Privacy Policy
Last updated: June 2, 2026
The short version. We collect what we need to run a gateway and keep it safe — your account info, the configuration you create, and security logs like hashed IPs and audit trails. We hash API keys and encrypt tokens, and we deliberately don't store the bodies of your production traffic. We don't sell your data. You can access, export, and delete it.
This summary is for convenience only. The full policy below controls.
1. Who we are
This Privacy Policy explains how APIblaze LLC, a Delaware limited liability company with its principal place of business in Birmingham, Michigan (“APIblaze,” “we,” “us,” or “our”), handles personal information in connection with the APIblaze website, dashboard, CLI, APIs, and the managed API gateway we operate (the “Service”). It works alongside our Terms of Service.
APIblaze is a gateway: you point us at your own APIs and we proxy traffic to them. That means there are two very different kinds of data here — information about you as an APIblaze customer, and the traffic that flows through the proxies you configure. We treat them differently, and this policy is specific about which is which.
2. Information we collect
Account and identity information. When you sign up — typically through GitHub OAuth — we receive your name, email address, and provider account identifier, and we store your team memberships and the invitations you send or accept.
Configuration you create. The proxies, products, projects, tenants, OpenAPI specifications, domain names, branding, IAM users and groups, and other settings you create on the Service.
Credentials. We store API keys only as one-way (SHA-256) hashes — we never store or log the raw key. OAuth tokens and provider secrets needed to operate your proxies are encrypted at rest.
Abuse-prevention and operational logs. To keep the Service safe we record metadata about activity such as proxy creation, including a hashed (not raw) form of the originating IP address, the target host, and timestamps, plus audit logs of actions taken on your account.
Traffic samples (opt-in). For the development environment, if you turn on sampling, we capture limited request and response samples to help generate documentation and transform rules. These samples are stripped of secrets before storage — we remove raw tokens, API-key values, and cookie values, store only decoded non-sensitive claims and a key prefix and length, cap bodies in size, and keep samples scoped to your team. You can delete them.
Website and analytics data. When you use our website we collect standard technical information such as IP address, browser and device type, and pages viewed, including through analytics tools, and any details you submit through contact or support forms.
3. What we deliberately do not collect
We designed the Service to hold as little sensitive data as possible. Unless you opt into development traffic sampling, we do not store the request and response bodies that pass through your production proxies — that traffic is forwarded, not retained. We do not store raw API keys, the credentials of your upstreams, or your end users’ cookie values. We are not in the business of reading your traffic.
4. How we use information
We use the information above to:
- Provide, operate, secure, and maintain the Service, including routing and authenticating traffic to your proxies.
- Detect, investigate, and prevent abuse, fraud, security incidents, and violations of our Terms — this is why we keep hashed IPs, target hosts, and audit logs.
- Apply and enforce rate limits and quotas.
- Communicate with you about your account, security, support requests, and material changes to the Service.
- Understand and improve how the Service is used, including through aggregated and de-identified analytics.
- Comply with legal obligations and enforce our agreements.
We do not sell your personal information, and we do not use the content of your proxy traffic to build profiles or to advertise to anyone.
5. Legal bases for processing
Where the GDPR or similar laws apply, we process personal information on these bases: to perform our contract with you (providing the Service); our legitimate interests (securing the Service, preventing abuse, and improving the product, balanced against your rights); your consent (for example, optional traffic sampling, which you can withdraw); and compliance with legal obligations.
6. How we share information
We share personal information only as needed to run the Service:
- Service providers and subprocessors who host and operate the Service on our behalf — including infrastructure and edge/gateway hosting (Cloudflare), website hosting (Vercel), rate-limiting (Upstash), transactional email (AWS SES), identity (GitHub OAuth), and analytics and threat intelligence (Google, including Web Risk) — and our contact-form tooling. These providers may process data only for us and under confidentiality obligations.
- Authorities and other parties when we reasonably believe disclosure is required by law or legal process, or is necessary to enforce our Terms or protect the Service, our users, or the public.
- A successor in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
When you connect an upstream or integration, data necessarily flows to that destination — you choose those destinations, and their handling of data is governed by their own policies, not ours.
7. Data retention
We keep account and configuration data for as long as your account is active. When you delete a resource we use a soft-delete grace period and then permanently remove it, cascading to associated proxies, keys, IAM records, and any traffic samples. We retain abuse-prevention and audit logs for as long as reasonably necessary to secure the Service, resolve disputes, and meet legal obligations, after which we delete or de-identify them. Opt-in traffic samples are retained until you delete them or the retention you configure elapses.
8. Security
We use reasonable technical and organizational measures to protect personal information: encryption in transit (HTTPS), encryption at rest for tokens and provider secrets, one-way hashing of API keys and originating IPs, access controls, and isolation between teams as a hard boundary. No system is perfectly secure, and we cannot guarantee absolute security; you are responsible for safeguarding your own credentials and for the security of the upstreams you connect.
9. Your rights and choices
Depending on where you live, you may have rights to access, correct, delete, export (port), or restrict the processing of your personal information, to object to certain processing, and to withdraw consent. You can exercise many of these directly in the dashboard, or by emailing privacy@apiblaze.com. We will respond as required by applicable law and will not discriminate against you for exercising your rights.
California residents: we do not sell or “share” personal information as those terms are defined under California law, and we honor the rights described above. EEA/UK residents: you may also lodge a complaint with your local data-protection authority. You can opt out of marketing emails at any time using the unsubscribe link.
10. International transfers
We and our providers may process personal information in the United States and other countries whose data-protection laws may differ from yours. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.
11. Cookies and analytics
Our website uses cookies and similar technologies for essential functionality and to understand usage through analytics. You can control cookies through your browser settings; disabling some cookies may affect how the site works.
12. Children
The Service is for users who are at least 18 years old and is not directed to children. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us personal information, contact us and we will delete it.
13. Changes to this policy
We may update this policy from time to time. If we make material changes, we will update the “Last updated” date and, where appropriate, provide additional notice. Your continued use of the Service after a change takes effect means you accept the updated policy.
14. Contact us
Questions about this policy or your data? Reach out.
Privacy: privacy@apiblaze.com
Address: APIblaze LLC, Birmingham, Michigan, United States