Privacy Policy

Last updated: April 11, 2026 · v2.6 · Operated by Vector Apps Inc.

This Privacy Policy describes how Vector Apps Inc. (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use CueAPI. We believe in honest disclosure — this policy describes what actually happens, not what we aspire to.

1. Data Controller

Vector Apps Inc. is the data controller for personal data processed through CueAPI.
Contact: [email protected]

2. Information We Collect

2.1 Account Information

Email address (required for registration). No name, phone number, or physical address is collected. Your API key is stored as a SHA-256 hash — the plaintext is shown once at creation and never stored after that.

2.2 Cue Configurations

Cue definitions you create via the API: name, schedule, callback URL, payload, callback headers, and failure notification preferences. Callback headers may contain authentication tokens for your own services — these are stored as-is and redacted from data exports.

2.3 Execution Logs

When cues fire, we record: execution status, timing, HTTP response status code, error messages, outcome data you report, and evidence metadata. Executions with a terminal status (success, failed, missed, outcome_timeout) are retained for 90 days and then deleted by an automated cleanup job. In-flight executions are never deleted regardless of age.

2.4 Payment Information

Processed entirely by Stripe. We store your Stripe customer ID and subscription ID for billing management. We do not store credit card numbers, bank details, or other payment credentials. See Stripe's privacy policy.

2.5 Support Tickets

Subject, message, severity, and type. Support ticket content (including your email and message) is also posted to GitHub Issues for internal tracking. This means GitHub receives your support ticket content.

2.6 Device Authentication Tokens

When you log in via the CLI, short-lived device codes, verification tokens, and session tokens are created. These have application-level TTLs (typically minutes) and are cleaned up by an automated retention job after expiry.

2.7 Usage Data

Monthly execution counts per account for plan limit enforcement and billing.

2.8 Temporary Data in Redis

IP addresses are stored for up to 70 seconds for rate limiting (sliding window). Auth session caches are stored for 5 minutes. Echo test payloads are stored for 5 minutes. IP addresses are not stored in the database.

2.9 Dashboard Storage

The CueAPI dashboard stores a session token and email in your browser's localStorage. No cookies are set by any CueAPI site. All fonts are self-hosted across all CueAPI sites — no external font loading occurs (see Section 8 for details).

3. How We Use Your Information

  • Operate the scheduling service (create, schedule, deliver, retry cues)
  • Deliver webhook payloads to your callback URLs
  • Process payments and enforce plan limits via Stripe
  • Provide execution logs and outcome tracking
  • Send transactional emails (registration, alerts, deletion confirmation)
  • Rate limit API requests for abuse prevention
  • Respond to support requests

CueAPI does not use your data for advertising, does not sell data, and does not train AI models on your data.

4. Lawful Bases for Processing (GDPR)

  • Contract: Account management, cue scheduling, webhook delivery, billing, support
  • Legitimate interest: Execution logging, rate limiting, error monitoring, security
  • Consent: Memory block subscriptions (opt-in, disabled by default)

5. Data Retention

Data                           Retention
Account profile                Account lifetime
Cue configurations             Until deleted by user
Execution logs (terminal)      90 days (automated cleanup)
Support tickets                Account lifetime
Alerts                         Account lifetime
Usage records                  Account lifetime
Workers                        Account lifetime
Device codes (expired)         Cleaned up by automated job
IP addresses (rate limiting)   70 seconds in Redis
Auth session cache             5 minutes in Redis

On account deletion, all data across all tables is permanently deleted within 24 hours. An audit record is retained with one-way SHA-256 hashes of your user ID and email (no reversible PII).

6. Sub-Processors

We use the following third-party services to operate CueAPI. For full details on each, including what data they receive, see our Sub-Processor Disclosure Page.

  • Railway — Infrastructure hosting (US region)
  • Stripe — Payment processing
  • Resend — Transactional email delivery
  • Cloudflare — CDN, DNS, static site hosting
  • Anthropic — AI content quality evaluation (internal content pipeline only, no user PII)
  • Google — Search indexing only (Search Console). All fonts are self-hosted.
  • Bing / Microsoft — Search indexing

We will notify registered users via email at least 30 days before adding any new sub-processor.

