Privacy Policy
This ALETHEIA Privacy Policy is a product-level companion to the HQ Data Policy, which is the controller-level source of truth across the Holistic Quality ecosystem. Where this notice provides additional implementation detail, it is consistent with the HQ Data Policy on controller identity, subprocessors, retention, and rights. In the event of a conflict, the HQ Data Policy governs.
1. Overview and Scope
This Privacy Policy describes how Holistic Quality LLC ("Holistic Quality," "we," "us," "our") collects, uses, discloses, and retains personal data in connection with the ALETHEIA chemical safety intelligence API, related SDKs, documentation, and the websites aletheia.holisticquality.io and safety.holisticquality.io (collectively, the "Service").
ALETHEIA is a business-to-business API. It is designed for use by developers, researchers, and organizations, and it does not knowingly process data of individuals under 18. Because the Service is primarily a data-returning API with narrow personal-data surface, this Privacy Policy is intentionally scoped to the categories of personal data the Service actually processes.
This Privacy Policy is incorporated into the ALETHEIA Terms of Service (the "Terms") by reference. Capitalized terms not defined here have the meanings given in the Terms. In the event of a conflict between this Privacy Policy and the Terms, this Privacy Policy governs solely with respect to the processing of personal data. In the event of a conflict between this Privacy Policy and the Disclaimer, this Privacy Policy governs solely with respect to the processing of personal data, and the Disclaimer governs with respect to all other matters.
2. Personal Data We Collect
2.1 For users accessing the Service through RapidAPI
When you access the Service through the RapidAPI marketplace, RapidAPI is the primary collector of your account and billing information and processes that data under its own privacy policy. The information we receive from RapidAPI in connection with your use is limited to:
- a hashed API-key identifier associated with your RapidAPI account
- request metadata (endpoint called, timestamp, request-level parameters, rate-limit tier)
- response metadata (status code, latency, error details where applicable)
We do not receive your RapidAPI account email address, password, payment card details, or billing address.
2.2 For users with a direct-issued API key
For users issued an API key directly by Holistic Quality (if offered), we collect:
- the email address provided at the time of key issuance
- the organization name, if provided
- the API key itself, stored as a one-way hash
- request and response metadata as described above
2.3 For visitors to our websites
When you visit aletheia.holisticquality.io or safety.holisticquality.io, our hosting provider (currently Vercel) and our CDN (currently Cloudflare) process technical information in server logs, including:
- IP address
- browser type, version, and User-Agent string
- referring URL
- pages visited, time and date of visit
- request and response metadata, including error details where applicable
This technical information is logged by our service providers primarily for infrastructure reliability, security, and abuse prevention under their respective privacy policies. For our own analytics, we access aggregated or anonymized data only.
A current list of subprocessors and core service providers that may process personal data on our behalf is maintained at /privacy/subprocessors. We also use cookies and similar technologies only as described in our Cookie Notice.
2.4 Data we do not collect
We do not collect, store, or process:
- payment card or bank account information (handled by RapidAPI or other payment processors)
- government-issued identifiers (SSN, national ID, passport, etc.)
- biometric or health data
- precise geolocation beyond IP-level inference
- data about individuals who are not our users
3. How We Use Personal Data
We process personal data only for the following purposes:
- Providing the Service: authenticating API calls, enforcing rate limits, and routing requests.
- Operational reliability: debugging errors, monitoring performance, and preventing abuse (such as credential stuffing, scraping, or denial-of-service attempts).
- Aggregate analytics: understanding usage patterns in aggregate to improve the Service. We do not use identifiable request-level data to profile individual users. Request parameters (such as chemical identifiers, CAS numbers, and material compositions) may constitute sensitive business information; we do not use query patterns for competitive intelligence purposes, and we do not share them with third parties except as required for Service operation or by law.
- Communications: responding to support requests and sending service-related notices (outages, security advisories, material changes to the Terms or this Privacy Policy).
- Legal and compliance: complying with applicable law, responding to lawful requests from authorities, and enforcing our Terms.
We do not sell personal data. We do not use personal data for advertising or behavioral targeting. We do not share personal data with advertisers.
4. Legal Bases (for users in the EEA, UK, and similar jurisdictions)
Where applicable law requires a legal basis for processing personal data, we rely on:
- Contract performance — for data processing necessary to provide the Service to you.
- Legitimate interests — for operational reliability, fraud prevention, and aggregate analytics, where our interests are not overridden by your rights.
- Legal obligation — where processing is required by law.
