Privacy Policy

This ALETHEIA Privacy Policy is a product-level companion to the HQ Data Policy, which is the controller-level source of truth across the Holistic Quality ecosystem. Where this notice provides additional implementation detail, it is consistent with the HQ Data Policy on controller identity, subprocessors, retention, and rights. In the event of a conflict, the HQ Data Policy governs.

1. Overview and Scope

This Privacy Policy describes how Holistic Quality LLC ("Holistic Quality," "we," "us," "our") collects, uses, discloses, and retains personal data in connection with the ALETHEIA chemical safety reference API, related SDKs, documentation, and the websites aletheia.holisticquality.io and safety.holisticquality.io (collectively, the "Service").

ALETHEIA is a business-to-business API. It is designed for use by developers, researchers, and organizations, and it does not knowingly process data of individuals under 18. Because the Service is primarily a data-returning API with narrow personal-data surface, this Privacy Policy is intentionally scoped to the categories of personal data the Service actually processes.

This Privacy Policy is incorporated into the ALETHEIA Terms of Service (the "Terms") by reference. Capitalized terms not defined here have the meanings given in the Terms. In the event of a conflict between this Privacy Policy and the Terms, this Privacy Policy governs solely with respect to the processing of personal data. In the event of a conflict between this Privacy Policy and the Disclaimer, this Privacy Policy governs solely with respect to the processing of personal data, and the Disclaimer governs with respect to all other matters.

2. Personal Data We Collect

2.1 For users accessing the Service through RapidAPI

When you access the Service through the RapidAPI marketplace, RapidAPI is the primary collector of your account and billing information and processes that data under its own privacy policy. The information we receive from RapidAPI in connection with your use is limited to:

• a hashed API-key identifier associated with your RapidAPI account
• request metadata (endpoint called, timestamp, request-level parameters, rate-limit tier)
• response metadata (status code, latency, error details where applicable)

We do not receive your RapidAPI account email address, password, payment card details, or billing address.

2.2 For users with a direct-issued API key

For users issued an API key directly by Holistic Quality (if offered), we collect:

• the email address provided at the time of key issuance
• the organization name, if provided
• the API key itself, stored as a one-way hash
• request and response metadata as described above

2.3 For visitors to our websites

When you visit aletheia.holisticquality.io or safety.holisticquality.io, our hosting provider (currently Vercel) and our CDN (currently Cloudflare) process technical information in server logs, including:

• IP address
• browser type, version, and User-Agent string
• referring URL
• pages visited, time and date of visit
• request and response metadata, including error details where applicable

This technical information is logged by our service providers primarily for infrastructure reliability, security, and abuse prevention under their respective privacy policies. For our own analytics, we access aggregated or anonymized data only.

A current list of subprocessors and core service providers that may process personal data on our behalf is maintained at /privacy/subprocessors. We also use cookies and similar technologies only as described in our Cookie Notice.

2.4 Data we do not collect

We do not collect, store, or process:

• payment card or bank account information (handled by RapidAPI or other payment processors)
• government-issued identifiers (SSN, national ID, passport, etc.)
• biometric or health data
• precise geolocation beyond IP-level inference
• data about individuals who are not our users

3. How We Use Personal Data

We process personal data only for the following purposes:

• Providing the Service: authenticating API calls, enforcing rate limits, and routing requests.
• Operational reliability: debugging errors, monitoring performance, and preventing abuse (such as credential stuffing, scraping, or denial-of-service attempts).
• Aggregate analytics: understanding usage patterns in aggregate to improve the Service. We do not use identifiable request-level data to profile individual users. Request parameters (such as chemical identifiers, CAS numbers, and material compositions) may constitute sensitive business information; we do not use query patterns for competitive intelligence purposes, and we do not share them with third parties except as required for Service operation or by law.
• Communications: responding to support requests and sending service-related notices (outages, security advisories, material changes to the Terms or this Privacy Policy).
• Legal and compliance: complying with applicable law, responding to lawful requests from authorities, and enforcing our Terms.

We do not sell personal data. We do not use personal data for advertising or behavioral targeting. We do not share personal data with advertisers.

4. Legal Bases (for users in the EEA, UK, and similar jurisdictions)

Where applicable law requires a legal basis for processing personal data, we rely on:

• Contract performance — for data processing necessary to provide the Service to you.
• Legitimate interests — for operational reliability, fraud prevention, and aggregate analytics, where our interests are not overridden by your rights.
• Legal obligation — where processing is required by law.
• Consent — for any processing for which we specifically ask for and obtain your consent.

