Privacy Policy
This Privacy Policy explains what data 1F collects, why, and how to exercise your rights.
1. What we collect
- Account data: email address, hashed password, display name, plan, Stripe customer ID, account creation + last-login timestamps.
- Usage data: per-call API endpoint, status code, latency, credits consumed, request timestamp. Stored for billing, abuse-prevention, and product analytics.
- Investigation case data: case names, addresses you investigate, audit log of your actions. Visible only to your account and any team members you invite.
- Webhook configuration: URLs and HMAC secrets you register for screen-subscribe alerts.
We do not collect or store: your government ID, banking information beyond the Stripe customer reference, location data beyond signup IP, or biometric data.
2. Why we collect it
- To provide and bill the Service (legitimate interest, contract performance);
- To detect abuse and meet our own legal obligations (legitimate interest);
- To respond to valid law-enforcement requests (legal obligation);
- For product analytics in aggregated, non-identifying form.
3. Sharing
We share data with:
- Stripe (payment processing — they handle card data, we never see it);
- Cloud hosting providers under standard data-processing agreements;
- Law enforcement, when compelled by valid legal process.
We do not sell personal data, ever.
4. Your rights (GDPR, CCPA, similar regimes)
You may at any time:
- access your data —
GET /api/auth/me; - export your case bundles and audit logs —
GET /api/cases/{id}/export; - delete your account and associated data —
DELETE /api/auth/account; - request a copy of all data we hold about you — email privacy@1f.ai.
Deletion is permanent and takes effect within 30 days. We retain billing records as required by tax law (typically 7 years).
5. Security
Passwords are hashed with a per-user salt before storage. Stripe webhook signatures are verified before any account state is changed. API keys are random 36-character UUIDs; only the key hash is shown in usage logs. Server-side secrets are stored in environment variables, never in source control.
6. International transfers
Data may be processed in the United States or the European Union. Where required, we rely on Standard Contractual Clauses for cross-border transfers.
7. Children
The Service is not directed to children under 16. We do not knowingly collect data from children. If we discover such collection we will delete it.
8. Changes
Material changes will be announced via email or a banner on the website at least 14 days before they take effect.