Privacy Policy
Last updated: April 22, 2026
1. Introduction & Scope
This Privacy Policy explains how APIHub.io ("APIHub," "we," "us," or "our") collects, uses, stores, and protects information when you use our platform. APIHub is a marketplace where AI agents discover, pay for, and consume APIs. Payments are processed on-chain using USDC on the Base blockchain via the x402 protocol.
This policy applies to all users of APIHub, including API providers who list services, agent developers who create and manage AI agents, and autonomous agents that interact with the platform programmatically. By using APIHub, you agree to the practices described in this policy.
2. Data We Collect
Information You Provide
- Email address (for account creation and magic link authentication via Resend)
- Display name and profile details for your provider or developer account
- API listings, descriptions, pricing, and OpenAPI specifications submitted by providers
- Support inquiries and communications submitted through our contact page
Wallet Data
- Public wallet address when you connect via MetaMask, Coinbase Wallet, Rabby, Phantom, Trust, or Frame
- Wallet connection is handled through Coinbase OnchainKit and wagmi
- Transaction signatures you approve for USDC payments on Base
- We never have access to your private keys, seed phrases, or the ability to initiate transactions without your explicit approval
Automatically Collected Data
- API request metadata: endpoints called, request timestamps, response times, HTTP status codes
- Transaction records: amounts in microdollars, wallet addresses, payment methods, receipt hashes
- API key metadata: prefix (first 8 characters) and SHA-256 hash (never the full plaintext key)
- Rate limit counters tied to your API key prefix and endpoint
- IP address (used for rate limiting and abuse prevention at the edge; not stored long-term)
- API health metrics: uptime, latency percentiles, error rates (aggregated, not tied to individual users)
Third-Party Data
- Blockchain transaction data from the Base network (public by nature)
- Wallet provider metadata shared during wallet connection (varies by provider)
What We Do Not Collect
- Private keys, seed phrases, or wallet recovery information
- Passwords (we use magic link authentication, so no passwords exist)
- Third-party tracking cookies or advertising identifiers
- Browsing history outside of APIHub
- Biometric data
- Content of API request or response bodies proxied through the platform
3. How We Use Your Data
We use collected information for the following purposes:
- Authenticate your account via magic link email and manage your sessions
- Process, record, and audit API transactions and credit purchases
- Maintain prepaid credit balances and wallet state
- Provide usage analytics and dashboards to providers and agent developers
- Enforce rate limits and detect abuse or fraudulent activity
- Calculate and display API quality metrics (uptime, latency, reliability scores)
- Send transactional emails for credit purchases and service alerts
- Route API requests through our proxy to upstream providers
- Resolve disputes and respond to support requests
- Comply with legal obligations
We do not use your data for advertising, profiling, or selling to third parties.
4. Data Storage & Infrastructure
All data is stored on Cloudflare's global infrastructure. Here is where each type of data lives:
| Storage System | Data Stored | Details |
|---|---|---|
| Cloudflare D1 (SQLite) | Accounts, API listings, transactions, credit balances, API keys (hashed) | Primary database, encrypted at rest |
| Cloudflare KV | Session tokens (24h TTL), rate limit counters (120s TTL), API key lookup cache (60s TTL) | Globally replicated, eventual consistency |
| Cloudflare R2 | Audit logs, balance snapshots, provider assets | Object storage, no public access |
| Durable Objects | Real-time wallet balances, active session metering | Strongly consistent, single-writer |
All data in transit is encrypted via TLS. API keys are stored exclusively as SHA-256 hashes. The plaintext key is shown to you exactly once at creation and cannot be recovered by APIHub.
5. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information to advertisers, data brokers, or any third parties for marketing purposes.
We may share limited data in the following circumstances:
- Infrastructure providers: Cloudflare processes your requests as part of hosting and delivering the platform
- Email delivery: Resend processes your email address to deliver magic link authentication emails and transactional notifications
- Wallet services: Coinbase (via OnchainKit/CDP) processes wallet connection data according to their privacy policies
- Upstream API providers: When your agent makes a paid API call, the request is proxied through APIHub. The upstream provider receives the API request content but does not see the agent's IP address or API key
- Legal requirements: We may disclose information when required by law, court order, subpoena, or to protect the rights, safety, or property of APIHub or its users
- Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction with equivalent privacy protections
6. Blockchain Data Transparency
APIHub processes payments using USDC on the Base blockchain via the x402 protocol. It is important to understand the following about blockchain data:
- Blockchain transactions are public and immutable by design. Once a USDC payment is recorded on Base, it cannot be deleted, modified, or hidden.
- Your public wallet address and transaction history on-chain are visible to anyone with a block explorer.
- APIHub does not control the Base blockchain and cannot alter or remove on-chain data.
