Privacy Policy

Last updated: February 10, 2026

Summary: The Document Anonymization API processes documents to remove personal data. Documents are processed in memory and never stored. We don't keep copies of your files. API usage requires an API key. Payments are handled by Paddle.

What This API Does

The Document Anonymization API detects and removes personally identifiable information (PII) from documents including names, addresses, phone numbers, ID numbers, and more. This policy explains how we handle your documents and account data.

Document Processing

This is the most important section:

  • Documents are processed in memory only — they are never written to disk or stored in any database
  • Documents are discarded immediately after the anonymized result is returned to you
  • We cannot retrieve your documents after processing — we don't have them
  • No document content is logged — not even for debugging
  • Processing happens on secure, encrypted servers with TLS in transit

Account & API Data

What we collect:

  • Email address (for account and API key management)
  • API key (hashed)
  • Request count and timestamps (for billing and rate limiting)
  • IP address of API calls (for abuse prevention, retained 30 days)

What we do NOT collect:

  • Document contents (not stored, not logged, not cached)
  • Anonymization results (not stored)
  • Entity types detected (not logged)

Payment Processing

API purchases and usage-based billing are processed through Paddle, a Merchant of Record. Paddle handles all payment information. We receive your request pack tier and usage counts but never see payment card details.

Paddle's privacy policy: paddle.com/legal/privacy

Data Security

  • All API traffic is encrypted via TLS 1.3
  • API keys are hashed and stored securely
  • Infrastructure is hosted on isolated, encrypted servers
  • Regular security audits and dependency updates
  • Rate limiting and abuse detection on all endpoints

GDPR & Compliance

The API is designed to help you comply with GDPR and similar privacy regulations by anonymizing personal data in documents. Regarding your own data with us:

  • Access — request a copy of your account data
  • Deletion — delete your account, API keys, and all usage records
  • Portability — export your account data and usage history

Third-Party Services

  • Paddle — Payment processing
  • Vercel / Railway — Infrastructure hosting

Changes

Policy changes will be posted here and communicated via the API changelog. Breaking privacy changes will be announced at least 30 days in advance.

Contact

Security concerns or questions: support@mishalabs.com