Last updated: April 2026

Privacy Policy

This Privacy Policy describes how FR-APIaaS collects, uses, stores, and protects account, service usage, and billing-related information. For terms specific to biometric data processed through the API, see our Biometric Data Privacy Policy.

What We Collect

We collect the following categories of data when you use FR-APIaaS:

  • Account information — your name, email address, and organization name provided at registration.
  • Usage data — API call counts, timestamps, endpoint names, response times, HTTP status codes, and rate limit metrics. This data supports service operations, troubleshooting, abuse prevention, and usage reporting.
  • Billing information — billing address and payment method details, processed and stored securely by Stripe. We receive only a tokenized reference, never your full card number.
  • Cookies and analytics — session cookies required for authentication, and optional analytics cookies to understand how the dashboard is used (see the Cookies section below).
  • Support communications — messages you send to our support team by email or through future support channels we may provide.

How We Use Your Data

We use the data we collect to:

  • Provide, operate, secure, and maintain the FR-APIaaS platform and API.
  • Send transactional emails such as invoices, payment confirmations, plan change notifications, and account security alerts.
  • Respond to support requests and resolve technical issues.
  • Improve the platform by analyzing aggregated service patterns to prioritize product and reliability work.
  • Comply with legal obligations, including responding to lawful requests from government authorities.
  • Enforce our Terms of Service and detect abuse or fraudulent activity.

We do not use your data for materially different purposes without an appropriate legal basis and, where required, your consent.

What We Don't Do

For clarity:

  • We do not sell your personal data to third parties.
  • We do not share your data with advertisers or data brokers.
  • We do not use your biometric data (face embeddings or images submitted via the API) to train or improve our recognition models without your explicit written consent.
  • We do not send you marketing emails unless you have opted in.
  • We do not use your data to build profiles for advertising purposes.

Cookies

We use two categories of cookies within the FR-APIaaS dashboard:

  • Strictly necessary cookies — required for authentication sessions and CSRF protection. These cannot be disabled while using the dashboard. They expire when your session ends or after 30 days of inactivity.
  • Analytics cookies (optional) — used to understand page views, feature usage, and navigation patterns within the dashboard. These are only set if you consent. You can opt out at any time from your account settings.

We do not use advertising cookies, and cookie-derived information is not shared with ad networks.

Data Retention

  • Account data is retained while your account is active and for 90 days after account deletion, to allow recovery in case of accidental deletion.
  • Biometric data (face embeddings and stored images) is deleted according to the retention policy you configure on each collection, or within 30 days of account termination — whichever comes first. See our Biometric Data Privacy Policy for details.
  • API access logs (request timestamps, endpoints, response codes) are retained for 90 days, then automatically purged.
  • Billing records are retained for 7 years to comply with financial reporting obligations.
  • Support communications are retained for 2 years after resolution.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

GDPR (EU/EEA residents):

  • Access — request a copy of the personal data we hold about you.
  • Portability — receive your data in a machine-readable format.
  • Erasure — request deletion of your personal data ("right to be forgotten").
  • Restriction — request that we restrict processing while a dispute is resolved.
  • Objection — object to processing based on legitimate interests.

CCPA (California residents):

  • Know — know what personal data we collect and how it is used.
  • Delete — request deletion of your personal data.
  • Opt-out — opt out of the sale of personal data (we do not sell data, but this right is acknowledged).

To exercise these rights, contact us at privacy@fr-apiaas.io. We respond within 30 days.

Third-Party Services

We use the following third-party service providers, each of which maintains its own privacy notice:

  • Stripe — payment processing. See the Stripe Privacy Policy.
  • AWS / GCP — cloud infrastructure and data storage. Data residency is determined by the region you select at account creation. See AWS Privacy / GCP Privacy.
  • Sentry — application error monitoring. Error events may include request metadata but are scrubbed of biometric payloads. See Sentry Privacy.

We do not authorize these providers to use customer data for their own marketing purposes.

Security

We implement industry-standard technical and organizational controls to protect your data:

  • All data is encrypted in transit using TLS 1.3.
  • Data at rest is encrypted with AES-256.
  • API keys are hashed using a one-way algorithm and are never stored in recoverable plaintext form.
  • Access to production systems is restricted to authorized personnel with MFA enforced.
  • We conduct regular security audits and penetration tests.
  • All infrastructure access is logged and monitored for anomalies.

To report a security vulnerability, contact security@fr-apiaas.io.

Contact

For privacy inquiries, data subject requests, or questions about this policy:

Privacy Team: privacy@fr-apiaas.io

DPA requests: privacy@fr-apiaas.io

Security disclosures: security@fr-apiaas.io

For biometric-specific data handling, please also review our Biometric Data Privacy Policy.