API-served technical companion. This is the technical companion document for API consumers. For the primary, canonical, human-readable Privacy Policy for the Holistic Quality ecosystem, see holisticquality.io/data-policy. The ALETHEIA product-level Privacy Notice is at aletheia.holisticquality.io/privacy. Where this page and those pages describe the same practice, the canonical pages govern.
Holistic Quality LLC ("we", "us") operates the ALETHEIA Safety Database API at api.aletheia.holisticquality.io.
Privacy contact: privacy@holisticquality.io · General inquiries: Enterprise Inquiry Form · Security/vulnerability reports: security@holisticquality.io
| Collection Point | Data | Purpose | Legal Basis |
|---|---|---|---|
| API key trial signup | Email address | Key delivery, trial management | Contract (Art. 6(1)(b)) |
| Stripe checkout | Email, payment info (via Stripe; we never receive card numbers) | Subscription billing | Contract (Art. 6(1)(b)) |
| Enterprise inquiry | Name, email, company, message | Sales inquiry response | Legitimate interest (Art. 6(1)(f)) |
| API request metadata | Timestamp, endpoint, HTTP status, one-way hashed API key, IP truncated to /24 subnet | Rate limiting, abuse prevention, security audit | Legitimate interest (Art. 6(1)(f)) |
| API request/response bodies and query parameters | Never logged or stored (processed transiently in memory only) | N/A | N/A — not collected |
Full canonical retention matrix with GDPR Art. 6 legal basis per category: HQ Data Policy §Data Retention. Summary:
| Data | Retention | Mechanism |
|---|---|---|
| Email + hashed API key (active) | Duration of active trial/subscription (max 24 months idle on paid keys) | Contract (Art. 6(1)(b)) |
| Email + hashed API key (post-cancellation) | 90 days baseline; up to 120 days if open Stripe chargeback/dispute applies | Auto-TTL + chargeback extension |
| Trial signup flag | 30 days | Auto-TTL |
| Enterprise inquiry data | 30 days | Auto-TTL |
| Request metadata (endpoint, timestamp, key hash, /24-truncated IP, status) | 90 days active logs; no identifiable archival tier | Auto-TTL |
| Rate limit counters | 24 hours | Auto-TTL |
| Security audit logs (hashed/minimized identifiers only) | 90 days | Auto-TTL (Art. 6(1)(f)) |
| Encrypted backups (Upstash snapshots) | Roll off within 35 days of source-record deletion | Upstash-managed |
| Verified erasure requests | Processed without undue delay (typically within 30 days) | Art. 17 |
| Aggregated or anonymized analytics | May be retained longer (no longer identifies a person) | Not personal data once anonymized |
| Stripe billing data | Per Stripe's retention policy | Managed by Stripe |
Canonical list (mirrors the HQ Data Policy v2.0 exactly):
| Service | Jurisdiction | Purpose | Data Transferred |
|---|---|---|---|
| Cloudflare | US (global edge) | DNS, CDN, edge security, DDoS protection, bot management | IPs, security cookies, TLS session metadata |
| Upstash | EU (eu-west-1, Ireland) | Serverless Redis — hashed API key storage, rate limiting | Hashed API keys, email, usage counters, metadata |
| Vercel | US | Serverless compute, hosting, infrastructure logs | Request logs (IP /24-truncated), function execution metadata |
| Resend | US | Transactional email delivery | Email address, email content (28-day retention) |
| Stripe | US | Payment processing (direct-issued only) | Email, payment info (we never receive card numbers) |
RapidAPI is an independent data controller (not a subprocessor) for users who access ALETHEIA through the RapidAPI marketplace.
Per-processor DPA status and international transfer documentation (2021 EU SCCs, DPF participation): /api/compliance.
You have the right to:
- GET /api/keys/status (with your API key)
- POST /api/keys/erasure with your email. A verification code will be sent to confirm.
- POST /api/keys/erasure with {"email": "your@email.com"}
- POST /api/keys/erasure with {"email": "your@email.com", "code": "123456"}

Note: Security audit logs (containing hashed identifiers only) are retained for 90 days under legitimate interest for fraud prevention (Art. 6(1)(f)).
The ALETHEIA API does not use cookies. The dashboard uses localStorage to remember your API key for convenience (opt-in, client-side only). No third-party trackers, pixels, or advertising SDKs are used.
We implement: HTTPS-only transport, AES-256-GCM encryption for webhook secrets, SHA-256 admin authentication with timing-safe comparison, rate limiting, audit hash chains with tamper detection, and CSP headers on all pages.
Security issues: security@holisticquality.io (see security.txt)
We may update this policy. Material changes will be noted in the API changelog (GET /api/changelog).