen.com
5.2 For Users in the European Economic Area (EEA) and United Kingdom
If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to restrict processing
- Right to data portability
- Right to object to processing based on legitimate interests
- Right to lodge a complaint with your local supervisory authority
Our lawful basis for processing your data is performance of contract (Article 6(1)(b) GDPR) for core service delivery, and legitimate interests (Article 6(1)(f) GDPR) for service improvement and security.
5.3 For Users in India
Your personal data is protected under the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. You have the right to review and correct the sensitive personal data we hold about you.
6. Data Security
We implement the following security measures:
- API Key Encryption: AES-256-GCM encryption at rest
- Passwords: bcrypt hashing with appropriate cost factor
- Transport Security: All data transmitted over HTTPS/TLS
- Access Control: Role-based access; team members can only access data from API keys explicitly assigned to them by the account owner
- Admin Access: Separate authentication system from customer accounts, with shorter session expiry
- Payment Data: Not stored on our servers; handled by PCI-DSS compliant Razorpay
Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
8. Children's Privacy
The Service is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@apicoleen.com and we will delete it promptly.
9. International Data Transfers
Our servers are hosted in data centres that may be located outside your country of residence. By using the Service, you consent to the transfer of your information to these locations. We ensure that any such transfers comply with applicable data protection laws and that appropriate safeguards are in place.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting the new policy on this page with an updated "Last Updated" date
- Sending you an email notification (for material changes affecting how we use your data)
Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@apicoleen.com
- Website: apicoleen.com
- Registration: MSME/Udyam Registration, India
We aim to respond to all privacy-related inquiries within 30 days.