Privacy Policy
Effective May 1, 2026
What personal data we collect, why, and your rights under GDPR.
1. Controller
OneAPI Finance Ltd (Ireland) is the data controller for personal data processed in connection with the website at oneapi.finance and the API available at api.oneapi.finance. Contact: privacy@oneapi.finance.
2. What we collect
When you create an account: email address, hashed password, name (optional), company name (optional), VAT identification number (optional), and billing address (required for paid plans).
When you use the API: API key identifier, request timestamps, endpoint paths, response status codes, and request volume — for billing, security, and abuse prevention. We do not log query parameters by default; opt-in debugging mode logs full requests for 7 days for support purposes.
When you visit the website: IP address (truncated to /24 for IPv4 and /48 for IPv6 within 24 hours), referrer, user agent, and the page you visited. No cross-site tracking. No third-party advertising cookies.
3. Legal basis (GDPR Art. 6)
- Contract (Art. 6(1)(b)) — to provide the service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — for security logging, abuse prevention, and anonymous aggregate analytics.
- Legal obligation (Art. 6(1)(c)) — to retain billing and tax records as required by Irish and EU law.
- Consent (Art. 6(1)(a)) — only for our occasional product newsletter (you can opt out from any email).
4. How long we keep it
- Account data: while your account is active, then retained for 30 days after deletion so you can still request an export.
- API request logs: 90 days; after that they are aggregated into billing history and the raw logs are discarded.
- Billing records: 7 years (statutory requirement under Irish tax law).
- Web analytics: aggregated weekly, no raw IP retained beyond 24 hours.
5. Subprocessors
We rely on a small set of EU-first vendors. The current list is published at /legal/subprocessors and updated when we add or remove a vendor. Major subprocessors today:
- Cloudflare — CDN and DDoS protection.
- Hetzner — primary EU compute.
- AWS — secondary US-East compute (only for customers who opt in to multi-region).
- Stripe — payment processing.
- Resend — transactional email.
- Plausible — privacy-friendly web analytics (no cookies).
6. International transfers
EU customer data stays in EU-West (Ireland) by default. Multi-region failover to US-East requires explicit opt-in and is governed by Standard Contractual Clauses (SCCs) where applicable. We do not transfer personal data to jurisdictions without an EU adequacy decision outside this framework.
7. Your rights (GDPR)
You have the right to:
- Access your personal data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure ("right to be forgotten", Art. 17)
- Restriction of processing (Art. 18)
- Data portability — we provide a JSON export (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Lodge a complaint with the Irish Data Protection Commission (Art. 77)
Email privacy@oneapi.finance to exercise any of these. We respond without undue delay and within one month (Art. 12(3)).
8. Cookies
We use a single first-party cookie (or localStorage entry) to remember your theme preference (dark/light). We use no advertising or tracking cookies. Web analytics is cookieless (Plausible).
9. Security
Passwords are hashed with Argon2id. API keys are stored only as hashes and shown in plaintext once, at creation. All traffic in transit is encrypted with TLS 1.3. We run annual third-party security reviews and make the executive summary available to enterprise customers on request.
10. Children
The service is not directed at children under 16 and we do not knowingly collect their personal data.
11. Updates
Material changes to this policy are emailed to all account holders with at least 30 days' notice. The "effective" date at the top of this page reflects the most recent revision.
This document is provided in good faith but is not legal advice. For the executed legally binding text, contact us at legal@oneapi.finance.