CardAPI

Privacy Policy

Last updated: March 2026

This Privacy Policy describes how CardAPI (“we,” “us,” or “our”) collects, uses, and protects information when you use the CardAPI service, including our website at cardapi.dev and our REST API.

Information We Collect

When you create an account using an OAuth provider (Google or GitHub), we receive and store the following information:

  • Email address — used to identify your account and send transactional communications.
  • Name — as provided by your OAuth provider, used to personalize your account.
  • API usage logs — we log which API endpoints are called and the timestamps of those calls for rate limiting, billing, and abuse prevention.

API Keys

API keys issued to you are stored in our database as SHA-256 hashes. We never store your API key in plaintext. This means we cannot retrieve your key after it is issued — if you lose it, you must generate a new one.

How We Use Your Information

  • To authenticate you and manage your account
  • To enforce rate limits and tier-based access controls
  • To calculate billing for paid plans
  • To detect and prevent abuse of the API
  • To send essential account communications (e.g., billing receipts)

Data We Do Not Collect or Sell

We do not sell, rent, or trade your personal data to any third party. We do not use your data for advertising purposes. We do not collect payment card numbers — all payment processing is handled directly by Stripe.

Cookies

We use a single authentication session cookie set by Supabase to keep you logged in to the developer portal. We do not use tracking cookies or third-party advertising cookies.

Data Retention

API usage logs (endpoint calls and timestamps) are automatically purged after 90 days. Account data (email, name) is retained for as long as your account is active. You may request deletion of your account and associated data at any time by contacting us.

Third-Party Services

We rely on the following third-party services to operate CardAPI:

  • Supabase — authentication and database hosting. Your account data and hashed API keys are stored on Supabase infrastructure.
  • Stripe — payment processing for Pro and Enterprise plans. Stripe handles all payment card data; we never see your card number.
  • Google / GitHub — OAuth providers used for sign-in. We receive only the profile information you authorize (name and email).

Each of these providers has its own privacy policy governing how they handle your data.

Security

We use industry-standard practices to protect your data, including encrypted connections (TLS), hashed credential storage, and access controls on our database. No system is perfectly secure; if you discover a vulnerability, please report it to contact@cardapi.dev.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. Continued use of CardAPI after changes are posted constitutes your acceptance of the updated policy.

Contact

Questions about this Privacy Policy? Reach us at contact@cardapi.dev.

← Back to CardAPI