Privacy Policy

Last updated: 1 March 2026

This Privacy Policy describes how Remtel ("Remtel", "we", "us", or "our") collects, uses, and protects information when you use our platform, API, and related services (collectively, the "Service").

1. Information We Collect

Account Information: When you create an account, we collect your email address, name (optional), and a hashed version of your password. We never store plaintext passwords.

API Keys: We store a SHA-256 hash of each API key and a display prefix (first 8 characters). The full key is shown once at creation and cannot be retrieved afterward.

Usage Data: We log API requests, including timestamps, endpoints accessed, response codes, and IP addresses, for security monitoring and rate-limit enforcement.

Payment Information: If you subscribe to a paid plan, payment processing is handled by Stripe. We store your Stripe customer ID but never process or store card details directly.

Audit Logs: We maintain security audit logs recording actions such as login attempts, API key creation/revocation, MFA changes, and subscription updates.

2. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and authorise access
  • Enforce plan limits and rate limits
  • Process payments and manage subscriptions
  • Detect and prevent fraud, abuse, and security incidents
  • Send service-critical notifications (e.g., watchlist alerts, account security)
  • Generate aggregated, anonymised usage statistics

3. Data Sharing

We do not sell your personal information. We share data only with:

  • Stripe: For payment processing (see Stripe's Privacy Policy)
  • Infrastructure Providers: Our hosting and database services process data on our behalf under data processing agreements
  • Legal Requirements: When required by law, court order, or to protect our legal rights

4. Data Security

We implement industry-standard security measures, including:

  • Bcrypt password hashing with per-user salts
  • SHA-256 hashing for API keys and MFA recovery codes
  • TOTP-based multi-factor authentication support
  • JWT tokens with 24-hour expiration
  • TLS encryption for all data in transit
  • Role-based access controls with admin separation

5. Data Retention

We retain account data for as long as your account is active. Usage logs are retained for 90 days. Audit logs are retained for 1 year. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Export your data in a portable format
  • Object to or restrict processing
  • Withdraw consent at any time

To exercise these rights, contact us at privacy@remtel.io.

7. Cookies

We use a single essential cookie (authentication token stored in localStorage) to maintain your session. We do not use tracking cookies, advertising cookies, or third-party analytics that set cookies.

8. International Data Transfers

Your data may be processed in jurisdictions outside your country of residence. Where we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses where required under GDPR.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact

For privacy-related questions or requests:

privacy@remtel.io