7. International Data Transfers

All CueAPI data is stored on Railway infrastructure in the United States.

All five of our sub-processors that handle personal data have transfer mechanisms in place. Railway and Stripe have Standard Contractual Clauses (SCCs) based on EU Commission Decision 2021/914 and are certified under the EU-US Data Privacy Framework (DPF). Resend and Anthropic rely on SCCs as the primary transfer mechanism (no DPF certification). Cloudflare is DPF certified; SCC acceptance status is pending verification in our Cloudflare dashboard.

If you configure a webhook callback URL pointing to a non-US endpoint, your cue payload and execution data will be transmitted there at your direction.

If you are located in the EU/EEA, please be aware that your data is transferred to and processed in the United States under the transfer mechanisms described above.

8. Cookies and Tracking

CueAPI sets zero cookies across all sites and services.

No analytics scripts (Google Analytics, Plausible, PostHog, etc.), no advertising trackers (Facebook Pixel, LinkedIn Insight, etc.), and no tracking pixels are used on any CueAPI site.

Client-Side Storage (Not Cookies)

  • Dashboard localStorage — Stores a session JWT and email under the key cueapi_auth. Essential for authenticated session management. Cleared on logout.
  • Chat sessionStorage — Stores Jenny AI chat conversation history. Automatically cleared when you close the tab. Used on marketing, docs, and blog sites.

Google Fonts

All CueAPI sites self-host fonts. Our marketing site (cueapi.ai), docs site (docs.cueapi.ai), and blog site (blog.cueapi.ai) load fonts via Next.js font optimization, which downloads fonts at build time. Our dashboard (dashboard.cueapi.ai) uses locally bundled font files. Google does not receive any visitor data from font loading on any CueAPI site.

Because CueAPI sets zero cookies, no cookie consent banner is required under GDPR Article 5(3) of the ePrivacy Directive.

9. Your Rights (GDPR)

If you are in the EU/EEA, you have the following rights. We provide programmatic endpoints for most of them:

Right to Access

View what data we process about you and why.

GET /v1/auth/me/processing

Right to Data Portability

Export all your personal data as machine-readable JSON.

GET /v1/auth/me/export

Right to Erasure

Request permanent deletion of your account and all data. 24-hour grace period with email confirmation and cancellation link.

DELETE /v1/auth/me (requires X-Confirm-Destructive: true)

Right to Rectification

Correct inaccurate personal data.

PATCH /v1/auth/me

Right to Restrict Processing

Pause cue processing without deleting data.

PATCH /v1/cues/{cue_id} with status: "paused"

Right to Object & Right to Withdraw Consent

Contact [email protected] to raise an objection. Memory block consent can be withdrawn via PATCH /v1/auth/me.

You also have the right to lodge a complaint with your local data protection supervisory authority.

10. Your Rights (US State Privacy Laws)

If you are a resident of any US state with a comprehensive privacy law, you have the rights listed below. These rights apply under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), Texas Data Privacy and Security Act (TDPSA), Oregon Consumer Privacy Act, Montana Consumer Data Privacy Act, Iowa Consumer Data Protection Act, Tennessee Information Protection Act, Indiana Consumer Data Protection Act, Delaware Personal Data Privacy Act, New Jersey Data Privacy Act, New Hampshire Privacy Act, Kentucky Consumer Data Protection Act, Maryland Online Data Privacy Act, Minnesota Consumer Data Privacy Act, and Rhode Island Data Transparency and Privacy Protection Act.

