Legal

Privacy Policy

How Zillapi collects, uses, and protects information about developers who use the Zillapi developer API and dashboard.

This is a template document. Review with qualified legal counsel before relying on it for compliance purposes.

This Privacy Policy describes how Zillapi (“Zillapi”, “we”, “us”) collects, uses, and shares information when you visit our website, sign up for an account, or use the Zillapi developer API (the “Service”). It applies to information about you, the developer or organization that holds a Zillapi account. It does not describe what Zillow Group, Inc. does with data on zillow.com.

1. Information we collect

Account information. When you sign up we collect your email address. Authentication uses one-time magic-link tokens delivered to that email; we store hashed token state, not the token itself once consumed.

API usage logs. When your account makes a request to the Service we record the timestamp, the endpoint and HTTP method, the response status, the originating IP address, the API key identifier, the request size, and the response size. We use these logs to meter usage, enforce rate limits, detect abuse, debug errors, and bill correctly.

Payment metadata. When you subscribe to a paid plan, Stripe collects and stores your payment card details directly. We receive only a customer ID, the last four digits of the card, the brand, the country, the subscription plan, and invoice records. We do not see or store full card numbers, CVV codes, or bank account numbers.

Communications. If you email us we retain the message and any reply for support and recordkeeping purposes.

Cookies and similar technologies. Our marketing pages use a small number of first-party cookies for session continuity and to remember whether you have logged in. We do not use third-party advertising cookies. The dashboard uses a session cookie issued by Supabase Auth.

2. How we use information

We use the information above to:

Provide, operate, secure, and improve the Service.
Authenticate you and authorize your API requests.
Meter usage against your plan and generate invoices.
Detect, investigate, and prevent fraud, abuse, and violations of our Terms.
Send transactional email (magic links, receipts, security notices, breaking changes).
Respond to support requests sent to nikhil@landkit.pro.
Comply with our legal obligations.

We do not sell personal information, and we do not use your account email or usage logs to train machine learning models.

3. Third-party processors

Zillapi relies on a small set of subprocessors to run the Service. Each one is bound by its own contractual obligations regarding the data we send them:

Supabase — authentication and database hosting. Stores account records, hashed token state, and operational tables.
Stripe — payment processing and subscription billing. Stores payment instruments and invoices.
Cloudflare — edge network, DDoS protection, and Workers compute. Sees request metadata in transit; logs are configured for operational use only.

We may update this list when we add or remove a processor; material changes will be reflected on this page with an updated “dateModified”.

4. Cookies and tracking

We do not run third-party analytics, advertising, or social-media tracking pixels on the dashboard. Marketing pages may include a privacy-respecting first-party analytics pageview counter that does not set persistent cross-site identifiers. You can disable cookies in your browser; the dashboard requires session cookies to function.

5. Data retention

Account record. Retained for the life of your account, then deleted within [REVIEW: 30 / 60 / 90 days — confirm internal policy] of account closure, except where retention is required by law.
API usage logs. Retained for [REVIEW: 90 days suggested — confirm internal policy], then deleted or aggregated into anonymized totals.
Invoices and tax records. Retained for [REVIEW: 7 years suggested — confirm with tax counsel] as required by applicable tax and accounting law.
Support email. Retained for [REVIEW: 24 months suggested].

6. Your rights

Depending on where you live, you may have the right to:

Access the personal data we hold about you.
Correct inaccurate data.
Delete your data (“right to be forgotten”), subject to legal retention requirements above.
Export your data in a portable format.
Object to or restrict certain processing.
Withdraw consent where processing is based on consent.

To exercise any of these rights, email nikhil@landkit.pro from the address on your account. We will respond within [REVIEW: 30 days suggested — confirm with counsel for GDPR/CCPA timelines].

If you are in the European Economic Area or the United Kingdom, our legal basis for processing your personal data is (a) performance of the contract you entered into when you accepted our Terms, (b) our legitimate interest in operating, securing, and improving the Service, and (c) compliance with legal obligations. You may lodge a complaint with your local supervisory authority. International transfers of personal data out of the EEA or UK rely on the European Commission’s Standard Contractual Clauses, where applicable.

8. CCPA (California residents)

If you are a California resident, you have the right to know what categories of personal information we collect, the right to delete personal information we hold about you, the right to correct inaccurate information, and the right not to be discriminated against for exercising these rights. We do not “sell” or “share” personal information as those terms are defined under the California Consumer Privacy Act.

9. Children

The Service is not directed at children under 13 (or under 16 in the EEA / UK). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

10. Data location

Our infrastructure is hosted in the United States. By using the Service from outside the United States, you consent to your data being transferred to and processed in the United States.

11. Security

We use industry-standard technical and organizational measures to protect personal data, including TLS for data in transit, encryption at rest for the primary database, scoped credentials for infrastructure access, and multi-factor authentication on administrative accounts. No system is perfectly secure; we cannot guarantee absolute security.

12. Breach notification

If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify affected account holders without undue delay and, where required by law, within 72 hours of becoming aware, with the information required by the applicable regulator.

13. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email or with a notice on this page; the “dateModified” field above will reflect the most recent revision.

14. Contact

Privacy questions or requests: nikhil@landkit.pro.