Privacy Policy

Last updated: May 2026 · Effective date: May 1, 2026

Table of Contents

  1. Overview
  2. Information We Collect
  3. How We Use Your Information
  4. Data Storage & Security
  5. API Response Data
  6. Data Sharing
  7. Cookies & Tracking
  8. Your Rights
  9. Data Retention
  10. Children's Privacy
  11. Changes to This Policy
  12. Contact Us

1. Overview

The short version: We collect only what we need to run Endpoint Tracker. We never sell your data. We never store your actual API response bodies — only the schema structure. Your client data stays yours.

Endpoint Tracker ("we", "us", "our") is a software-as-a-service product that monitors external API endpoints for schema changes. This Privacy Policy explains how we collect, use, store, and protect your information when you use our website at endpointtracker.com, our application at app.endpointtracker.com, or our API.

By using Endpoint Tracker, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

Account Information

When you create an account we collect:

  • Your name and email address
  • A hashed password (we never store your plain-text password)
  • Your plan type (Starter, Pro, or Enterprise)
  • Account creation timestamp

Endpoint Configuration

When you add an endpoint to monitor we store:

  • The endpoint URL
  • HTTP method (GET, POST, etc.)
  • Request headers you provide (encrypted at rest using AES-256)
  • Your chosen check frequency
  • The endpoint name you assign

Schema Snapshots

When we poll your endpoints we store:

  • The inferred JSON schema of the response (field names and types only)
  • A fingerprint hash of the schema for change detection
  • The timestamp of the check
  • We do NOT store the actual response body or any values

Usage & Technical Data

We automatically collect:

  • IP address (used for rate limiting and security, not profiling)
  • Browser type and version
  • Pages visited and timestamps
  • Error logs for debugging

Payment Information

Payments are processed by Paystack. We do not store your card details. We receive only a transaction confirmation and your subscription status from Paystack.

3. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the Endpoint Tracker service
  • Send you drift detection alerts via email, Slack, or webhook
  • Process your subscription and manage billing
  • Respond to support requests sent to support@endpointtracker.com
  • Improve the product based on usage patterns
  • Detect and prevent abuse, fraud, or security incidents
  • Send transactional emails (account verification, password reset, payment receipts)

We do not use your data for advertising, sell it to third parties, or use it to train AI models.

4. Data Storage & Security

Your data is stored on servers hosted by Railway (railway.app) in secure data centres. We implement the following security measures:

  • Encryption at rest: All sensitive data including API headers and tokens are encrypted using AES-256
  • Encryption in transit: All connections use TLS 1.2 or higher (HTTPS)
  • Password hashing: Passwords are hashed using bcrypt with a minimum of 12 rounds
  • Session security: Session tokens are stored as SHA-256 hashes — raw tokens are never stored
  • Rate limiting: All authentication endpoints are rate limited to prevent brute force attacks
  • CSRF protection: All state-changing requests require CSRF tokens

While we take security seriously, no system is 100% secure. If you discover a security vulnerability please email support@endpointtracker.com immediately.

5. API Response Data

Important: We only store the structural schema of API responses — not the actual data values. When we poll your endpoint and receive a response like {"amount": 2000, "currency": "usd"}, we store only {"amount": "number", "currency": "string"} and immediately discard the values.

This means:

  • We never see your customers' personal data even if it appears in API responses
  • We never store payment amounts, email addresses, or any PII from API responses
  • Your API response payload never touches our long-term storage

6. Data Sharing

We share data only with the following categories of service providers, and only as necessary to operate the service:

  • Railway — infrastructure and database hosting
  • Resend — transactional email delivery
  • Paystack — payment processing

We do not sell, rent, or trade your personal information with any third party for marketing purposes. We may disclose information if required by law or to protect the rights and safety of our users.

Team Workspaces

If you invite team members to a workspace, they will be able to see the endpoints, snapshots, diffs, and alerts within that workspace. You are responsible for who you invite to your workspaces.

7. Cookies & Tracking

We use the following cookies:

  • Session cookie: A secure, httpOnly cookie to keep you logged in. This is required for the service to function.
  • CSRF token: A cookie used to prevent cross-site request forgery attacks.

We do not use advertising cookies, third-party trackers, or analytics cookies that track you across websites. The landing page at endpointtracker.com does not use any cookies unless you log in.

8. Your Rights

You have the right to:

  • Access: Request a copy of all personal data we hold about you
  • Correction: Update your name or email address via the Profile page
  • Deletion: Delete your account and all associated data at any time via Profile → Danger Zone, or by emailing support@endpointtracker.com
  • Portability: Export your endpoint configurations and drift history as CSV or JSON (Pro/Enterprise plans)
  • Objection: Object to processing of your data by contacting us

To exercise any of these rights, email support@endpointtracker.com. We will respond within 30 days.

9. Data Retention

We retain your data for as long as your account is active. Specifically:

  • Account data: Retained until you delete your account
  • Schema snapshots: 7 days (Starter), 90 days (Pro), 1 year (Enterprise)
  • Diff logs: Same as snapshots based on plan
  • Payment records: 7 years (required for tax and legal compliance)
  • Server logs: 30 days maximum

When you delete your account, all personal data is permanently deleted within 30 days, except payment records which are retained as required by law.

10. Children's Privacy

Endpoint Tracker is not directed at children under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email and by updating the "Last updated" date at the top of this page. Your continued use of Endpoint Tracker after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

Questions about your privacy?

We're happy to answer any questions about how we handle your data.

support@endpointtracker.com