Privacy Policy

Last updated: April 15, 2026

Introduction

GovernAPI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our API security and governance platform.

1. Information We Collect

Account Information

  • Name, email address, and company information
  • Billing information (processed securely through Stripe)
  • Account credentials (passwords are encrypted)

Usage Data

  • API endpoints and request patterns
  • Security scan results and vulnerability data
  • Performance metrics and analytics
  • Log data (IP addresses, browser type, timestamps)

Technical Information

  • Device and browser information
  • Cookies and similar tracking technologies
  • API keys and authentication tokens (hashed)

What We Do NOT Collect

GovernAPI performs external analysis only and does not require access to your infrastructure, credentials, or internal systems. Specifically, we do not collect:

  • Credentials: We never store or collect your API keys, database passwords, server SSH keys, or any production credentials from the endpoints we scan.
  • Internal systems: We do not require VPN access, agents installed on your servers, or any form of insider access to your infrastructure.
  • Source code: We do not read or store your application code.
  • User data from your APIs: We do not collect or retain end-user data that flows through the APIs we scan. Response bodies are analyzed for security patterns in memory and discarded.
  • Sensitive personal data: We do not intentionally collect health information, financial account numbers, or other sensitive categories beyond what's needed to operate the service.

2. How We Use Your Information

  • Provide, maintain, and improve our services
  • Process transactions and send billing notifications
  • Detect and prevent security threats
  • Communicate with you about updates and features
  • Comply with legal obligations
  • Analyze usage patterns to improve performance

3. Third-Party Services & Data Sharing

We do not sell your personal information. We use the following third-party services to operate GovernAPI:

  • Stripe: Payment processing and subscription billing. Stripe receives your billing email, payment method details, and subscription events. Stripe does not receive your scan data. (Stripe Privacy Policy)
  • Resend: Transactional email delivery (weekly security reports, critical vulnerability alerts, password reset). Resend receives your email address and the email content we send you. (Resend Privacy Policy)
  • Anthropic (Claude API): AI-powered security advisor (Professional plan). When you use the AI advisor, your prompts and relevant scan context are sent to Anthropic for processing. Anthropic does not train models on API inputs by default. (Anthropic Privacy Policy)
  • Hosting: Our application is hosted on a cloud VPS. Scan data and account information are stored in our managed PostgreSQL database.
  • Legal Requirements: We may disclose information when required by law, subpoena, or to protect rights and safety.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with advance notice.

4. Data Security

We implement industry-standard security measures:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication requirements
  • Security best practices aligned with SOC 2 principles
  • Regular backups and disaster recovery plans

5. Data Retention

We retain your information for as long as your account is active or as needed to provide services. You can request deletion of your data at any time. We may retain certain information for legal compliance (7 years for financial records).

6. Your Rights (GDPR & CCPA)

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate information
  • Deletion: Request deletion of your data
  • Portability: Receive your data in a structured format
  • Opt-Out: Unsubscribe from marketing communications
  • Object: Object to certain data processing

7. Cookies and Tracking

We use cookies for authentication, preferences, and analytics. You can control cookies through your browser settings.

  • Essential: Required for login and security
  • Analytics: Help us understand usage patterns (anonymized)
  • Preferences: Remember your settings

8. International Data Transfers

Your data may be transferred to and processed in the United States. We rely on the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) as the lawful transfer mechanisms for personal data originating in the EEA, UK, and Switzerland.

9. Children's Privacy

Our service is not intended for children under 18. We do not knowingly collect information from children.

10. Changes to This Policy

We may update this policy periodically. We will notify you of material changes via email or dashboard notification. Continued use of the service constitutes acceptance of changes.

11. Contact Us

For privacy-related questions or to exercise your rights, contact us: