Privacy Policy

Effective 2026-04-16.

What we collect, who touches it, and how long we keep it.

1. What we collect

  • Email address — for sign-in and product-critical notifications. Not used for marketing unless you explicitly opt in.
  • Encrypted upstream API keys — see Security for the cryptographic details.
  • Endpoint metadata — the label you set, the provider, destination URL, and timestamps for create / rotate / revoke.
  • Request metadata — per-request status code, latency, and which endpoint served the request. Never the request body, response body, prompt, or completion.
  • Session data — an opaque session ID in an HTTP-only cookie, backed by a KV entry that expires after 30 days or on sign-out.

2. What we don’t collect

  • Request bodies, response bodies, prompts, completions.
  • Browser analytics or tracking cookies.
  • Payment data (billing is not yet live).

3. Sub-processors

  • Cloudflare — compute (Workers, Pages), database (D1), KV storage, DNS. Your encrypted data lives here.
  • Resend — transactional email delivery for magic-link sign-in messages.

4. Retention

  • Encrypted keys: until you delete the endpoint.
  • Endpoint metadata: until you delete your account.
  • Session entries: 30 days, or immediately on sign-out.
  • Rate-limit counters: 1 hour rolling.
  • Magic-link hashes: 15 minutes, or immediately on use.

5. Legal basis (GDPR)

For users in the EU/EEA/UK, we rely on the following legal bases:

  • Contract (Art. 6(1)(b)) — processing your email, encrypted keys, endpoint metadata, and session cookie is necessary to deliver the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)) — request metadata (status codes, latency) and rate-limit counters are processed to keep the service running and to prevent abuse. You may object to this processing; see “Your rights” below.
  • Legal obligation (Art. 6(1)(c)) — where we must retain or disclose limited data to comply with law.

6. International transfers

Cloudflare and Resend operate globally; data may be processed in the United States or other countries outside the EU/EEA. We rely on the European Commission’s Standard Contractual Clauses (SCCs) and each provider’s published data processing terms for these transfers. Cloudflare is also GDPR-compliant and offers a DPA covering EU data.

7. Your rights

If you are in the EU/EEA or UK, you have the right to:

  • Access (Art. 15) — obtain a copy of your data.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure (Art. 17) — request deletion of your data.
  • Restriction (Art. 18) — limit how we process your data.
  • Portability (Art. 20) — receive your data in a machine-readable format.
  • Object (Art. 21) — object to processing based on legitimate interest.
  • Withdraw consent (Art. 7(3)) — where processing is based on consent.
  • Lodge a complaint (Art. 77) with your local supervisory authority.

Email privacy@strakelabs.com to exercise any of these rights. We respond within 30 days.

8. Breach notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours. Where the breach is likely to result in a high risk, we will notify affected users directly without undue delay.

9. Data controller

The controller responsible for your personal data is Dalton Solutions, LLC (operating Strake). For any controller-related correspondence, email privacy@strakelabs.com.

10. Children

Strake is not directed at users under 16 and we do not knowingly collect data from minors.

11. Changes

Material changes will be emailed to the address on file.

12. Contact

privacy@strakelabs.com