Privacy Policy

• Account data: name, email, hashed password, OAuth identifiers from Google or GitHub when you use social sign-in.
• Usage data: API calls with timestamp, endpoint, status code, duration, and source IP. Used for billing, quota enforcement, and abuse detection.
• Analytics: aggregate page views via Vercel Web Analytics, which is cookieless and does not profile or fingerprint visitors. We do not record session replays.
• Payment data: handled entirely by Stripe. We store the Stripe customer ID and subscription metadata; we never see card numbers.
• Email events: open and click tracking on transactional email via Resend. You can opt out by replying.

To operate the Service, enforce plan quotas, bill correctly, send transactional email (verification, receipts, password resets, security notifications), detect abuse, and improve the product in aggregate.

• Contract: running your account and the API you signed up for.
• Legitimate interests: abuse detection, product improvement, billing reconciliation.
• Consent: any marketing email beyond transactional.
• Legal obligation: retention of billing records.

Only the sub-processors listed on our Subprocessors page. We require each to meet a baseline of security and contractual privacy obligations.

We may disclose data to comply with law, enforce our Terms, or protect Pair, users, or the public.

• Usage logs: 90 days, then aggregated and the raw rows deleted.
• Account data: kept until you delete the account.
• Billing records: 7 years (US tax retention).

You can access, export, correct, or delete your data from the account page or by emailing hello@pair.directory. EU/UK users have the rights under GDPR (Articles 15–22); California users have the rights under CCPA/CPRA.

We respond within 30 days. If we deny a request we'll tell you why and how to escalate to a supervisory authority.

Our infrastructure runs in the United States. For users in the EEA or UK, transfers are covered by Standard Contractual Clauses and the UK Addendum where applicable. A DPA is available on request.

See /legal/security for our security practices and how to report a vulnerability.

The Service is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect personal data from them. If you believe a child has provided us data, email us and we'll delete it.

Material changes will be noted at the top of this page with an updated version stamp. We may notify active users by email when a change materially expands data use.