On this page
1. Who We Are
Apselog (“we,” “us,” or “our”) is operated by {{COMPANY_LEGAL_NAME}}, located at {{COMPANY_ADDRESS}}. We operate the AI-era public status page platform at apselog.com.
For privacy questions, contact us at [email protected]. We will respond within 30 days.
2. Data We Collect
Account information
When you sign in via Google OAuth, we receive your name, email address, and profile picture from Google. We store these to identify your account and address you in communications.
Billing information
Payment processing is handled entirely by Stripe. We do not store card numbers, CVVs, or full payment details on our servers. We retain Stripe customer IDs and subscription status to manage your plan.
Usage data
We collect information about how you interact with the Service, including:
- Public status page views (IP address, user-agent, timestamp).
- Dashboard activity (pages visited, features used, timestamps).
- API request logs (endpoint, response time, status code — not request bodies).
Customer-uploaded data
When you use Apselog to monitor your LLM application, you may submit through our ingest API:
- Golden eval sets — prompt/expected-output pairs you define.
- Token usage events — model name, token counts, latency, cost metadata.
- Alert configurations — thresholds, notification channels, recipient addresses.
This data belongs to you. We process it only to operate the Service as described in our Terms of Service.
3. Why We Collect It
- Operate the Service — authenticate sessions, power dashboards, generate status pages, evaluate LLM health, fire alerts.
- Billing — create and manage Stripe subscriptions, send receipts.
- Security — detect abuse, protect API keys, investigate incidents.
- Support — diagnose issues when you contact us.
- Product improvement — aggregate, anonymized usage patterns (not individual Customer Data).
4. Legal Bases (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases:
- Contract — processing necessary to perform our agreement with you (operating your account, billing, delivering the Service).
- Legitimate interests — security monitoring, fraud prevention, aggregate analytics, improving the Service — where those interests are not overridden by your rights.
- Consent — optional analytics or marketing communications, where applicable. You may withdraw consent at any time.
- Legal obligation — where required by applicable law.
5. Sub-processors
We share data with the following sub-processors to operate the Service. Each is bound by data processing agreements and appropriate safeguards.
| Sub-processor | Purpose | Data received | Location |
|---|---|---|---|
| Neon | Database hosting | All stored account, usage, and customer data | AWS us-east-2 (USA) |
| Vercel | Hosting & edge network | Request logs, IP addresses, deployment artifacts | Global edge (primary USA) |
| Stripe | Payment processing | Name, email, billing address, payment method | USA |
| Resend | Transactional email | Email address, notification content | USA |
| Anthropic | Incident summary generation (via Vercel AI Gateway) | Incident metadata, anonymized event snippets | USA |
| OpenAI | Incident summary generation (via Vercel AI Gateway) | Incident metadata, anonymized event snippets | USA |
| Google (OAuth) | Authentication | Name, email, profile picture (on sign-in) | USA |
We do not sell your data to third parties.
6. Your Rights
Depending on your location, you may have rights to access, correct, delete, or port your personal data, and to object to or restrict certain processing. To exercise any of these rights, email [email protected]. We will respond within 30 days.
You may also opt out of marketing emails at any time using the unsubscribe link in any email we send.
7. Data Retention
- Account data — retained for the duration of your account, then deleted within 30 days of account closure.
- Request and ingest logs — retained for 90 days, then purged.
- Backups — encrypted backups are retained for up to 1 year, then destroyed.
- Billing records — retained for 7 years as required by applicable tax law.
8. Cookies and Tracking
We use cookies to operate the Service. See our full Cookie Policy for details on which cookies we set and how to control them.
9. Security
- All data in transit is encrypted with TLS 1.2+.
- Data at rest is encrypted by Neon on AWS us-east-2.
- API keys are stored as SHA-256 hashes — we cannot recover the plaintext.
- Passwords are not stored; authentication is handled by Auth.js with Google OAuth.
- We conduct periodic security reviews and respond to vulnerability reports at
[email protected].
10. Children
The Service is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, contact us at [email protected] and we will delete it promptly.
11. International Data Transfers
Apselog is operated in the United States. If you access the Service from outside the United States, your data may be transferred to, stored, and processed in the United States and other countries where our sub-processors operate.
For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and equivalent mechanisms under UK GDPR. Copies of applicable transfer mechanisms are available upon request at [email protected].
12. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:
- Right to Know — request disclosure of the personal information we have collected about you in the past 12 months.
- Right to Delete — request deletion of your personal information, subject to certain exceptions.
- Right to Opt Out of Sale — we do not sell personal information.
- Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights.
To exercise these rights, email [email protected] with the subject line “California Privacy Request.”
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or via a prominent notice in the Service at least 14 days before the change takes effect. The “Effective date” at the top of this page reflects the date of the latest update.
14. Contact
Privacy questions or data requests:
Email: [email protected]
{{COMPANY_LEGAL_NAME}}
{{COMPANY_ADDRESS}}
This is a starter legal template. Have a qualified attorney review before relying on it for high-stakes operations.