Privacy Policy

Effective & Last Updated: July 1, 2026

This Privacy Policy describes how API Coleen ("we," "us," or "our") collects, uses, and protects your personal information when you use our website and services at apicoleen.com (the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.

We are registered under the MSME/Udyam Registration scheme in India and operate in compliance with the Information Technology Act, 2000 and applicable rules thereunder.


1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored as a one-way bcrypt hash — we cannot recover your original password)
  • Subscription plan and billing history

1.2 API Keys You Provide

To use the proxy and cost-tracking features of the Service, you provide API keys from third-party LLM providers (such as OpenAI, Anthropic, Google, Groq, and OpenRouter).

Important: Your API keys are encrypted at rest using AES-256-GCM encryption before being stored in our database. The encryption key is stored separately from the encrypted data. We do not store your API keys in plaintext at any point. We do not use your API keys for any purpose other than forwarding your requests to the respective LLM provider on your behalf.

1.3 Usage Data

When you make API requests through our proxy service, we log:

  • Provider name and model used
  • Number of input and output tokens
  • Estimated cost in USD and INR
  • Request timestamp
  • Success or failure status

We do not log the content of your prompts or the content of AI responses. We only log metadata for cost-tracking purposes.

1.4 Technical Data

We automatically collect certain technical information when you use the Service:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent
  • Referral source

1.5 Payment Information

We use Razorpay as our payment processor. We do not store your card number, CVV, or full payment details on our servers. Razorpay processes and stores payment information in accordance with PCI-DSS standards. We receive only a transaction confirmation and payment reference ID from Razorpay.

1.6 Team and Collaboration Data

If you use team features, we collect the email addresses of team members you invite, and we log which API keys each team member is assigned to access.

1.7 Support Communications

If you contact us for support, we retain the content of those communications to resolve your issue and improve our service.


2. How We Use Your Information

We use your information for the following purposes:

Purpose | Lawful Basis
Providing the cost-tracking and proxy service | Performance of contract
Processing payments and managing subscriptions | Performance of contract
Sending budget alert notifications (email, Telegram, Discord, Slack, browser push) | Performance of contract / Legitimate interest
Sending monthly cost reports | Performance of contract
Sending team invitation emails | Performance of contract
Improving and debugging the Service | Legitimate interest
Complying with legal obligations | Legal obligation
Preventing fraud and abuse | Legitimate interest

We will never sell your personal data to third parties. We will never use your data for advertising purposes.


3. Data Sharing and Third-Party Services

We share your data with the following third-party service providers only to the extent necessary to operate the Service:

Provider | Purpose | Data Shared
MongoDB Atlas | Database hosting | All stored data
Resend | Transactional email delivery | Your email address, email content
Razorpay | Payment processing | Name, email, payment amount
OpenAI / Anthropic / Groq, etc. | Forwarding your API requests | Your API requests as-is, using your own API key
Telegram / Discord / Slack | Alert delivery | Alert message content, your configured channel/webhook

When we forward your requests to LLM providers, we are acting on your behalf using your own API key. The LLM providers' own privacy policies govern how they handle the content of your requests.

We do not share your data with any other third parties except where required by law.


4. Data Retention

Data Type | Retention Period
Account information | Until you delete your account
API keys (encrypted) | Until you revoke them or delete your account
Cost and usage records | Duration of your subscription, plus 90 days after account deletion
Payment records | 7 years (as required by Indian tax law)
Support communications | 2 years
Server logs (IP, technical) | 90 days

When you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g., payment records for tax compliance).


5. Your Rights

5.1 For All Users

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data
  • Delete your account and associated personal data (subject to legal retention requirements)
  • Export your cost and usage data in CSV format (available from your dashboard)
  • Withdraw consent for optional communications at any time

To exercise these rights, contact us at: privacy@apicoleen.com

5.2 For Users in the European Economic Area (EEA) and United Kingdom

If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to restrict processing
  • Right to data portability
  • Right to object to processing based on legitimate interests
  • Right to lodge a complaint with your local supervisory authority

Our lawful basis for processing your data is performance of contract (Article 6(1)(b) GDPR) for core service delivery, and legitimate interests (Article 6(1)(f) GDPR) for service improvement and security.

5.3 For Users in India

Your personal data is protected under the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. You have the right to review and correct your sensitive personal data we hold.


6. Data Security

We implement the following security measures:

  • API Key Encryption: AES-256-GCM encryption at rest
  • Passwords: bcrypt hashing with appropriate cost factor
  • Transport Security: All data transmitted over HTTPS/TLS
  • Access Control: Role-based access; team members can only access data from API keys explicitly assigned to them by the account owner
  • Admin Access: Separate authentication system from customer accounts, with shorter session expiry
  • Payment Data: Not stored on our servers; handled by PCI-DSS compliant Razorpay

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.


7. Cookies

We use the following cookies:

Cookie Type | Purpose | Can You Opt Out?
Strictly Necessary | Authentication (JWT token in localStorage), session management | No — the service cannot function without these
Analytics | Understanding how users navigate the Service | Yes

We do not use advertising or tracking cookies.


8. Children's Privacy

The Service is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@apicoleen.com and we will delete it promptly.


9. International Data Transfers

Our servers are hosted in data centres that may be located outside your country of residence. By using the Service, you consent to the transfer of your information to these locations. We ensure that any such transfers comply with applicable data protection laws and that appropriate safeguards are in place.


10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

  • Posting the new policy on this page with an updated "Last Updated" date
  • Sending you an email notification (for material changes affecting how we use your data)

Your continued use of the Service after any changes constitutes your acceptance of the updated policy.


11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 30 days.