5. Sharing and Disclosure

We share personal data only with:

• Service providers who process personal data on our behalf under contracts that require them to use the data only to provide services to us: hosting (Vercel), CDN and edge security (Cloudflare), and operational tooling (including, for users with direct-issued accounts, transactional email and payment processors). A current list is maintained at /privacy/subprocessors.
• RapidAPI, which is an independent data controller for its marketplace users' accounts and billing data and operates under its own terms and privacy policy rather than as a processor for Holistic Quality. We receive only the limited information described in Section 2.1 from RapidAPI.
• Successors in the event of a merger, acquisition, reorganization, or sale of assets, with notice to you where required.
• Authorities and third parties when required by law, subpoena, or court order, or where necessary to protect rights, property, or safety.

We do not share personal data with any other third party without your consent.

6. Data Retention

We retain personal data only for as long as needed to provide the Service and for the purposes described in Section 3, or longer where retention is required by law. The full canonical retention matrix (with GDPR Art. 6 legal basis per category) is maintained in the HQ Data Policy. The categories most directly relevant to the Service are:

• Request and response metadata (timestamp, endpoint, key hash, /24-truncated IP, status) is retained for up to 90 days in active logs. We do not maintain a separate identifiable archival tier.
• Request and response bodies, query parameters, and payload contents are never logged or stored — they are processed transiently in memory only.
• Account data (email, organization, hashed API key) is retained while your subscription is active and, after cancellation, for a baseline of 90 days, extended to a maximum of 120 days only if an open Stripe chargeback or dispute window applies. After that window it is deleted or de-identified unless a legal, fraud, or security hold requires temporary preservation.
• Rate-limit counters auto-expire after 24 hours.
• Encrypted backups (Upstash snapshots) roll off within 35 days of source-record deletion.
• Verified erasure requests are processed without undue delay after verification (typically within 30 days) and always shorter than the normal post-cancellation window.
• Aggregated or anonymized analytics data may be retained indefinitely, as it no longer identifies individuals.

7. Security and Breach Notification

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal data, including transport encryption (TLS), hashed storage of API keys, and access controls. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.

Breach notification. If we become aware of a breach affecting your personal data, we will notify you without undue delay, and we will notify applicable authorities within 72 hours (or such shorter period) where required by applicable law. For breaches affecting RapidAPI-routed users, we will coordinate with RapidAPI in good faith.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• access the personal data we hold about you;
• correct inaccurate personal data;
• delete your personal data, subject to legal and contractual retention requirements;
• restrict or object to certain processing;
• portability — receive a copy of your personal data in a structured, machine-readable format;
• withdraw consent, where processing is based on consent;
• lodge a complaint with a supervisory authority in your jurisdiction.

To exercise any of these rights, contact us at the address in Section 12. We will respond within the timeframe required by applicable law, provided that for users accessing through RapidAPI, primary responsibility for rights requests lies with RapidAPI, and our ability to fulfill certain rights (such as portability or deletion of request metadata) is limited by technical and operational constraints inherent to a small-scale B2B API operator.

Users accessing through RapidAPI should direct rights requests concerning their RapidAPI account information to RapidAPI directly. We will coordinate with RapidAPI in good faith for data under our shared responsibility.

9. California Privacy Rights (CCPA / CPRA)

This Section supplements the rest of this Privacy Policy with disclosures and rights specific to residents of California, as required by the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"). It applies only to California residents and only to the extent the CCPA applies to our processing of your personal information ("PI"). Capitalized terms used in this Section but not otherwise defined have the meanings given in the CCPA.

9.1 Categories of personal information we collect

Within the past twelve (12) months, we have collected the following CCPA-enumerated categories of PI from California residents in connection with the Service:

• Identifiers — email address (for direct-issued account holders), hashed API-key identifier, IP address (truncated to /24 for retention).
• Customer records (Cal. Civ. Code § 1798.80(e)) — organization name and email address, where you provide them.
• Commercial information — subscription tier and billing-related metadata received from RapidAPI or Stripe.
• Internet or other electronic network activity — request and response metadata (endpoint called, timestamp, status, latency, User-Agent, referring URL).
• Geolocation data — coarse, IP-derived only. We do not collect precise geolocation.
• Inferences — none. We do not draw inferences from your PI to create a profile reflecting your preferences, characteristics, behavior, or aptitudes.

We do not collect the following CCPA categories: biometric information; sensory data (audio, visual, thermal, olfactory); professional or employment-related information; education information; or characteristics of protected classifications under California or federal law.

9.2 Sensitive personal information

We do not knowingly collect "Sensitive Personal Information" as defined in CCPA § 1798.140(ae) (e.g., government identifiers, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, biometric data, health data, or contents of personal communications). Accordingly, the right to limit the use of Sensitive PI does not have practical effect because we do not use Sensitive PI.

