Privacy Policy
The complete account of what personal information we collect, why we collect it, how long we keep it, who we share it with, and the rights you can exercise over it. Written to be read end-to-end, not skimmed for a checkbox.
What this policy is, and what it isn't
Apik Systems Inc. ("Apik," "we," "us") is a frontier-research company. The information we hold about visitors and users is minimal by design and load-bearing for the specific operations that need it. This document is the canonical record of that practice — what categories of data we hold, the legal basis under which we hold each one, the retention window for each, and the rights the data subject can exercise. It applies to the website at apiksystems.com, every Apik product that links here, and every interaction in which an Apik representative receives your personal information.
We do not sell personal information. We do not share personal information with advertising networks. We do not run third-party advertising trackers on the site. We do not train shared models on customer data without explicit, revocable opt-in. These commitments are operational, not aspirational; they are reflected in the sub-processor list below and in the technical defaults of the products themselves. The discipline matches the data-discipline statement on the products page and is in dialogue with the data-handling norms that have stabilized across the frontier-research cohort.
This policy is read together with our Terms of Service and Acceptable Use Policy. Where a specific Apik product issues its own data-processing addendum or data-protection terms (for example, an enterprise customer's DPA), those product-specific terms govern processing of customer data within that product; this policy governs everything else.
Categories of information
The categories below are exhaustive — every piece of personal information we hold fits in one of them. If you can identify a category not represented here that you think we hold, that is itself a finding we want to know about; write to privacy@apiksystems.com.
- Identity and contact information. Name, email address, organization or affiliation, and any free-form text you send us when you write to one of our published inboxes, apply to a role, request access to a product, propose a research collaboration, or correspond with us in connection with a partnership or press inquiry. Collected directly from you at the moment you initiate the contact.
- Account information (product users). For users of Apik products, the credentials and configuration associated with your account: email, hashed password (or federated-identity tokens where you use a third-party login), workspace metadata, role, billing identifiers, and the preferences you set inside the product.
- Product input and output (product users). The prompts, files, and other content you submit to an Apik product, plus the outputs the product returns. Treated as customer property, not corpus. Default retention is short — fourteen days for product-tier users, zero days for enterprise-tier users on a no-retention contract — and longer retention requires explicit, account-level opt-in.
- Usage and operational telemetry. Aggregated, de-identified counters about how the website and products are used — page paths, referrers, device class, error rates, latency, refusal rates. Used for operational debugging and capacity planning, not for individual-level profiling. Where the underlying data could be re-identified by combination, we aggregate or coarsen before storage.
- Server logs. Standard request-level logs at the platform layer (IP address, timestamp, user agent, response code) needed to operate the service, detect abuse, and investigate security incidents. Retained on a 30-day rolling window unless tied to an active investigation.
- Recruiting information (applicants). Any materials you send when you apply to a role: cover letter, prior work, references, and any subsequent correspondence. Held in our recruiting workflow and retained per the timelines below.
- Inferred information. The discipline is to keep this category small. We do not run inference pipelines on visitor or user behavior to construct interest profiles, predict purchase propensity, or other behavioral targeting. The only inferences we hold are operational ones: a user's likely time zone from request timestamps, a user's tier from their account state, and similar functional metadata.
Purposes and legal bases
Each category above is collected for one or more of the purposes below. Where we process personal information of individuals in the European Economic Area, the United Kingdom, or other jurisdictions whose data-protection law requires a named legal basis, the basis is identified next to the purpose.
- To deliver the Services you have requested. This includes operating the website, fulfilling product requests, processing applications, and responding to inquiries. Legal basis: performance of a contract (GDPR Art. 6(1)(b)) and, where no contract yet exists, legitimate interests (Art. 6(1)(f)) in responding to people who have written to us.
- To meet legal and regulatory obligations. Tax, employment, export control, security-incident disclosure, and any other obligation we are subject to. Legal basis: legal obligation (Art. 6(1)(c)).
- To protect the security of the Services. Detect abuse, investigate suspected breaches, defend against attacks, and uphold the safeguards documented in our Responsible Development Policy. Legal basis: legitimate interests in operating a secure platform (Art. 6(1)(f)).
- To improve the website and our products. Analyze aggregate usage to identify friction, fix bugs, and tune capacity. Legal basis: legitimate interests in improving the service (Art. 6(1)(f)). The data used here is the aggregated and de-identified kind described in category 4 above; no individual-level profiling is performed under this basis.
- With your explicit consent. The only category of processing that requires explicit consent is opt-in to use customer-submitted product data for research or model improvement. Consent here is granular, revocable at any time without consequence, and does not affect the lawfulness of any processing that took place before withdrawal. Legal basis: consent (Art. 6(1)(a)).
We do not engage in solely-automated decision-making with legal or similarly significant effects on individuals (Art. 22). Where automated systems flag suspected abuse for human review, a human makes the action decision.
How long each category is kept
We keep personal information only as long as necessary for the purposes for which it was collected. The table below states the default retention windows by category. Where a longer retention is required by law (for example, tax records under applicable jurisdictional rules), the legal requirement governs; where a shorter retention is contractually agreed (for example, a no-retention enterprise contract), the contract governs.
| Category | Default retention |
|---|---|
| Identity & contact (correspondence) | Duration of the relationship plus 24 months, unless deletion is requested or retention is legally required |
| Product account information | Duration of the account plus 90 days |
| Product input/output content | 14 days (product tier); 0 days (enterprise no-retention contracts); longer with explicit per-user opt-in |
| Usage & operational telemetry | Aggregated indefinitely; raw events 30 days |
| Server logs | 30 days, longer if attached to an active security investigation |
| Recruiting information | 24 months from last contact, unless you ask us to retain longer for future-role consideration |
Who we share information with
We do not sell personal information. We share it only with the categories of recipients below, and only to the extent necessary for the purpose stated.
