Last updated: [DATE]
This Privacy Policy describes how [COMPANY / OPERATOR NAME] ("we", "us") handles personal data in connection with OrgIndex (the "Service").
1. What We Collect
- Account data: your email address and a securely hashed password (bcrypt) — we never store your password in plain text and cannot recover it if you forget it.
- Billing data: a Stripe customer ID and subscription status. Card details are handled entirely by Stripe; they never pass through our servers.
- API keys: a securely hashed API key plus a short, non-secret prefix so you can identify your own keys.
- Access data: request timestamps and IP addresses, retained briefly for rate-limiting and abuse prevention.
2. How We Use It
To operate your account and sessions, process subscription billing, enforce usage limits and prevent abuse, and communicate with you about your account.
3. Third Parties
- Stripe — payment processing and subscription management. See Stripe's privacy policy.
- Have I Been Pwned — at registration and password change, we check whether your chosen password appears in a known breach. Only the first five characters of a SHA-1 hash of the password are ever sent — never the password itself, and never enough to reconstruct it.
We do not sell your personal data to third parties.
4. Cookies
The Service sets a single functional session cookie used to keep you signed in. It is not used for advertising or cross-site tracking.
5. Data Retention
Account data is retained while your account is active. You can permanently delete your account and associated data at any time from your account settings, which also cancels any active subscription.
6. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, or receive a copy of your personal data. You can exercise these directly:
- Access / portability: download your data as JSON at any time.
- Deletion: delete your account at any time.
- Correction: update your password from account settings; contact us for other corrections.
For anything not self-serviceable above, contact [CONTACT EMAIL].
7. Security
Passwords are hashed with bcrypt and never stored or logged in plain text. Sessions and API keys are stored as one-way hashes, so a database copy alone cannot be used to impersonate you. We apply rate limiting and account lockout to resist automated attacks.
8. Children's Privacy
The Service is not directed at children and we do not knowingly collect personal data from children under 13 (or the relevant minimum age in your jurisdiction).
9. Changes to This Policy
We may update this Policy from time to time; material changes will be reflected by an updated date above.
10. Contact
Questions about this Policy: [CONTACT EMAIL].