Privacy policy
Last updated: April 28, 2026
Who we are
datapolymarket (the “Service”) is operated as a sole proprietorship by Matteo Bongiovanni, based in Italy. You can reach us at hello@datapolymarket.com.
What data we collect
- Email address — when you sign up. Used solely for authentication (magic-link sign-in) and account-related notifications.
- API keys — we store only a SHA-256 hash, never the raw value.
- Usage logs — endpoint, method, status code, latency, IP address, and timestamp for every authenticated API request. Used to apply rate limits, detect abuse, and provide your usage analytics.
- IP address & user-agent — temporarily on sign-in attempts, to guard against credential stuffing.
We do not collect: real names, addresses, phone numbers, payment details (until Stripe is added — at which point Stripe processes payment data directly under its own privacy policy).
Why we use your data
- Provide and operate the Service (auth, rate limits, usage analytics).
- Prevent abuse, fraud, and illegal use.
- Send transactional emails (magic links, key creation, account changes).
- Comply with legal obligations and respond to lawful requests.
We do not sell, rent, or share your personal data with third parties for marketing. We do not use behavioral tracking, ad networks, or fingerprinting.
Cookies
We use exactly one cookie:
dpm_session — a signed JWT used to keep you signed in. HttpOnly, Secure, SameSite=Lax, scoped to .datapolymarket.com. Expires after 30 days.
We do not use analytics cookies, advertising cookies, or third-party trackers. The session cookie is essential for the Service and does not require consent under ePrivacy.
Third-party processors
We rely on the following sub-processors. Each has its own privacy policy.
- Vercel (US/EU) — frontend hosting (datapolymarket.com).
- OVHcloud (EU, France) — backend API and database hosting (api.datapolymarket.com).
- Cloudflare (US/EU) — DNS resolution. We do not run Cloudflare in proxy mode for the API subdomain.
- Resend (US) — transactional email delivery for magic links.
- Stripe (US/EU) — payment processing, when paid tiers are introduced.
Data retention
- Account & API keys: kept while your account is active.
- Usage logs: 90 days, then aggregated and the raw rows deleted.
- Magic-link tokens: 15-minute expiry, soft-deleted on use; auto-purged after 7 days.
- If you delete your account, we erase personal data within 30 days. Aggregated, non-identifying analytics may be retained.
Your rights (GDPR / EU)
If you are in the EU, EEA, or UK, you have the right to access, correct, export, restrict, or delete your personal data, and to object to processing. Email hello@datapolymarket.com with the request and we'll respond within 30 days.
You can also lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, garanteprivacy.it).
Security
All traffic is served over TLS. API keys are hashed at rest. Session cookies are signed and HttpOnly. Database access is restricted to localhost on the backend host. We disclose security incidents affecting your data within 72 hours where required by law.
Changes
We may update this policy. Material changes will be communicated via email at least 14 days before they take effect. Continued use of the Service constitutes acceptance.