Privacy Policy

1. Overview

CrimeLayer respects your privacy. This Privacy Policy describes what personal data we collect when you use the CrimeLayer service, how we use that data, and your rights regarding your data.

2. Data We Collect

2.1 Account Data

When you sign in via Google, GitHub, or Apple OAuth, we receive:

• Your email address
• Your name (if provided by the OAuth provider)
• Your profile avatar URL (if provided)
• An opaque provider-specific ID

We store this data to create your CrimeLayer account and manage your access.

2.2 API Usage Metadata

When you make API requests, we log:

• The API endpoint called (e.g., /v1/safety/:city)
• The HTTP method and response status code
• Request latency
• A hashed identifier derived from your API key (not the key itself)

We do NOT log the request body, response body, or any query parameters.

2.3 Payment Data

Payment information (credit card numbers, billing addresses) is handled entirely by Stripe. We never see, store, or have access to your raw payment details. We only receive a Stripe customer ID and subscription status.

2.4 What We Do NOT Collect

• We do not track individual end users of your application
• We do not store the contents of your API responses
• We do not sell personal data to any third party
• We do not use tracking cookies on the marketing site (only a session cookie for authenticated dashboard access)

3. How We Use Your Data

• To authenticate you and provide access to the Service
• To enforce your plan's rate limits and monthly quotas
• To bill you via Stripe
• To send you transactional emails (account confirmations, billing receipts, security alerts)
• To detect and prevent abuse
• To improve the Service based on aggregate, anonymized usage patterns

4. Data Retention

• Account data — retained while your account is active, plus 90 days after deletion for audit purposes
• API usage logs — retained for 30 days
• Billing records — retained for 7 years per US tax law requirements

5. Sub-Processors

We share data with the following sub-processors strictly to operate the Service:

• Cloudflare, Inc. — hosting, CDN, DNS, DDoS protection
• Stripe, Inc. — payment processing and subscription management
• Google LLC — OAuth identity provider (if you use Google sign-in)
• GitHub, Inc. — OAuth identity provider (if you use GitHub sign-in)
• Apple Inc. — OAuth identity provider (if you use Apple sign-in)

We do not use analytics platforms (Google Analytics, Mixpanel, Segment, etc.) on the marketing site or dashboard.

6. Your Rights

6.1 If You Are in the European Union or United Kingdom (GDPR)

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion (right to be forgotten)
• Object to processing
• Export your data in a machine-readable format
• Lodge a complaint with your local data protection authority

6.2 If You Are in California (CCPA)

You have the right to:

• Know what personal information we collect about you
• Delete personal information we have collected
• Opt out of any sale of personal information (note: we do not sell personal information)
• Non-discrimination for exercising your rights

6.3 How to Exercise Your Rights

To exercise any of the above rights, email [email protected]. We will respond within 30 days. Most requests can also be self-served from your dashboard settings page.

7. Data Security

We use industry-standard security measures to protect your data, including TLS encryption in transit, at-rest encryption for persistent storage, and authentication via JWT tokens. Additional details on our security posture are available at /security.

8. International Data Transfers

CrimeLayer is operated from the United States. If you are located outside the US, by using the Service you consent to the transfer and processing of your data in the US, where data protection laws may differ from those in your jurisdiction.

9. Children's Privacy

The Service is not intended for children under 13 (or 16 in the EU). We do not knowingly collect data from children.

10. Changes to This Policy

We may update this Privacy Policy. Material changes will be announced via the Changelog and via your account email.

11. Contact

Privacy questions: [email protected]