Privacy Policy

Introduction

DataGraph.city ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our GraphRAG-powered urban data API service ("Service").

By using our Service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use our Service.

1. Information We Collect

1.1 Personal Information

When you register for an account, we collect:

• Email address - Used for account identification, communication, and API key delivery
• Name (optional) - For personalized communication
• Organization name (optional) - To understand your use case

1.2 Payment Information

If you subscribe to a paid tier, payment processing is handled by Stripe, our third-party payment processor. We do not store your full credit card information on our servers. We receive limited payment information from Stripe, including:

• Last 4 digits of your credit card
• Card brand (Visa, Mastercard, etc.)
• Billing address (if provided)
• Transaction history for your account

Please refer to Stripe's Privacy Policy for details on how they handle your payment information.

1.3 Usage Data

We automatically collect information about how you interact with our Service:

• API Usage Logs: Timestamps, query types, endpoints accessed, response times
• Query Content: The natural language queries or Cypher queries you submit
• IP Address: Your device's IP address for security and rate limiting
• User Agent: Browser/client information for compatibility
• Usage Metrics: Query counts, rate limit hits, errors

1.4 Technical Information

We collect technical data for service operation:

• API key (generated, not provided by you)
• Session tokens for authentication
• Device and browser information
• Error logs and debugging information

1.5 Information We Do NOT Collect

We do not intentionally collect:

• Social Security Numbers or government-issued IDs
• Sensitive personal data (health, biometric, genetic information)
• Data from children under 13 years of age
• Precise geolocation tracking (beyond IP-based country/region)

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Provision

• Authenticate your API requests
• Process and respond to your queries
• Enforce usage limits and rate limits
• Provide customer support
• Send service-related emails (API keys, password resets, important updates)

2.2 Billing and Payment

• Process subscription payments
• Send invoices and payment confirmations
• Detect and prevent fraud
• Handle billing disputes

2.3 Service Improvement

• Analyze usage patterns to improve our Service
• Identify and fix bugs
• Develop new features based on user needs
• Optimize query performance and response times
• Understand which datasets are most valuable

2.4 Security and Compliance

• Detect and prevent abuse, fraud, or unauthorized access
• Enforce our Terms of Service
• Comply with legal obligations
• Protect our rights and property

2.5 Communication (Optional)

• Send product updates and new feature announcements (you can opt out)
• Request feedback on your experience
• Send usage reports (e.g., monthly query summaries)

You can unsubscribe from marketing emails at any time using the unsubscribe link in any email or by contacting us at hello@datagraph.city.

3. How We Share Your Information

We do not sell your personal information to third parties. We only share your information in the following circumstances:

3.1 Service Providers

We share information with trusted third-party service providers who help us operate our Service:

• Stripe: Payment processing (see Stripe Privacy Policy)
• Fly.io: Cloud hosting and infrastructure (see Fly.io Privacy Policy)
• Cloudflare: Content delivery and DDoS protection (see Cloudflare Privacy Policy)
• SendGrid: Email delivery service (see SendGrid Privacy Policy)

These service providers are contractually obligated to use your information only for the purposes we specify and to protect the security of your information.

3.2 Legal Requirements

We may disclose your information if required by law or in response to:

• Valid legal process (subpoena, court order, warrant)
• Government or regulatory investigations
• Threats to public safety or security
• Protection of our legal rights or property

3.3 Business Transfers

If DataGraph.city is acquired, merged, or undergoes a business restructuring, your information may be transferred as part of that transaction. You will be notified of any such change.

3.4 With Your Consent

We may share your information for other purposes with your explicit consent.

4. Data Retention

We retain your information for as long as necessary to provide our Service and comply with legal obligations:

• Account Information: Retained while your account is active, plus 30 days after deletion
• Usage Logs: Retained for 90 days for analytics and debugging
• Payment Records: Retained for 7 years for tax and accounting compliance
• Email Communications: Retained for 2 years or until you request deletion

After the retention period, we securely delete or anonymize your data. Anonymized data (not linked to your identity) may be retained indefinitely for statistical analysis.

5. Data Security

We implement industry-standard security measures to protect your information:

• Encryption in Transit: All data transmitted to/from our Service uses TLS/SSL encryption
• Encryption at Rest: Sensitive data is encrypted in our databases
• API Key Security: API keys are hashed and salted before storage
• Access Controls: Strict internal access controls and authentication
• Regular Security Audits: We monitor for vulnerabilities and security threats
• Secure Infrastructure: Our hosting providers (Fly.io, Cloudflare) maintain high security standards

Important: While we use reasonable security measures, no system is completely secure. You are responsible for maintaining the confidentiality of your API key. If you believe your API key has been compromised, contact us immediately at hello@datagraph.city.

6. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

6.1 General Rights (All Users)

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your account and personal information
• Portability: Request your data in a machine-readable format
• Opt-Out: Unsubscribe from marketing emails

6.2 GDPR Rights (EU Users)

If you are located in the European Union, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to Object: Object to processing of your data for direct marketing or legitimate interests
• Right to Restriction: Request restriction of processing in certain circumstances
• Right to Withdraw Consent: Withdraw consent for data processing at any time
• Right to Lodge a Complaint: File a complaint with your local data protection authority

6.3 CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of data collection and sharing practices
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt out of the "sale" of personal information (Note: We do not sell personal information)
• Non-Discrimination: We will not discriminate against you for exercising your rights

6.4 How to Exercise Your Rights

To exercise any of these rights, contact us at hello@datagraph.city with the subject line "Privacy Rights Request." We will respond within 30 days.

To verify your identity, we may ask for additional information before fulfilling your request.

7. Cookies and Tracking Technologies

We do not currently use cookies or tracking technologies on our website.

Our Service is API-first and does not require cookies for authentication (we use API keys instead). If we add analytics or tracking in the future, we will update this policy and provide opt-out options.

Third-party services we use (Cloudflare, Stripe) may set their own cookies. Please refer to their privacy policies for details.

8. Children's Privacy

Our Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@datagraph.city, and we will delete that information.

9. International Data Transfers

DataGraph.city is based in the United States. If you access our Service from outside the U.S., your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate.

These countries may have different data protection laws than your country. By using our Service, you consent to the transfer of your information to the United States and other countries.

For EU users, we rely on Standard Contractual Clauses or other lawful mechanisms approved by the European Commission for data transfers.

10. Third-Party Links

Our Service may contain links to third-party websites or services (e.g., GOSR.ai, NYC Open Data). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with your information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Notify you by email (for significant changes)
• Post a notice on our website

Your continued use of the Service after changes to this policy constitutes your acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: hello@datagraph.city
Subject Line: "Privacy Policy Inquiry"
Website: https://datagraph.city

We will respond to privacy inquiries within 30 days.