Data Policy

Version 2.0 · Last updated: April 2026

This policy explains how Holistic Quality LLC ("HQ," "we," "us") collects, uses, stores, and deletes data across the HQ ecosystem, including holisticquality.io, aletheia.holisticquality.io, api.aletheia.holisticquality.io, and related support flows. It is the controller-level source of truth for privacy claims made across our public properties. Where the ALETHEIA website privacy notice or API-served privacy pages provide additional implementation detail, those details must remain consistent with this policy on controller identity, retention, subprocessors, rights, and contact information.

The Short Version

We collect the minimum data required to operate the service. We do not sell it, share it with advertisers, or build profiles on you. Your API usage is yours. We do not store the content of your API requests or responses as part of ordinary service operation, and we do not use customer request content for advertising, model training, or competitive profiling.

Scope and Roles

Holistic Quality LLC is the data controller for the customer and visitor data described in this policy.

Direct-issued ALETHEIA accounts — Holistic Quality LLC is the controller.
RapidAPI marketplace users — RapidAPI (R Software Inc.) is an independent data controller for its users' account, billing, and KYC data under its own privacy policy. RapidAPI is not a subprocessor of Holistic Quality. Holistic Quality receives only the limited hashed-key identifier and usage metadata needed to authenticate, route, secure, and meter API calls; we do not receive your name, email address, or payment details from RapidAPI.
Website visitors and all other flows — Holistic Quality LLC is the controller.

What We Collect

For direct-issued ALETHEIA trials and subscriptions:

Email address — used for account setup, key delivery, service notices, and verified privacy requests.
Organization name (optional) — provided for enterprise or billing context.
Hashed API key record — used to authenticate access and manage subscription state.
Subscription and trial status — plan tier, renewal state, key status.
Stripe customer reference — used for billing reconciliation. We never receive or store full card numbers.

API request metadata (collected for every call):

Timestamp, endpoint called, HTTP status code, one-way hash of your API key, and your IP address truncated to a /24 subnet (e.g., 203.0.113.xxx). This record is used only for rate limiting, abuse detection, and security audit. It is auto-deleted after 90 days and is never used to profile you or anyone else. Request and response bodies, query parameters, and payload contents are never logged or stored.

For website visitors:

Basic server and security logs processed by Vercel and Cloudflare (truncated IP, User-Agent, request path, timestamp, error details).
Privacy-respecting aggregated analytics (Vercel Analytics) used only to understand page usefulness. No advertising pixels or cross-site tracking.

What We Do Not Collect

The content of your API requests or responses (chemical identifiers, CAS numbers, compositions, query parameters, or any business substance). These are processed transiently in memory only and never written to persistent storage on our servers or our subprocessors' servers.
Full IP addresses (we retain only a /24-truncated subnet for security purposes).
Full payment card numbers or bank account credentials (handled directly by Stripe).
Advertising identifiers, data-broker segments, or behavioral profiling data.
Browser fingerprinting for advertising or cross-site profiling.
Data about the end users of applications you build with our API (unless you send it to us directly in a support workflow).
Biometric, health, genetic, or government-issued identification data.

How We Use Data

Service delivery — issuing and validating keys, enforcing plan limits, routing requests.
Security and abuse prevention — detecting credential abuse, scraping, denial-of-service, and other misuse.
Operations and reliability — debugging, uptime monitoring, performance improvement via aggregate statistics.
Billing and account administration — subscriptions, invoices, cancellations, refunds, chargeback reconciliation.
Communications — service notices, key delivery, security advisories, support responses.
Legal compliance — responding to lawful requests, enforcing terms, documenting privacy-rights handling.

Legal Bases for Processing

For users located in the European Economic Area, the United Kingdom, and other GDPR-aligned jurisdictions, we process personal data under the following lawful bases (GDPR Art. 6):

Performance of a contract (Art. 6(1)(b)) — processing your email, hashed key, and subscription state is necessary to deliver the API service you purchased.
Legitimate interests (Art. 6(1)(f)) — logging truncated IPs and request metadata is necessary for our legitimate interest in securing the API, preventing abuse, enforcing rate limits, and ensuring operational stability. We balance these interests against your rights and limit collection to what is strictly necessary.
Legal obligation (Art. 6(1)(c)) — retaining financial transaction records to comply with corporate tax, accounting, and dispute-resolution obligations.
Consent (Art. 6(1)(a)) — where we ask for consent (for example, optional analytics preferences), you may withdraw it at any time without affecting the lawfulness of prior processing.

How Data Is Stored and Shared

Core ALETHEIA account and key records are stored in Upstash Redis hosted on AWS eu-west-1 (Ireland). Website and application infrastructure runs on Vercel. Edge delivery and security controls are provided by Cloudflare. Transactional email is sent through Resend. Payments are processed by Stripe.

Our canonical subprocessor list (all tiers must mirror this exactly):

Cloudflare — DNS, CDN, edge security, DDoS protection, bot management, edge rate limiting. Privacy Policy · DPA
Vercel — website hosting, serverless execution, infrastructure logs. Privacy Policy · DPA
Upstash — managed Redis (eu-west-1). Privacy Policy · DPA
Resend — transactional email. Privacy Policy · DPA
Stripe — payment processing. Privacy Policy · DPA

We do not share personal data with advertisers. We may disclose data to law enforcement or other third parties only when required by law, legal process, or a good-faith need to protect rights, safety, or service integrity.