- The connection between your APIHub account and your wallet address is stored in our private database, not published on-chain.
- Receipt hashes recorded in our database reference on-chain transactions for audit and dispute resolution purposes.
If privacy of transaction history is a concern, consider using a dedicated wallet address for APIHub interactions.
7. Data Retention
We retain data for different periods depending on its purpose and legal requirements:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until account deletion | Required for service operation |
| Transaction records | 7 years after creation | Financial audit and dispute resolution |
| Audit logs | 3 years | Security and compliance |
| Session tokens | 24 hours (auto-expire) | Authentication; deleted automatically via TTL |
| Rate limit counters | 120 seconds (auto-expire) | Abuse prevention; deleted automatically via TTL |
| API key lookup cache | 60 seconds (auto-expire) | Performance; deleted automatically via TTL |
| API quality metrics | 1 year (hourly aggregates) | Service quality scoring |
| Blockchain data | Permanent (immutable) | Inherent to blockchain technology |
Transaction records are append-only and immutable within our system. They are never modified after creation. This is a deliberate security measure for financial integrity and dispute resolution.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and associated data, subject to retention requirements for transaction records and audit logs
- Portability: Request your data in a machine-readable format
- Objection: Object to specific processing activities where applicable
- Revocation: Revoke API keys at any time through your dashboard. Revoked keys are removed from the database and cached lookups expire within 60 seconds
To exercise any of these rights, contact us through our contact page. We will respond to verified requests within 30 days.
Please note: account deletion will remove your profile, API listings, and API keys. However, transaction records are retained for the periods specified in the Data Retention section above, as required for financial audit purposes. On-chain blockchain data cannot be deleted.
9. Cookies & Local Storage
Cookies
We use a single authentication cookie containing a JWT session token. This cookie is configured with the following security attributes:
- HttpOnly: not accessible to JavaScript, preventing XSS-based session theft
- Secure: transmitted only over HTTPS
- SameSite=Lax: prevents cross-site request attachment in most scenarios
- Expires after 24 hours (sliding window)
We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.
Local Storage
We use your browser's localStorage for the following purposes:
- Theme preference: Stores your choice of light or dark mode
- Wallet connection state: wagmi and Coinbase OnchainKit store wallet connection details (such as selected wallet provider and connection status) in localStorage to persist your session across page reloads
You can clear localStorage at any time through your browser settings. Doing so will reset your theme preference to the system default and disconnect your wallet session.
10. Children's Privacy
APIHub is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us through our contact page and we will delete the information promptly.
11. International Data Transfers
APIHub operates on Cloudflare's global edge network. Your data may be processed in any country where Cloudflare maintains infrastructure. Cloudflare's network spans over 300 cities worldwide, and data is typically processed at the edge location closest to the user.
Blockchain transactions on the Base network are processed by a decentralized network of validators worldwide. This is inherent to the technology and outside of APIHub's control.
By using APIHub, you acknowledge that your data may be transferred to and processed in jurisdictions outside your country of residence, which may have different data protection laws.
12. Security Measures
We implement multiple layers of security to protect your data:
- All data in transit encrypted via TLS
- API keys stored as SHA-256 hashes only; plaintext is never stored or logged
- Magic link tokens are single-use and expire within 15 minutes
- Rate limiting at both the edge (Cloudflare WAF) and application level
- Separate worker architecture isolates the payment proxy from the public website and API, limiting blast radius if any component is compromised
- Security headers on all responses: HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options
- All user inputs validated with schema validation before processing
- All database queries use parameterized statements to prevent SQL injection
- SSRF protection: internal and reserved IP ranges are rejected for provider-submitted URLs
- API requests proxied through the platform so upstream APIs never see the requesting agent's IP address
- Immutable, append-only transaction logs for financial audit integrity
No system is perfectly secure. If you discover a security vulnerability, please report it through our contact page and we will investigate promptly.
13. Third-Party Service Privacy
APIHub integrates with the following third-party services. Each has its own privacy practices:
- Cloudflare (hosting, CDN, database, edge compute): Privacy Policy
- Resend (email delivery for magic links and notifications): Privacy Policy
- Coinbase (OnchainKit, CDP, Smart Wallet): Privacy Policy
- Base (blockchain network for USDC transactions): Privacy Policy
- Circle (USDC issuer): Privacy Policy
Wallet providers (MetaMask, Rabby, Phantom, Trust, Frame) each have their own privacy policies. Please review the privacy policy of your chosen wallet provider for details on how they handle your data.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last updated" date at the top of this page.
For material changes that significantly affect how we handle your data, we will make reasonable efforts to notify you via email (if you have an account) or through a prominent notice on the platform.
Your continued use of APIHub after any changes to this policy constitutes acceptance of the updated terms.
15. Contact
If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how your information is handled, please reach out through our contact page.