Plain-language summary: We collect the minimum data reasonably needed to run accounts, payments, API routing and support. Marketing measurement requires a separate choice. API content may be processed by the selected upstream route, so sensitive workloads need a route-specific assessment.
1. Scope and data user
This Privacy Policy explains how ApiCredits collects, holds, processes, uses and discloses personal data when you use our website, dashboard, checkout, support channels and API gateway.
For data handled through the Service, ApiCredits acts as the data user responsible for deciding why and how that data is processed. ApiCredits is based in Kowloon Bay, Hong Kong.
2. Data we collect
- Account and contact data: email address, account identifiers and information you provide to support.
- Transaction data: selected plan, amount, currency, payment method, provider references, status, refund and chargeback information. Payment providers process full payment credentials.
- Technical data: IP address, device and browser data, timestamps, security events, API key identifiers, request routing, token usage, model selection and diagnostic logs.
- Campaign data: landing page, UTM parameters, fbclid, and Meta identifiers when marketing measurement is permitted.
- Communications: messages, attachments and other information sent through support or a volume request.
3. API request and response content
Request and response content may pass through ApiCredits systems and selected upstream services so the request can be routed, generated, secured, metered and troubleshot. Provider-specific processing and retention rules may differ by route.
Do not submit secrets, regulated records or highly sensitive personal data unless you have assessed the selected route and have a lawful basis and appropriate safeguards. Contact support before deploying a regulated or confidentiality-sensitive workload.
4. Why we use data
- create and secure accounts, wallets and API keys;
- process, confirm and reconcile payments and refunds;
- route API requests and calculate model-specific usage;
- provide support, investigate errors and communicate service notices;
- prevent fraud, abuse, chargebacks and security incidents;
- meet accounting, legal and regulatory obligations;
- measure marketing performance only where required permission has been given.
7. International data transfers
Providers and infrastructure may operate outside Hong Kong. Where data is transferred across borders, we use contractual, technical and organisational measures intended to protect it consistently with this Policy and applicable data protection requirements.
8. Retention
We retain personal data only for as long as reasonably needed for the purposes above, including account operation, security, dispute handling, payment reconciliation and legal recordkeeping. Retention varies by data type, payment provider, selected model route and legal obligation. Data no longer required is deleted, anonymised or isolated from routine use where reasonably practicable.
9. Security
We use access controls, credential protection, server-side payment verification, logging and other reasonable safeguards. No online system is completely secure. You must protect your account email and API keys and report suspected compromise promptly.
10. Access, correction and other requests
Subject to applicable law, you may request access to or correction of your personal data and may ask questions about retention, deletion or processing. We may need to verify identity and may retain information required for security, accounting, disputes or law.
Send a request to the Data Protection Contact, ApiCreditsthrough support. Include the account email and enough information to identify the relevant data, but never send an API key or payment credential in a message.
11. Direct marketing
We will obtain the required consent before using personal data for direct marketing. You may withdraw consent or opt out at any time at no cost through the method in the message or by contacting support. Operational, security and transaction messages are not promotional marketing.
12. Children
The Service is intended for adults and business users. We do not knowingly collect personal data from children under 18. Contact support if you believe a child has provided data to us.
13. Changes to this Policy
We may update this Policy when our product, providers or legal obligations change. The date at the top identifies the current version. Material changes will be communicated where reasonably practicable.