Legal

Privacy Policy

Last updated: April 8, 2026

API Locker is a credential vault and proxy. Our entire product exists to keep sensitive data secure, so we take privacy seriously. This page explains what we collect, what we do with it, and what we never touch.

TL;DR

  • We store your encrypted API keys and proxy requests to the providers you choose.
  • Your raw credentials are encrypted with AES-256-GCM before they hit our database, and the encryption key never leaves our server-side runtime.
  • We do not read, sell, or share the contents of your API calls or responses.
  • We collect the minimum data needed to run the service: your email, your OAuth provider ID, and request metadata for audit logging.
  • You can delete your account and all associated data at any time.

1. What we collect

When you sign up with Google or GitHub, we receive and store:

  • Your email address
  • Your display name and avatar URL
  • A unique identifier from the OAuth provider

When you store a credential, we collect:

  • The friendly name you give it
  • The provider type (OpenAI, Stripe, etc.) so we know how to inject it
  • The encrypted ciphertext of the credential itself

When your apps or agents proxy a request through API Locker, we record:

  • The key and token used
  • The target provider and path
  • The HTTP status code and latency
  • The timestamp and source IP

2. What we do NOT collect

  • We do not log the request body you send to providers.
  • We do not log the response body from providers.
  • We do not decrypt or inspect your stored credentials for any purpose other than injecting them into the outbound request you authorized.
  • We do not sell any data to third parties.
  • We do not use your data to train machine learning models.

3. How we store it

Encrypted credential blobs live in Cloudflare Workers KV, encrypted at rest with AES-256-GCM. The encryption key is stored as an environment secret on Cloudflare Workers and is never exposed to the database or logs. Metadata (your user record, token records, audit logs) lives in Cloudflare D1.

All data in transit is protected by TLS 1.3 via Cloudflare's edge.

4. How we use it

  • To authenticate you when you sign in
  • To proxy requests to the providers you have stored credentials for
  • To enforce token scopes, rotation policies, and revocations
  • To detect anomalous traffic patterns (refresh-token reuse, abnormal request volume)
  • To generate audit logs you can review in your own dashboard

5. Third parties

API Locker itself uses the following third-party services:

  • Cloudflare — hosting, DNS, edge compute, database, and key-value storage
  • Google and GitHub — OAuth sign-in only (we never access data beyond your email and profile)

When you proxy a request through API Locker, that request is forwarded to the API provider you chose (OpenAI, Stripe, Anthropic, etc.). Those providers have their own privacy policies and terms that apply to your usage of their services.

6. Your rights

  • Access: you can view all your stored keys, tokens, and activity logs in the dashboard.
  • Deletion: you can delete individual keys and tokens from the dashboard. To delete your entire account, contact us.
  • Export: activity logs are queryable via the dashboard and API.

7. Retention

We retain your data as long as your account is active. Audit logs are retained for up to 12 months. Deleted keys and tokens are removed from the database immediately; audit log entries referencing deleted resources remain for the retention window.

8. Contact

Questions about this policy? Reach out at privacy@apilocker.app.

This policy is a starting point for a credential-vault product in public beta. If you're planning to use API Locker for regulated data (PCI, HIPAA, GDPR-sensitive data, etc.), contact us before you do — we want to make sure the service fits your compliance needs.