- Consent — for any processing for which we specifically ask for and obtain your consent.
5. Sharing and Disclosure
We share personal data only with:
- Service providers who process personal data on our behalf under contracts that require them to use the data only to provide services to us: hosting (Vercel), CDN and edge security (Cloudflare), and operational tooling (including, for users with direct-issued accounts, transactional email and payment processors). A current list is maintained at /privacy/subprocessors.
- RapidAPI, which is an independent data controller for its marketplace users' accounts and billing data and operates under its own terms and privacy policy rather than as a processor for Holistic Quality. We receive only the limited information described in Section 2.1 from RapidAPI.
- Successors in the event of a merger, acquisition, reorganization, or sale of assets, with notice to you where required.
- Authorities and third parties when required by law, subpoena, or court order, or where necessary to protect rights, property, or safety.
We do not share personal data with any other third party without your consent.
6. Data Retention
We retain personal data only for as long as needed to provide the Service and for the purposes described in Section 3, or longer where retention is required by law. The full canonical retention matrix (with GDPR Art. 6 legal basis per category) is maintained in the HQ Data Policy. The categories most directly relevant to the Service are:
- Request and response metadata (timestamp, endpoint, key hash, /24-truncated IP, status) is retained for up to 90 days in active logs. We do not maintain a separate identifiable archival tier.
- Request and response bodies, query parameters, and payload contents are never logged or stored — they are processed transiently in memory only.
- Account data (email, organization, hashed API key) is retained while your subscription is active and, after cancellation, for a baseline of 90 days, extended to a maximum of 120 days only if an open Stripe chargeback or dispute window applies. After that window it is deleted or de-identified unless a legal, fraud, or security hold requires temporary preservation.
- Rate-limit counters auto-expire after 24 hours.
- Encrypted backups (Upstash snapshots) roll off within 35 days of source-record deletion.
- Verified erasure requests are processed without undue delay after verification (typically within 30 days), and in any case within a shorter period than the normal post-cancellation retention window.
- Aggregated or anonymized analytics data may be retained indefinitely, as it no longer identifies individuals.
7. Security and Breach Notification
We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal data, including transport encryption (TLS), hashed storage of API keys, and access controls. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.
Breach notification. If we become aware of a breach affecting your personal data, we will notify you without undue delay. Where applicable law requires it, we will also notify the relevant supervisory authorities within 72 hours of becoming aware of the breach, or within any shorter period that law requires. For breaches affecting RapidAPI-routed users, we will coordinate with RapidAPI in good faith.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- access the personal data we hold about you;
- correct inaccurate personal data;
- delete your personal data, subject to legal and contractual retention requirements;
- restrict or object to certain processing;
- portability — receive a copy of your personal data in a structured, machine-readable format;
- withdraw consent, where processing is based on consent;
- lodge a complaint with a supervisory authority in your jurisdiction.
To exercise any of these rights, contact us at the address in Section 12. We will respond within the timeframe required by applicable law. For users accessing through RapidAPI, primary responsibility for rights requests lies with RapidAPI, and our ability to fulfill certain requests (such as portability or deletion of request metadata) is limited by technical and operational constraints inherent to a small-scale B2B API operator.
Users accessing through RapidAPI should direct rights requests concerning their RapidAPI account information to RapidAPI directly. We will coordinate with RapidAPI in good faith for data under our shared responsibility.
9. International Transfers
Holistic Quality LLC is based in Ohio, USA. Core ALETHEIA account and hashed-API-key records are stored in Upstash Redis on AWS eu-west-1 (Ireland), inside the European Union. Other subprocessors (Vercel, Cloudflare, Stripe, Resend) may process personal data in the United States or across global networks. Where applicable law requires safeguards for cross-border transfers, we rely on contractual protections including the European Commission's 2021 Standard Contractual Clauses, which are incorporated by reference in each subprocessor's Data Processing Addendum. Per-processor transfer-mechanism status (SCC execution, EU-US Data Protection Framework participation) is tracked at /api/compliance.
10. Children
The Service is not directed to children under 18, and we do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, contact us and we will take reasonable steps to delete it.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be announced at least thirty (30) days before taking effect, through the Service website, the RapidAPI listing, or, for users with direct-issued accounts, via email to the address associated with your account. Continued use of the Service after the effective date of a change constitutes acceptance of the updated Privacy Policy.
12. Contact
Questions about this Privacy Policy or our data practices:
Holistic Quality LLC
Lebanon, Ohio
privacy@holisticquality.io