International Transfers

Holistic Quality LLC is based in Ohio, USA. Upstash processes API key data in the European Union (eu-west-1, Ireland); the other subprocessors above may process data in the United States or across global networks. Where applicable law requires safeguards, we rely on contractual protections including the European Commission's 2021 Standard Contractual Clauses, which are incorporated by reference in each subprocessor's Data Processing Addendum. Per-processor transfer-mechanism status (SCC execution, EU-US Data Protection Framework participation) is tracked at /api/compliance.

Data Retention

We keep identifiable data only for as long as needed for the specific operational, security, or legal purpose that justified collecting it. This is our canonical retention matrix — all other HQ-ecosystem documents must reference this table exactly.

Data Category	Retention Period	Legal Basis
Email + hashed API key (active subscription)	Duration of active trial or subscription (max 24 months idle on paid keys per Terms)	Contract performance (Art. 6(1)(b))
Email + hashed API key (post-cancellation)	90 days baseline; extended to a maximum of 120 days only if an open Stripe chargeback or dispute window applies; then deleted or de-identified unless a legal, fraud, or security hold requires temporary preservation	Legitimate interest: billing reconciliation, dispute resolution (Art. 6(1)(f)); legal obligation (Art. 6(1)(c))
Request metadata (timestamp, endpoint, key hash, /24-truncated IP, status)	90 days active logs; no separate identifiable archival tier	Legitimate interest: abuse prevention, debugging (Art. 6(1)(f))
Rate-limit counters	24 hours (auto-TTL)	Legitimate interest: service operation (Art. 6(1)(f))
Security audit logs (hashed or minimized identifiers only)	90 days	Legitimate interest: fraud prevention (Art. 6(1)(f))
Trial signup flag	30 days (auto-TTL)	Legitimate interest: trial management (Art. 6(1)(f))
Enterprise inquiry data	30 days (auto-TTL)	Legitimate interest: sales follow-up (Art. 6(1)(f))
Encrypted backups (Upstash snapshots)	Roll off within 35 days of source-record deletion	Legitimate interest: disaster recovery (Art. 6(1)(f))
Verified erasure requests	Processed without undue delay after verification (typically within 30 days); always shorter than the normal post-cancellation window, except where a legal, fraud, or active payment-dispute hold applies	GDPR Art. 17 (right to erasure)
Aggregated or anonymized analytics	May be retained longer because it no longer identifies a person	Not personal data once anonymized

Security Measures

All data transmitted to and from Holistic Quality LLC is encrypted in transit using modern TLS 1.2/1.3 protocols. Data at rest — including hashed API keys, rate-limit counters, and backups stored in our Upstash eu-west-1 databases — is encrypted using AES-256 under Upstash-managed keys. API keys are generated with high-entropy cryptographic functions and stored only as one-way salted hashes; if you lose a key, we cannot recover it, only revoke it and issue a replacement. We apply least-privilege access controls to all personal data, log administrative access, and review our subprocessor security posture at least annually.

Your Rights

You have the right to access, correct, delete, restrict, object to, or port your personal data, and to lodge a complaint with a data-protection supervisory authority where applicable (GDPR Art. 77).

For direct-issued ALETHEIA accounts: Email privacy@holisticquality.io or use the verified deletion flow:

POST /api/keys/erasure with {"email": "you@example.com"}
Check your email for a 6-digit verification code
POST /api/keys/erasure with {"email": "you@example.com", "code": "123456"}
All account records, API keys, and associated identifiable service data are permanently deleted without undue delay (encrypted backups roll off within 35 days).

We respond to verified rights requests without undue delay, typically within 30 days of verification (or sooner where required by applicable law). If you access ALETHEIA through RapidAPI, rights requests about your RapidAPI account or billing should be directed to RapidAPI first; we will cooperate in good faith on any data we directly control.

Children

The ALETHEIA API is a business-to-business service providing chemical and pharmaceutical safety intelligence; it is not directed to individuals under 18, and we do not knowingly collect personal data from anyone under 18 in connection with ALETHEIA. If you believe a minor has provided personal data through an HQ-ecosystem property, contact privacy@holisticquality.io and we will investigate and delete it where appropriate.

Changes to This Policy

If we change our subprocessor list, retention windows, legal bases, or data collection practices, we will update this page and the Last updated date above. For material changes that affect your rights, we will notify active direct-issued subscribers by email and post an announcement on our platform at least 30 days before the changes take effect. Historical versions are available on request.

What We Will Never Do

Sell your personal data to third parties.
Share your email or usage data with advertisers or data brokers.
Use API request content to train advertising systems or build competitive intelligence profiles.
Monetize your data in any way other than the service you chose to buy.

Contact

Privacy matters, data-rights requests, and questions about this policy:
privacy@holisticquality.io

Security vulnerability reports: security@holisticquality.io (or /.well-known/security.txt)
Terms of Service and legal notices: legal@holisticquality.io
API trial and key delivery: api@holisticquality.io
Billing, refunds, and support: support@holisticquality.io
Safety database: safety@holisticquality.io

Holistic Quality LLC · Lebanon, Ohio, USA