PRIVACY POLICY
Last Updated: March 30, 2026
Effective Date: March 30, 2026
Compliance: GDPR (EU), CCPA (California), PIPEDA (Canada), PDPO (Hong Kong)
1. INTRODUCTION
apicheap.net, operated by LOOM AGENCY LIMITED ("we," "us," "our," "Company"), respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (https://apicheap.net) or use our API services (collectively, the "Services").
Data Controller: LOOM AGENCY LIMITED
Registered Address: RM 602, 6/F, KAI YUE COMM BUILDING, NO.2C, ARGYLE STREET, MONGKOK KOWLOON, HONG KONG
Contact: admin@apicheap.net
By using our Services, you acknowledge that you have read and understood this Privacy Policy.
2. INFORMATION WE COLLECT
2.1 Personal Information You Provide
When you create an account, make a purchase, or contact us:
Identity & Contact Data:
- Full name or business name
- Email address
- Billing address
- Phone number (optional)
Financial Data:
- Payment card details
- Billing history and invoices
Account Data:
- Password (hashed and salted)
- API keys (encrypted)
- Account preferences and settings
- Usage tier and quotas
Communications:
- Support tickets and email correspondence
- Feedback and survey responses
2.2 Information Collected Automatically
Technical Data:
- IP address and geolocation (country/region level)
- Browser type and version
- Operating system and device information
- Referring URL and exit pages
Usage Data:
- API endpoints accessed
- Request timestamps and frequency
- Response times and error rates
- Tokens/credits consumed
Security Logs:
- Failed login attempts
- API authentication failures
- Suspicious activity patterns
2.3 Cookies and Similar Technologies
| Cookie Type | Purpose | Duration | Required? |
|---|---|---|---|
| Essential | Session management, authentication | Session | Yes |
| Security | CSRF protection, fraud prevention | Session | Yes |
| Preferences | Language, theme, dashboard settings | 1 year | No |
| Analytics | Usage patterns, performance metrics | 2 years | No |
Cookie Consent: Essential cookies are set automatically. Analytics cookies require your consent via our cookie banner (EU/UK users).
Managing Cookies: You can control cookies through your browser settings. Disabling non-essential cookies may affect website functionality.
3. HOW WE USE YOUR INFORMATION
3.1 Primary Purposes
- Provide Services: Create and manage your account, process API requests, deliver outputs
- Process Payments: Charge your payment method, send receipts
- Communicate: Send transactional emails (account confirmations, billing notices, security alerts)
- Support: Respond to inquiries, resolve technical issues
- Security: Monitor for fraud, abuse, and security threats
- Improve: Analyze usage patterns, optimize performance, develop new features
- Comply: Meet legal obligations, respond to lawful requests
3.2 Legal Basis for Processing (GDPR)
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Service delivery | Contract performance | Art. 6(1)(b) |
| Payment processing | Contract performance | Art. 6(1)(b) |
| Account management | Contract performance | Art. 6(1)(b) |
| Fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Security monitoring | Legitimate interest | Art. 6(1)(f) |
| Marketing emails | Consent (explicit opt-in) | Art. 6(1)(a) |
| Analytics | Legitimate interest | Art. 6(1)(f) |
| Legal compliance | Legal obligation | Art. 6(1)(c) |
3.3 AI Model Training - IMPORTANT
WE DO NOT USE CUSTOMER DATA TO TRAIN AI MODELS.
LOOM AGENCY LIMITED explicitly affirms:
- Customer prompts (inputs) are NOT used for training, fine-tuning, or improving underlying AI models
- Customer outputs are NOT used for model training
- Customer data is processed solely to return the requested API response
- We do not sell, rent, or share customer prompts or outputs with third parties for training purposes
4. DATA SHARING AND DISCLOSURE
4.1 Third-Party Service Providers
We share data with trusted service providers under strict confidentiality agreements:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe, Inc. | Payment processing | Name, email, card details |
| Airwallex | International payments | Name, email, bank details |
| Hosting Provider | Infrastructure | IP, usage data, logs |
| AI Model Providers | API fulfillment | Prompts, outputs |
4.2 AI Model Providers
To deliver API services, your prompts and outputs are processed by third-party AI model providers.
We endeavor to select AI providers with strong data protection commitments and policies that restrict the use of API data for model training. We encourage you to review the privacy policies of our upstream AI providers for full transparency.
We do not control third-party model behavior or outputs.
4.3 Legal Requirements
We may disclose data when required by:
- Court orders, subpoenas, or warrants
- Law enforcement requests (with valid legal process)
- Regulatory compliance
- Protection of our rights, property, or safety
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, customer data may be transferred to the acquiring entity. We will provide 30 days' advance notice via email.
4.5 We Do NOT Sell Data
LOOM AGENCY LIMITED does not sell, rent, or lease your personal data to third parties for their marketing purposes.
