Privacy Policy

Last updated: April 20, 2026

1. Introduction

NAPSPAN, owned and operated by Roman Kotenko ("we", "us", "our"), respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use the NAPSPAN API, website, developer portal, and related services (the "Service").

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Name
• Company name (optional)
• Password (stored as a bcrypt hash; we never store plaintext passwords)

2.2 API Usage Data

When you use the API, we automatically collect:

• API key identifier (hashed; we do not store your full API key)
• Request endpoints and timestamps
• Daily request counts per endpoint
• IP address (for rate limiting; not stored long-term)

2.3 Payment Information

Payment processing is handled entirely by Paddle.com, our merchant of record. We do not collect, store, or have access to your credit card number, bank account details, or other payment instruments. Paddle may share with us:

• Paddle customer ID and subscription ID
• Subscription status and plan information
• Transaction history (amounts and dates)

2.4 Website Analytics

We may use basic server-side analytics (access logs) to understand traffic patterns. We do not use third-party tracking cookies or advertising pixels.

3. How We Use Your Information

We use your information to:

• Provide and maintain the Service
• Authenticate your API requests
• Enforce rate limits and quotas per your subscription plan
• Process billing and manage subscriptions (via Paddle)
• Send transactional emails (account verification, password reset, billing notices)
• Monitor and improve Service reliability and performance
• Respond to support requests
• Detect and prevent abuse or unauthorized access

4. What We Do NOT Do

• We do not sell your personal information to third parties
• We do not share your data with advertisers
• We do not use tracking cookies or third-party analytics scripts
• We do not profile you for marketing purposes
• We do not store your full API keys (only SHA-256 hashes)

5. Data Sharing and Sub-processors

We share your information only with the following sub-processors, each of which has its own security and privacy controls:

• Paddle.com Market Limited (Ireland / United Kingdom) — payment processor and merchant of record; handles checkout, billing, invoicing, tax collection, and payment disputes. Receives: name, email, company, billing country, card data (stored by Paddle, never by us). Paddle's privacy policy: paddle.com/legal/privacy.
• Zoho Corporation (SMTP / Zoho Mail) — transactional email delivery (verification, password reset, trial reminders, billing notices). Receives: email address and message content. Zoho's privacy policy: zoho.com/privacy.html.
• Cloud infrastructure provider — hosts the application servers and PostgreSQL database. Data is processed under a standard data-processing agreement.
• Law enforcement — if required by a binding legal process (court order, subpoena). We publish no transparency report at this time.

We do not share your data with any other third parties. We do not use analytics, advertising, or retargeting vendors.

If you are located in the EEA or United Kingdom, you can reach us at [email protected] to request details of sub-processor transfers and the legal mechanism governing each one (typically Standard Contractual Clauses).

6. Data Retention

• Account data: Retained while your account is active. You can request deletion at any time.
• API usage logs: Aggregated daily usage statistics are retained for up to 12 months. Individual request logs are not stored.
• Application logs: Error and warning logs are automatically pruned after 7 days.
• Deleted accounts: Account data is permanently deleted within 30 days of a deletion request.

7. Data Security

We implement appropriate technical measures to protect your data:

• All API and website traffic is encrypted via HTTPS/TLS
• Passwords are hashed with bcrypt
• API keys are stored as SHA-256 hashes (the full key is shown only once at creation)
• Database access is restricted and authenticated
• Webhook payloads are signed with HMAC-SHA256

8. Your Rights

You have the right to:

• Access: Request a copy of the personal data we hold about you
• Correction: Update or correct inaccurate information via the developer portal
• Deletion: Request deletion of your account and associated data
• Export: Request an export of your usage data
• Objection: Object to processing of your data for specific purposes

To exercise these rights, contact us at [email protected].

9. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children.

10. International Data

The Service is operated from servers located in the European Union (Frankfurt, Germany). By using the Service, you consent to the transfer and processing of your data in this jurisdiction.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the website. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For privacy-related questions or requests, contact us at [email protected].