Privacy Policy
Last updated: March 2026
1. Introduction
API Lens (“we”, “us”, “our”) is a SaaS tool for tracking AI API spending across providers such as OpenAI, Anthropic, Google Gemini, and others. This Privacy Policy explains what data we collect, how we use it, and how we protect it.
By using API Lens, you agree to the practices described in this policy. If you have any questions, contact us at privacy@apilens.tech.
2. What We Collect
We collect the minimum data necessary to provide the service:
- Email address — required for authentication via Supabase.
- Full name — optional, used only for your profile display.
- API key credentials — any provider API keys you choose to add. These are encrypted before storage (see Section 5).
- Usage records — token counts and cost data synced from provider APIs on your behalf.
- Budget and alert preferences — thresholds and notification settings you configure.
3. What We Do NOT Collect
- We do not collect payment card data — payments are handled entirely by Dodo Payments on their secure infrastructure.
- We do not sell your data to third parties.
- We do not use your data for advertising or marketing profiling.
- We do not train AI models on your data.
4. How We Use Your Data
- To provide the service — syncing usage records, rendering dashboards, and evaluating budget thresholds.
- To send transactional emails — budget alerts, key rotation reminders, and account notifications — via Resend.
- To process subscription payments via Dodo Payments.
5. Credential Encryption & Zero-Knowledge Architecture
This is the most important section of this policy. We want to be completely transparent about how your API keys are stored and protected.
All API keys you add are encrypted using AES-256-GCM before being written to the database. They are never stored in plaintext.
Each key gets its own unique Data Encryption Key (DEK), so a compromise of one key cannot expose others.
The DEK itself is encrypted with a master key stored as a write-only secret in Vercel's infrastructure — it is never exposed through any API or log.
Once set, this master key cannot be retrieved by anyone — including the API Lens founder.
This is a technical control, not just a policy promise: we are architecturally unable to read your stored credentials. There is no admin panel, no backdoor, and no override mechanism that would allow us to see your plaintext API keys.
Your keys are decrypted only in memory during automated sync operations, and are immediately discarded afterward. They are never logged, cached to disk, or transmitted to any third party.
We cannot comply with requests — including legal demands — to hand over your plaintext API keys, because we genuinely cannot read them. We can confirm a key exists; we cannot reveal its value.
6. Data Retention
- Your data is retained as long as your account is active.
- On account deletion, all your data — including encrypted credentials, usage records, and preferences — is permanently deleted.
- Usage records older than 12 months may be archived to cold storage for billing integrity and are deleted within 90 days of account closure.
7. Third-Party Services
We use the following sub-processors to deliver the service. Each operates under its own privacy policy and data processing terms:
- Supabase (database & authentication): EU / US data centers. Your data is stored in the region you select at sign-up.
- Dodo Payments (payment processing): India-based payment gateway. Payment card data never touches our servers.
- Resend (transactional email): used only for alerts, rotation reminders, and account emails.
- Vercel (hosting & edge compute): US-based infrastructure. Hosts the Next.js application and stores the master encryption key secret.
8. Your Rights
- Export your data at any time from the Reports page inside the dashboard.
- Delete your account and all associated data from Settings → Account.
- Contact us at privacy@apilens.tech for any data requests, corrections, or concerns.
9. Contact
For privacy-related inquiries, email us at privacy@apilens.tech. We aim to respond within 5 business days.