1. Data Controller
The data controller is ChinaAPI Global Ltd., Hong Kong SAR, China. Contact: privacy@chinaapi.com
2. Data We Collect
- Account data: Email, name, password hash (bcrypt)
- API usage metadata: Model name, token count, latency, status codes
- Payment data: Processed by Stripe; we do not store card numbers
- Technical data: IP address (hashed), browser type for security
3. Data We Do NOT Collect
We do NOT store:
- API prompt/message content
- AI model responses
- System prompts
- Credit card numbers (handled by Stripe)
- Plaintext passwords (bcrypt hash only)
4. Legal Basis (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)): Account creation, API access, billing
- Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention
- Consent (Art. 6(1)(a)): Marketing communications (opt-in)
- Legal obligation (Art. 6(1)(c)): Tax records retention (7 years)
5. Data Retention
- Account data: Until deletion + 30 days
- API usage metadata: 90 days
- Billing records: 7 years (legal requirement)
- Support tickets: 12 months after closure
- IP access logs: 30 days
6. International Data Transfer
Your API requests are forwarded to AI model providers in China. This is necessary for service provision. We do not store the content of these requests.
7. Your Rights
- Right of Access: Request a copy of your data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Request account deletion
- Right to Portability: Export data in machine-readable format
- Right to Object: Object to processing based on legitimate interest
To exercise your rights, contact privacy@chinaapi.com. We respond within 30 days.
8. Data Security
We use TLS 1.2+ encryption in transit, AES-256 at rest, and bcrypt for passwords. In the event of a data breach, we will notify affected users within 72 hours.
9. Cookies
We only use essential session cookies for authentication. We do not use advertising or tracking cookies.
10. Contact
For privacy-related questions, contact privacy@chinaapi.com or use our Help & Feedback page. EU/EEA users may also lodge complaints with their local data protection authority (DPA).