Privacy Policy

Last updated: March 2026

1. Information We Collect

When you use APIDrift ("Service"), we collect the following types of information:

  • Account information: When you sign in via OAuth (GitHub or Google), we receive your name, email address, and profile avatar from the identity provider.
  • Monitor configuration: API endpoints, schema specifications, and alert preferences you configure within the Service.
  • GitHub repository data: When you connect a GitHub repository, we access repository contents (code files) through the GitHub App to scan for API usage patterns and generate code patches. Repository code is processed in memory and not permanently stored. Only file paths and change descriptions are retained. You can disconnect repositories at any time from Settings.
  • Usage data: Information about how you interact with the Service, including pages visited, features used, and timestamps of activity. This data is collected automatically through server logs.

2. How We Use Information

We use the information we collect to:

  • Provide, maintain, and improve the Service, including monitoring your configured API endpoints and delivering schema change detection.
  • Send you alerts and notifications about detected API changes via your configured alert channels (email, Slack, webhooks, Discord).
  • Perform AI-powered analysis of API schema changes, generate migration guides, and produce code patches using third-party AI services (NanoGPT). API schema diffs and change metadata are sent to AI providers for analysis. No customer source code is stored permanently by AI providers — it is processed in memory and discarded after analysis. AI-generated results (impact analyses, migration guides, code patches) are stored in our database.
  • Communicate with you about your account, billing, and service updates.
  • Analyze usage patterns to improve the Service and develop new features.

3. Data Storage

Your data is stored in a PostgreSQL database managed by Supabase. Our database infrastructure is hosted on servers located in the United States. We implement industry-standard security measures, including encryption in transit (TLS) and at rest, to protect your data.

4. Third-Party Services

We use the following third-party services to operate and improve the Service. Each service has its own privacy policy governing the use of your information:

  • Supabase — Database hosting, authentication, and backend infrastructure.
  • Dodo Payments — Payment processing for subscriptions. We do not store your credit card information; it is handled entirely by Dodo Payments.
  • NanoGPT — Third-party AI service used to analyze API schema changes, generate migration guides, and produce code patches.
  • GitHub — Repository integration for accessing code files, scanning API usage patterns, and creating auto-patch pull requests.
  • Resend — Transactional email delivery for alerts and account notifications.
  • Vercel — Application hosting and deployment.

5. Data Retention

We retain your personal information and account data for as long as your account remains active. AI analysis results (impact analyses, migration guides, and code patches) are retained for the duration of your account. Repository code accessed during auto-patch operations is processed in memory and is not stored. If you request deletion of your account, we will remove your personal data within thirty (30) days of receiving your request. Certain data may be retained for a longer period where required by law or for legitimate business purposes, such as fraud prevention or compliance with legal obligations.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct any inaccurate or incomplete personal data.
  • Deletion: Request that we delete your personal data, subject to certain legal exceptions.
  • Data portability: Request a machine-readable copy of your data.

To exercise any of these rights, please contact us at privacy@apidrift.com. We will respond to your request within thirty (30) days.

7. Cookies

APIDrift uses only essential cookies required for authentication and session management. We do not use third-party tracking cookies, advertising cookies, or analytics cookies. The session cookie is set when you log in and is removed when you log out or when your session expires.

8. Children's Privacy

The Service is not directed to children under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at privacy@apidrift.com.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on the Service. We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

10. Contact

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at privacy@apidrift.com.