- Service providers (sub-processors). Vendors strictly necessary to operate the website and the products: hosting and edge platforms, transactional email, payment processing, identity providers, error and performance monitoring. Each is bound by a written agreement that imposes confidentiality, security, and processing-purpose constraints substantially equivalent to those in this policy. The current list is maintained at privacy@apiksystems.com and updated when sub-processors change; we notify enterprise customers in advance of material additions where their contract requires.
- Legal and regulatory recipients. When required by law, valid legal process, or to defend the legal rights of Apik or its users. We narrow disclosures to the specific information required, push back on overbroad requests where there is a basis to do so, and notify affected users where we are not legally prevented from doing so.
- In a corporate transaction. If Apik is involved in a merger, acquisition, financing, or asset transfer, the information we hold may be transferred as part of that transaction, subject to confidentiality obligations and applicable law. We will notify users of any such transfer that materially affects how their information is processed.
We do not share personal information with advertising networks, data brokers, or third parties that derive their business from re-identification or behavioral profiling.
Where data lives, and how it crosses borders
Apik operates as a distributed company. Personal information may be processed in the United States, the European Economic Area, the United Kingdom, India, and other regions where our team and our sub-processors operate. Where information about individuals in the EEA, UK, or other jurisdictions with data-export restrictions is transferred to a country that has not received an adequacy decision, the transfer is conducted under Standard Contractual Clauses (or the UK's International Data Transfer Agreement, where applicable), supplemented by the operational and contractual measures described in our sub-processor agreements.
Customers under an enterprise contract may, where the contract specifies, restrict the regions in which their data is processed. Region-pinning of product input and output data is available on request for enterprise tiers.
How information is protected
We protect personal information using a combination of technical and organizational measures: encryption in transit (TLS 1.2 or above), encryption at rest for stored personal information and account credentials, role-based access control with least-privilege defaults, separate environments for production and non-production data, audit logging, secret management with hardware-backed key storage where available, and a documented incident-response procedure.
No system is invulnerable. We do not claim our practices are bulletproof; we claim that they reflect a serious engineering posture and that the gap between our claims and our reality is one we audit and disclose. Material security incidents are disclosed under the timeline and taxonomy described on the transparency framework page; vulnerability disclosures from external researchers are received at security@apiksystems.com under the responsible-disclosure program described in /.well-known/security.txt.
What you can ask of us, by jurisdiction
The rights you can exercise depend on the data-protection regime that applies to you. In every jurisdiction, you can write to privacy@apiksystems.com to make a request; we respond on the timelines below and at no charge.
- EEA / UK (GDPR / UK GDPR). Right of access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interests, and the right to withdraw consent without affecting the lawfulness of processing conducted before withdrawal. You may also lodge a complaint with your national supervisory authority. We respond within 30 days, with a 60-day extension possible for complex requests as permitted by Art. 12(3).
- California (CCPA / CPRA). Right to know, right to delete, right to correct, right to opt out of sale or sharing (we do not sell or share personal information for cross-context behavioral advertising), right to limit use of sensitive personal information, and the right to non-discrimination for exercising any of the above. We respond within 45 days; we will request enough information to verify the request before fulfilling it.
- India (DPDP Act 2023). Right to access information about personal data being processed, right to correction and erasure, right to grievance redressal through the channels described here, and the right to nominate a person to exercise rights in case of death or incapacity. We respond within 30 days.
- Other jurisdictions. Where your local data-protection law gives you rights not enumerated above, those rights apply and we will honor them on the local law's timeline.
We do not retaliate against any person for exercising a right, and we do not charge a fee for routine requests. Where a request is manifestly unfounded or excessive — for example, repeated requests in a short window — we may charge a reasonable fee or decline to act, with reasons.
What runs in your browser, and what doesn't
The website uses a small number of strictly necessary cookies for session management and security, plus first-party analytics that count visits to pages without identifying individual visitors. We do not run third-party advertising cookies or behavioral-tracking pixels.
Where applicable law requires consent for non-essential cookies, the cookie banner is presented before the non-essential category fires. We honor the Global Privacy Control (GPC) signal where it applies, treating it as a valid opt-out under the CCPA. We do not respond to legacy "Do Not Track" headers, which the major browsers have effectively deprecated, but the same effect can be obtained by sending the GPC signal.
Apik does not target children
The Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, contact privacy@apiksystems.com and we will take steps to delete that information.
How updates to this policy work
We update this policy when our practices change or when applicable law changes what we are required to disclose. Material changes are announced on this page with a new effective date and a brief description of what changed; minor edits (clarifications, formatting, reference updates) are made in place. The version history is maintained at the bottom of the page; the canonical effective version is always the current one.
Where to write
For privacy questions, data-subject requests, or to lodge a complaint with us before involving a supervisory authority, write to privacy@apiksystems.com. For security disclosures, write to security@apiksystems.com per our security.txt. The full contact map for other channels is on the contact page.
EEA / UK individuals may also lodge a complaint with their local supervisory authority. India residents may pursue grievance redressal under the DPDP Act through the Data Protection Board once it is operational; until then, our internal grievance officer can be reached at the privacy address above.
Material changes
- v1.1 · 2026-04-27 · Expanded data-categories enumeration, added retention table, added jurisdiction-specific rights section, added cookies / GPC handling, named international-transfer mechanisms.
- v1.0 · 2026-04-25 · Initial publication.