Privacy Policy
Last updated: March 4, 2026
PeekAPI ("we", "us", "our") operates the PeekAPI API analytics platform. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
1. What We Collect
We collect data in two categories:
Account data — provided when you sign up:
- Email address
- Organization name
- Password (hashed, never stored in plain text)
API request metadata — sent by our SDKs from your API servers:
- HTTP method, path, and status code
- Response time and response size
- Consumer identifiers (authorization headers are SHA-256 hashed before transmission — we never receive raw credentials)
- Timestamp and SDK version
We do not collect request bodies, response bodies, or any personally identifiable information (PII) from your API's end users.
Query string collection — by default, our SDKs strip query parameters from request paths before transmission. If you explicitly enable the collectQueryString option, sorted query parameters are included in the tracked path (e.g. /search?q=widget). This may capture user-supplied input. You are responsible for ensuring that sensitive values (tokens, passwords, PII) are not passed as query parameters when this option is enabled.
2. Legal Basis for Processing
We process your data under the following legal bases (GDPR Art. 6(1)):
- Account data — performance of contract (Art. 6(1)(b)). We need your email and organization name to create and maintain your account.
- API request metadata — performance of contract (Art. 6(1)(b)). We process this data on your behalf to provide the analytics service you subscribed to.
- Marketing page analytics — legitimate interests (Art. 6(1)(f)). We use cookie-free analytics (Plausible) on our marketing pages to understand traffic patterns and improve our website.
- Alert notifications — performance of contract (Art. 6(1)(b)). We send alerts you have configured as part of the service.
3. Controller and Processor Roles
PeekAPI as data controller. We are the data controller for account data (email, organization name, password hash) that you provide when signing up and using the platform.
PeekAPI as data processor. We act as a data processor for the API request metadata that your servers send to us via our SDKs. We process this data on your instructions, solely to provide the analytics service.
As a customer, you are responsible for establishing a legal basis to collect and transmit API request metadata from your end users to PeekAPI. A Data Processing Agreement (DPA) is available upon request for GDPR compliance.
4. How We Use Your Data
- To provide the PeekAPI analytics dashboard and alerting features
- To aggregate and display API traffic metrics, trends, and consumer activity
- To send alert notifications you have configured (email, Slack, Discord, Telegram, or webhook)
- To improve the reliability and performance of our service
5. Data Retention
API request metadata is retained according to your plan tier (7 days to 1 year). When the retention period expires, data is permanently deleted. Account data is retained for as long as your account is active. You may request deletion at any time.
6. Data Sharing
We do not sell your data. We share data only with the sub-processors listed below and as required by law. A full sub-processor list is maintained at our Sub-processors page.
- Supabase (EU — Ireland) — database and authentication. Processes account data and API request metadata on our behalf.
- Hetzner (Germany, EU) — dashboard hosting and Plausible analytics hosting. Processes web requests and marketing page analytics.
- Resend (US) — email alert delivery. Processes alert recipient email addresses only.
- Paddle (UK) — payment processing and merchant of record. Processes billing name, email, payment method, and transaction data.
- Legal obligations — if required by law, subpoena, or legal process.
Customer-configured integrations (Slack, Discord, Telegram, webhooks) are controlled by you and are not PeekAPI sub-processors. You are responsible for the privacy practices of those third-party services.
7. Cookies
We use essential cookies for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics scripts on the dashboard. For full details, see our Cookie Policy.
Cookies we set
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| sb-*-auth-token | Supabase authentication session | Essential | Session |
| sb-*-auth-token-code-verifier | PKCE auth flow verification | Essential | Session |
Plausible Analytics (marketing pages)
Our marketing pages use Plausible Analytics, a privacy-focused, cookie-free analytics tool. Plausible does not set any cookies and does not collect personal data. It collects aggregate data only: page URL, referrer, browser, operating system, device type, and country. This data cannot be used to identify individual visitors.
8. Security
All data is transmitted over HTTPS. Authorization headers are hashed (SHA-256) before leaving your servers. Our SDKs enforce HTTPS for all non-localhost connections and include SSRF protection against private IP ranges. Query parameters are stripped by default; if you opt in to query string collection, ensure your API does not pass sensitive data via URL parameters.
9. International Data Transfers
PeekAPI serves customers worldwide. Our primary infrastructure providers are Supabase (EU — Ireland, database and authentication) and Hetzner (Germany, EU — dashboard hosting and Plausible analytics). All core data is stored within the European Union. Data may be transferred across borders depending on your location and our infrastructure providers.
For residents of the European Economic Area (EEA) or the United Kingdom: transfers to countries without an adequacy decision are covered by Standard Contractual Clauses (SCCs) maintained by our sub-processors. By using PeekAPI, you consent to the transfer of data to the countries where our infrastructure operates.
10. Data Breach Notification
In the event of a personal data breach, PeekAPI will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Notify affected customers if the breach involves their API request metadata processed on their behalf
11. Children's Privacy
PeekAPI is not intended for use by persons under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].
12. Your Rights
You have the right to:
- Access the data we hold about you and your organization
- Export your data in a structured, commonly used, machine-readable format (right to data portability, GDPR Art. 20)
- Request correction of inaccurate data
- Request deletion of your account and all associated data
- Object to processing of your data (GDPR Art. 21), including processing based on legitimate interests
- Request restriction of processing (GDPR Art. 18)
- Withdraw consent at any time by closing your account
Automated decision-making. We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
If you are in the European Economic Area (EEA), you also have the right to lodge a complaint with your local data protection authority. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
Categories of personal information we collect
- Identifiers (email address, organization name)
- Internet or electronic network activity (API request metadata, dashboard usage)
We do not sell or share your personal information as defined under the CCPA/CPRA.
Your California rights
- Right to know what personal information we collect and how it is used
- Right to delete your personal information
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information
- Right to non-discrimination for exercising your privacy rights
To exercise these rights, contact us at [email protected]. We will respond within 45 days. You will not be discriminated against for exercising your rights.
14. Third-Party Links
Our dashboard and documentation may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those external sites. We encourage you to review the privacy policies of any third-party sites you visit.
15. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a notice in the dashboard at least 30 days before they take effect.
16. Contact
For privacy-related questions or requests, contact us at [email protected].