5. DATA RETENTION
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account data | Life of account + 2 years | Contract |
| Payment records | 7 years | Tax compliance (HK Inland Revenue Ordinance, US IRS) |
| API usage logs | 90 days | Legitimate interest (security, debugging) |
| Support tickets | 2 years | Contract, legitimate interest |
| Security logs | 1 year | Legitimate interest (fraud prevention) |
| Marketing data | Until opt-out or 3 years | Consent |
| Cookies | As specified in Section 2.3 | Consent/Legitimate interest |
After retention periods, data is anonymized or securely deleted. You may request early deletion (see Section 7); we will comply within 30 days except where retention is required by law.
6. INTERNATIONAL DATA TRANSFERS
6.1 Transfer Mechanisms
Your data may be transferred to and processed in:
- Hong Kong (Company headquarters)
- United States (payment processors, hosting, AI providers)
- European Union (hosting, support)
We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy Decisions where applicable
- User Consent for specific transfers
6.2 Your Rights Regarding Transfers
EU/UK users have the right to:
- Request information about specific transfer safeguards
- Obtain a copy of SCCs or other transfer mechanisms
- Lodge complaints with their local data protection authority
Contact admin@apicheap.net for transfer-related inquiries.
7. YOUR DATA PROTECTION RIGHTS
7.1 GDPR Rights (EU/UK/EEA)
Right of Access (Art. 15): Request a copy of your personal data.
Right to Rectification (Art. 16): Request correction of inaccurate data.
Right to Erasure (Art. 17): Request deletion of your data, subject to legal exceptions.
Right to Restriction (Art. 18): Request limitation of processing in certain circumstances.
Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON, CSV).
Right to Object (Art. 21): Object to processing based on legitimate interest or for direct marketing.
Right to Withdraw Consent (Art. 7): Revoke consent at any time (does not affect prior lawful processing).
Right to Lodge a Complaint (Art. 77): File a complaint with your local data protection authority.
7.2 CCPA Rights (California, USA)
- Right to Know: Disclosure of personal information categories, sources, and purposes
- Right to Delete: Deletion of personal information (with exceptions)
- Right to Opt-Out: "Do Not Sell My Personal Information" - we do not sell data
- Right to Non-Discrimination: Equal service regardless of exercising rights
- Right to Correct: Correction of inaccurate personal information
7.3 PIPEDA Rights (Canada)
Access, challenge accuracy, withdraw consent, and file complaints with the Office of the Privacy Commissioner of Canada.
7.4 PDPO Rights (Hong Kong)
Access, correction, object to direct marketing, and withdraw consent.
7.5 How to Exercise Your Rights
Email: admin@apicheap.net
Subject: Data Rights Request - [Your Name]
Include: Full name, email, account ID, specific right, description of data involved.
Response Time:
- GDPR: Within 30 days (may extend to 60 for complex requests)
- CCPA: Within 45 days (may extend to 90)
Verification: We may require identity verification to prevent unauthorized access. Exercising your rights is free.
8. DATA SECURITY
8.1 Security Measures
We implement appropriate technical and organizational measures to protect your data, including:
- TLS 1.3 for data in transit
- AES-256 encryption for data at rest
- Role-based access control for internal systems
- Regular monitoring for suspicious activity
- Secure software development practices
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
8.2 Breach Notification
In the event of a personal data breach:
- EU/UK (GDPR): Notify supervisory authority within 72 hours; notify affected individuals without undue delay if high risk
- California (CCPA): Notify affected residents in the most expedient time possible
- Hong Kong (PDPO): Notify affected individuals as soon as practicable
We will notify you via email within 72 hours of discovering a breach that affects your personal data.
8.3 Your Role in Security
You are responsible for:
- Maintaining strong, unique passwords
- Protecting your API keys (use environment variables, never commit to Git)
- Reporting suspicious activity to admin@apicheap.net
9. CHILDREN'S PRIVACY
Our Services are not intended for users under 16 years of age (or 13 in jurisdictions where applicable). We do not knowingly collect personal data from children. If discovered, data will be deleted immediately and the associated account terminated.
10. CHANGES TO THIS PRIVACY POLICY
- Material Changes: 30 days' advance notice via email
- Minor Changes: Immediate effect with updated "Last Updated" date
- Legal Compliance: Immediate effect where required by law
Your continued use after changes constitutes acceptance.
11. CONTACT INFORMATION
LOOM AGENCY LIMITED
Email: admin@apicheap.net
Address: RM 602, 6/F, KAI YUE COMM BUILDING, NO.2C, ARGYLE STREET, MONGKOK KOWLOON, HONG KONG
Supervisory Authorities:
- Hong Kong: Office of the Privacy Commissioner - https://www.pcpd.org.hk
- EU: Your local data protection authority - https://edpb.europa.eu
- California: California Attorney General - https://oag.ca.gov/privacy
- Canada: Office of the Privacy Commissioner - https://www.priv.gc.ca
12. ADDITIONAL DISCLOSURES
12.1 Do Not Track (DNT)
We do not respond to browser "Do Not Track" signals.
12.2 Automated Decision-Making
We do not use automated decision-making that produces legal or similarly significant effects on individuals.
12.3 Sensitive Personal Data
We do not intentionally collect sensitive personal data (racial/ethnic origin, political opinions, religious beliefs, health data, etc.). If inadvertently received, such data is deleted immediately.
END OF PRIVACY POLICY