9.3 Sources of personal information

We collect PI directly from you (when you create a direct-issued account, contact us, or submit a form on our websites), from RapidAPI (limited to the categories described in Section 2.1), and from your interactions with the Service (request and response metadata).

9.4 Business and commercial purposes

We use PI for the business purposes described in Section 3 (Providing the Service, operational reliability, aggregate analytics, communications, and legal and compliance). We do not use PI for any other commercial purpose.

9.5 Disclosure of PI to third parties

In the past twelve (12) months we have disclosed PI to the categories of service providers and third parties listed in Section 5 (Sharing and Disclosure), for the business purposes described in Section 3. The current list of subprocessors is maintained at /privacy/subprocessors.

9.6 We do not "sell" or "share" personal information

We do not sell PI as that term is defined in the CCPA, and we do not share PI for cross-context behavioral advertising. We do not have actual knowledge of selling or sharing PI of consumers under sixteen (16) years of age. Because we neither sell nor share PI, we do not maintain a "Do Not Sell or Share My Personal Information" link; this Section serves as the disclosure of that fact.

9.7 Your California privacy rights

Subject to verification and the limitations below, California residents have the following rights under the CCPA:

• Right to Know — request the categories and specific pieces of PI we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties to whom we have disclosed PI.
• Right to Delete — request deletion of PI we have collected from you, subject to legally permitted exceptions (e.g., to complete a transaction, comply with a legal obligation, or detect and prevent security incidents).
• Right to Correct — request correction of inaccurate PI we maintain about you.
• Right to Opt-Out of Sale or Sharing — not applicable. We do not sell or share PI (see Section 9.6).
• Right to Limit Use of Sensitive PI — not applicable. We do not collect Sensitive PI (see Section 9.2).
• Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights, including by denying service, charging different prices, or providing a different level or quality of service. We do not offer financial incentives for the collection of PI.

9.8 How to exercise your rights

To submit a request to know, delete, or correct, contact us at privacy@holisticquality.io. For deletion requests we will use the verified-erasure flow at /api/keys/erasure, which sends a one-time verification code to the email address associated with the account being erased. We will respond to verifiable consumer requests within forty-five (45) days, with one extension of up to forty-five (45) additional days where reasonably necessary, as permitted by the CCPA.

Authorized agents. You may designate an authorized agent to make a request on your behalf. We may require the agent to provide written permission signed by you and, for verification, may contact you directly. We may also require proof of the agent's identity and the existence of the agency relationship.

Limitations. Our ability to fulfill certain rights is constrained by the technical and operational realities of a small-scale B2B API. For users accessing the Service through RapidAPI, the primary controller of your account information is RapidAPI; please direct related rights requests to RapidAPI. We retain certain PI for the periods described in Section 6 even after a deletion request to the extent permitted by the CCPA's permitted-purposes exceptions (security, legal compliance, completion of transactions).

9.9 Notice of financial incentives

We do not offer any financial incentive or price difference in exchange for the collection, sale, sharing, or retention of PI.

9.10 Metrics

The CCPA requires businesses that buy, sell, or share the PI of 10,000,000 or more California residents per calendar year to publish certain request-handling metrics. We do not approach that threshold and are therefore not required to publish those metrics.

10. International Transfers

Holistic Quality LLC is based in Ohio, USA. Core ALETHEIA account and hashed-API-key records are stored in Upstash Redis on AWS eu-west-1 (Ireland), inside the European Union. Other subprocessors (Vercel, Cloudflare, Stripe, Resend) may process personal data in the United States or across global networks. Where applicable law requires safeguards for cross-border transfers, we rely on contractual protections including the European Commission's 2021 Standard Contractual Clauses, which are incorporated by reference in each subprocessor's Data Processing Addendum. Per-processor transfer-mechanism status (SCC execution, EU-US Data Protection Framework participation) is tracked at /api/compliance.

For B2B customers who require a signed processor agreement, see the Data Processing Agreement — it is Article 28 GDPR-compliant, incorporates the EU SCCs (Module Two, Controller-to-Processor) and the UK IDTA by reference, and applies to every Customer of the Service.

11. Children

The Service is not directed to children under 18, and we do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, contact us and we will take reasonable steps to delete it.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be announced at least thirty (30) days before taking effect, through the Service website, the RapidAPI listing, or, for users with direct-issued accounts, via email to the address associated with your account. Continued use of the Service after the effective date of a change constitutes acceptance of the updated Privacy Policy.

13. Contact

Questions about this Privacy Policy or our data practices, including requests to exercise the rights described in Sections 8 and 9:

Holistic Quality LLC
Lebanon, Ohio
privacy@holisticquality.io