Legal

Privacy Policy

The short version: we practise strict data minimisation. Free tier users can use the service completely anonymously. We collect nothing beyond Cloudflare infrastructure logs. No analytics. No tracking. No cookies.

OriginsAPI is operated by Sociable Studio, located at 11 Bogert Ave, Toronto, Ontario M2N 0H4, Canada. By using OriginsAPI you agree to the practices described in this policy.

1. How you use OriginsAPI determines what we collect

A. Free tier users and website visitors (anonymous)

Access to our free API requires no registration. We do not collect your name, email, or usage habits. You can use the service completely anonymously.

B. Paid plan users (authenticated)

If you sign up for a paid plan we collect details necessary to run your account and process payments:

  • Account credentials — email address, securely hashed password, organisation name, and generated API keys. Legal basis: performance of a contract.
  • Billing details — billing name, billing address, tax/VAT ID if applicable, and a Stripe Customer ID. Legal basis: performance of a contract and legal obligation.

We never see, process, or store your credit card number or CVV. All financial transactions are handled directly by Stripe.

C. Infrastructure logs (automated, all traffic)

All traffic to originsapi.com passes through Cloudflare's network. Cloudflare automatically logs: IP address, requested URL, HTTP status code, referrer URL, user agent, and timestamp. This is standard infrastructure logging. Cloudflare Analytics is disabled. We do not use these logs for profiling or marketing. Legal basis: legitimate interests.

D. Contact form submissions (voluntary)

When you submit our contact form we collect your name, email address, subject, and message. Legal basis: consent.

2. Cookies and tracking

  • Free users and visitors — zero cookies placed on your device. You can browse completely untracked.
  • Paid plan users — strictly essential session cookies only, used solely to keep you securely logged into your account dashboard. These do not track behaviour across other websites.
  • No marketing third parties — we do not use advertising networks, tracking pixels (Meta, Google Analytics, or similar), or device fingerprinting of any kind.

3. Third-party service providers

We do not sell, rent, or trade your data. We use exactly two trusted partners to run our infrastructure:

Provider Purpose Data processed
Cloudflare, Inc. DNS, CDN, edge computing, DDoS protection, database storage Infrastructure logs, contact form data, account data (paid tier)
Stripe, Inc. Payment processing, subscription management, invoicing Billing details and payment information (paid tier only)

Cloudflare's privacy policy: cloudflare.com/privacypolicy. Stripe's privacy policy: stripe.com/privacy.

4. Data storage, retention, and transfers

Storage. Account data is managed via Cloudflare's global edge network. Financial and billing records are processed and stored with Stripe.

Retention:

  • Operational data — if you cancel your paid plan or request deletion, login credentials, team access settings, and API keys are permanently deleted within 30 days.
  • Invoices and financial records — retained for up to 10 years to comply with global tax frameworks, statutory accounting laws, and anti-fraud regulations. The right to erasure does not apply to these records.
  • Infrastructure logs — held and automatically deleted by Cloudflare under their own retention policies. We do not copy or export these logs.
  • Contact form data — retained only as long as needed to resolve your enquiry.

International transfers. Data may be processed outside your home country via Cloudflare and Stripe. Both use Standard Contractual Clauses (SCCs) to ensure high-level data protection. Canada's privacy framework (PIPEDA) is recognised by the EU as providing adequate protection.

5. Widget embedders and your visitors

When a visitor views a page that embeds the OriginsAPI widget, their browser fetches content directly from our servers, generating the infrastructure logs described in section 1C.

  • We never use widget traffic to track visitors, serve advertising, or build cross-site profiles.
  • You are responsible for informing your users in your own privacy policy that their browser makes a direct request to originsapi.com to load widget content.

6. Your privacy rights (GDPR, CCPA, PIPEDA)

Under global privacy rules including the EU/UK GDPR, California's CCPA/CPRA, and Canada's PIPEDA, you have rights to access, correct, or delete your personal data.

Free and anonymous users. Because we do not collect accounts or tracking cookies on our free tier, we have no way to link an IP address to a specific individual. We hold no personal data to access or delete.

Paid account users and contact form submissions. Email hello@originsapi.com to exercise your rights. We will verify your identity via your registered account email and fulfil your request within 30 days.

California notice. We do not "sell" or "share" your personal data under California law.

7. Contact

For privacy questions or data rights requests, email hello@originsapi.com or use our contact page.

Sociable Studio — Attn: Privacy
11 Bogert Ave
Toronto, Ontario M2N 0H4
Canada