Your Rights

  • Right to Know / Access: You can request what personal information we collect, use, and disclose. Use GET /v1/auth/me/processing.
  • Right to Delete: You can request deletion of your personal information. Use DELETE /v1/auth/me.
  • Right to Correct: You can correct inaccurate personal information. Use PATCH /v1/auth/me.
  • Right to Data Portability: You can export your data in machine-readable JSON. Use GET /v1/auth/me/export.
  • Right to Opt-Out of Sale / Sharing: CueAPI does not sell personal information or share it for cross-contextual behavioral advertising. No opt-out action is required. See our Do Not Sell page.
  • Right to Opt-Out of Targeted Advertising: CueAPI does not engage in targeted advertising. No opt-out action is required.
  • Right to Opt-Out of Profiling: CueAPI does not use automated decision-making or profiling that produces legal or similarly significant effects.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

What CueAPI Does Not Do

  • CueAPI does not sell personal information as defined by the CCPA or any other US state privacy law
  • CueAPI does not share personal information for cross-contextual behavioral advertising
  • CueAPI does not use automated decision-making or profiling with legal or similarly significant effects
  • CueAPI does not process sensitive personal information beyond what is necessary for service delivery

How to Exercise These Rights

Use the API endpoints listed above, or contact [email protected]. We will verify your identity before processing any request. We respond to verifiable requests within 45 days (CCPA) or 30 days (other state laws), with extensions as permitted by applicable law.

If you are a CueAPI customer processing personal data on behalf of your end users, see our Data Processing Addendum for the framework governing that processing.

Authorized Agents (California)

California residents may designate an authorized agent to exercise rights on their behalf. The agent must provide written authorization signed by the consumer, and we may verify the consumer's identity directly. Submit authorized agent requests to [email protected].

Global Privacy Control

Because Vector Apps Inc. does not sell or share personal information for cross-contextual behavioral advertising, the Global Privacy Control (GPC) signal has no functional effect on our processing — we already operate as if every user has set GPC to “on.” We do not currently detect the GPC signal at the server level, but our default behavior achieves the same outcome.

Appeals

If we decline a privacy request, you may appeal by emailing [email protected] with “Privacy Appeal” in the subject line. We will respond within 60 days. If your appeal is denied, you may contact your state's attorney general.

11. Data Security

See our Security page for details on how we protect your data. Key measures include API key hashing (SHA-256), webhook signing (HMAC-SHA256), HTTPS-only API traffic, SSRF protection, and rate limiting.

12. Children's Privacy

CueAPI is not directed to users under 13 (or 16 in the EEA). We do not knowingly collect personal data from children.

13. Changes to This Policy

Updated policy is posted at cueapi.ai/privacy. Material changes are communicated via email to registered users at least 30 days in advance.

14. Contact

Email: [email protected]
Company: Vector Apps Inc.
Location: United States

Changelog

v2.6 · Apr 11, 2026

Fixed staleness: removed contradictory Google Fonts language in section 2.9 (fonts are self-hosted across all sites since v2.4).

v2.5 · Apr 11, 2026

Consolidated US state privacy rights covering 18 state laws. Added Do Not Sell page. Added DPA reference. Honest GPC language. Added authorized agent and appeal procedures.

v2.4 · Apr 10, 2026

Self-hosted Google Fonts on blog-site and dashboard. Google entry updated to search indexing only.

v2.3 · Apr 10, 2026

Cloudflare DPA verified as incorporated via Self-Serve Subscription Agreement v6.4.

v2.2 · Apr 10, 2026

DPA verification and GitHub remediation. All sub-processor DPAs verified via direct vendor page review. Verified SCC/DPF status for all 5 sub-processors handling personal data. Removed GitHub from sub-processor list (DPA does not cover our account tier). Updated international data transfers section with accurate SCC/DPF disclosure. Sub-processor count reduced from 8 to 7.

v2.1 · Apr 10, 2026

Updated cookie section with full audit results: zero cookies confirmed across all sites, detailed Google Fonts CDN vs self-hosted breakdown, no consent banner needed.

v2 · Apr 10, 2026

Complete rewrite for GDPR alignment. Added: all 8 sub-processors (was 5), CCPA section, international data transfer disclosure, specific GDPR rights with API endpoints, accurate retention periods, honest data transfer stance, cookie/localStorage disclosure.

v1 · Mar 13, 2026

Initial privacy policy.
