Privacy Policy

1. Data We Collect

We collect the following data to operate the service. We aim to be specific about what is stored rather than vague.

• Account data: Your email address and a bcrypt-hashed password. We never store your plaintext password.
• API keys: Generated on signup (format: bk_...). Keys are stored in our database so they can be displayed to you in the dashboard. They are never logged or exposed in proxy responses.
• Gateway configuration: Your target backend URL and feature toggle settings (WAF on/off, rate limiting on/off, caching on/off, idempotency on/off) as stored in your dashboard settings.
• Request metadata (logged for every proxied request): HTTP method, request path, query parameters, source IP address, response status code, latency in milliseconds, and whether the response was served from cache. This data is displayed in your dashboard analytics.
• Request headers (partial): Request headers are logged with authentication headers, cookies, and the host header stripped out for security.
• Request bodies: Request bodies for proxied requests are logged, truncated to a maximum of 64KB per entry. This is stored in your API logs and visible in your dashboard.
• Usage metrics: Request counts are tracked per user for plan-based quota enforcement and billing.
• Payment information: Payment processing is handled entirely by Razorpay. We do not store your card details, bank account information, or Razorpay payment credentials on our servers. We only store the plan you are subscribed to and the Razorpay order/payment IDs for reference.

2. How We Use Your Data

• To authenticate you and manage your account.
• To render live analytics and request logs in your dashboard.
• To enforce plan-based request quotas and rate limits.
• To apply WAF rules and block malicious requests before they reach your backend.
• To process payments via Razorpay and track your subscription plan.
• To send transactional emails via Resend (signup verification, password reset, welcome email).
• We do not sell, rent, or share your data with any third parties for marketing or advertising purposes.

3. Data Retention

API request logs are stored in our database as long as your account is active. There is currently no automatic log expiry or cleanup mechanism. If you need your logs deleted, contact us and we will remove them manually.

Account data (email, password hash, API keys, settings) is retained as long as your account exists. You may request full account deletion at any time by emailing us.

We plan to implement automatic log retention policies (e.g., 30-day expiry for free plans, 90-day for paid plans) in a future update.

4. Cookies & Tracking

Backport uses JWT tokens for authentication, which are stored in your browser's local storage (not cookies). We do not set persistent cookies for tracking purposes.

Our frontend is hosted on Vercel, which may collect standard hosting analytics (page views, geographic data, device information). We do not use Google Analytics, Facebook Pixel, or any third-party advertising or tracking scripts on our site.

5. Security

• All traffic between your application and our gateway is encrypted via TLS (managed by our hosting provider, Render).
• Passwords are hashed using bcrypt before storage.
• Authentication tokens are JWTs signed with HS256 and expire after 7 days.
• API keys are validated on every proxy request against our database.
• Request headers containing sensitive data (Authorization, Cookie, Host) are stripped before logging.

6. Your Rights

You have the right to access, correct, or delete your personal data at any time. You can export your API logs as JSON or CSV from the dashboard. For account deletion or data requests, email support@backportio.com.

If you are in the EU/EEA, these rights are protected under GDPR. If you are in India, your rights are protected under the Digital Personal Data Protection Act, 2023.

7. Third-Party Services

• Razorpay: Processes all payments. We do not store card or bank details.
• Resend: Sends transactional emails (verification, password reset, welcome). Your email address is passed to Resend for delivery only.
• Render: Hosts our backend API. May collect infrastructure-level logs.
• Vercel: Hosts our frontend. May collect standard hosting analytics.

8. Changes to This Policy

We may update this Privacy Policy as the service evolves. Significant changes will be notified via email. The latest version is always available at backport-io.vercel.app/privacy.

9. Contact

For privacy-related questions or data requests: support@backportio.com