Privacy Policy

Version 1.1·Last Updated: February 22, 2026

LukeAPI is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. This policy applies to Personal Data we collect as a Data Controller. Where we process data on behalf of our Customers, our Data Processing Agreement applies.

1. Introduction

When you use LukeAPI, we act as a Data Controller for Personal Data we collect directly from you or generate in providing the Service. "Personal Data" means any information relating to an identified or identifiable natural person. We process Personal Data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), and other applicable laws.

2. Information We Collect

Account Information:

  • Name, email address, password (hashed)
  • Organization name and billing address
  • Profile information (avatar, bio) if provided

Payment Information:

  • Card details and billing address—processed by Stripe; we do not store full card numbers
  • Transaction history and subscription details

Profile and API Information:

  • Listed APIs, documentation, pricing, versions, and metadata (for Providers)
  • Subscriptions, API keys (hashed), usage quotas, favorites, and collections (for Developers)

Referral and affiliate data:

  • Affiliate or referral codes you use or generate; referral links and attribution (e.g., cookie-based attribution for commission eligibility)

Webhooks and notifications:

  • Webhook endpoint URLs and configuration; notification preferences (email, in-app, webhook events)

AI and playground usage:

  • Inputs you provide to AI-powered features (e.g., code generation, playground requests) and generated outputs; session data for improving and securing these features

Community and support:

  • Forum posts, challenge submissions, and support ticket messages, attachments, and contact history

Usage Data (automatically collected):

  • API calls, request counts, response times, and error rates
  • Page views, navigation paths, and feature usage
  • Device type, browser, IP address, and user agent
  • Log data (timestamps, request IDs, security events)

Cookies and Similar Technologies:

  • Essential, functional, analytics, and optional marketing cookies—see our Cookie Policy for details

3. Legal Bases for Processing

Where GDPR applies, we rely on the following legal bases:

  • Contract: Processing necessary to perform our contract with you (e.g., providing the Service, billing)
  • Legitimate Interest: Processing necessary for our legitimate interests (e.g., security, fraud prevention, analytics, product improvement) where not overridden by your rights
  • Consent: Where required (e.g., non-essential cookies, marketing communications)
  • Legal Obligation: Processing necessary to comply with applicable law (e.g., tax, anti-money laundering)

4. How We Use Your Information

  • Provide and operate the Service (marketplace, discovery, API gateway, billing, analytics, playground, forum, challenges)
  • Authenticate users and manage accounts and organizations
  • Process transactions, subscriptions, and referral/affiliate attribution
  • Deliver webhooks and notifications (email, in-app, webhook endpoints) per your preferences
  • Power AI features (code generation, playground); we may use inputs and outputs to operate, secure, and improve these features
  • Monitor usage, enforce limits, and prevent abuse
  • Send transactional communications (confirmations, receipts, security alerts, ticket updates)
  • Improve the product (analytics, debugging, feature development)
  • Comply with legal, security, and regulatory obligations
  • Respond to support requests and legal process

5. How We Share Your Information

Service Providers (Sub-Processors): We share data with trusted providers under contractual protections:

  • Stripe—payment processing and Connect payouts (when billing is used)
  • Supabase—database, authentication, realtime
  • Vercel—hosting, CDN, edge functions
  • Anthropic—AI features (e.g., code generation)
  • Resend—transactional and notification email delivery

API Providers: When you subscribe to an API, we share your organization name, tier, and usage data with that API provider so they can provide the service.

Legal and Safety: We may disclose data when required by law, court order, or legal process, or to protect rights, safety, or property.

Aggregate/Anonymized Data: We may share anonymized or aggregate data that cannot identify you for analytics, research, or marketing.

Transactional email is sent via Supabase Auth. We do not sell Personal Data.

6. Data Retention

We retain data as follows:

  • Active accounts: Data retained while your account is active
  • After deletion: Passwords and API keys removed immediately; user content within 90 days
  • Financial records: 7 years for tax and compliance
  • Anonymized analytics: May be retained indefinitely

7. International Transfers

Data may be transferred to and processed in countries outside your residence (e.g., US, EU). We use appropriate safeguards: Standard Contractual Clauses (SCCs) where required, adequacy decisions where applicable, and supplementary measures (encryption, access controls) where necessary. See our Data Processing Agreement for details on Sub-Processor locations and safeguards.

8. Children's Privacy

The Service is not intended for individuals under 18. We do not knowingly collect Personal Data from children under 13 (or the equivalent age in your jurisdiction). If you believe we have collected data from a child, please contact us and we will delete it promptly.

9. California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know: Request disclosure of categories and specific pieces of Personal Data we collect
  • Delete: Request deletion of your Personal Data (subject to exceptions)
  • Correct: Request correction of inaccurate Personal Data
  • Opt-out of sale/share: We do not sell Personal Data
  • Non-discrimination: We will not discriminate against you for exercising your rights

To exercise these rights: visit Privacy Settings or. We will verify your identity before processing requests. You may designate an authorized agent; we may require proof of authorization.

10. EU/UK Residents (GDPR)

If you are in the EEA or UK, you have the right to:

  • Access: Request a copy of your Personal Data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion ("right to be forgotten")
  • Restriction: Request restriction of processing in certain circumstances
  • Portability: Request transfer of your data in a structured format
  • Object: Object to processing based on legitimate interests or for direct marketing
  • Withdraw consent: Where processing is based on consent

To exercise these rights: visit Privacy Settings or. We will respond within one month. You also have the right to lodge a complaint with your supervisory authority (see Section 18).

11. Other US State Laws

Residents of Virginia (CDPA), Colorado (CPA), Connecticut, Utah, and other states with similar laws may have rights to access, delete, correct, opt-out of targeted advertising, or port their data. To exercise these rights, or use our Privacy Settings.

12. Data Breach Notification

In the event of a Personal Data breach that poses a risk to your rights and freedoms, we will notify affected individuals and relevant supervisory authorities as required by law (e.g., within 72 hours where GDPR applies). Notifications will include the nature of the breach, likely consequences, and remedial action taken.

13. Automated Decision-Making

We may use automated processing (e.g., fraud detection, abuse prevention) to protect the Service. We do not use fully automated decision-making that produces legal or similarly significant effects on you without human involvement. If we introduce such processing, we will provide notice and the right to obtain human review.

14. Marketing Communications

We may send marketing emails (product updates, tips, offers) only with your consent or where permitted by law. You may opt out at any time via the unsubscribe link in emails or via Cookie Settings. Transactional emails (confirmations, security alerts) are sent as part of the Service and cannot be opted out of without closing your account.

15. Cookies

We use essential, functional, analytics, and optional marketing cookies. Essential cookies are required for the Service; others can be managed via our Cookie Settings or browser settings. See our Cookie Policy for categories, purposes, durations, and how to control them.

16. Data Security

We implement encryption in transit (TLS 1.3) and at rest (AES-256), access controls, hashing for passwords and API keys, and regular security assessments. No system is completely secure; we cannot guarantee absolute security. See our Security & Compliance page for details.

17. Data Controller Information

The Data Controller is LukeAPI (or the legal entity operating the platform). For EU/UK residents, we may have an EU representative. for entity details.

18. Supervisory Authority

EU residents may lodge a complaint with the data protection authority in their country. UK residents may contact the Information Commissioner's Office (ICO): ico.org.uk. We will cooperate with supervisory authorities.

19. Changes to This Policy

We may update this Privacy Policy. Material changes will be posted on this page with an updated "Last Updated" date. We may also notify you by email for significant changes. Continued use after changes constitutes acceptance.

20. Contact

For privacy questions or to exercise your rights:

By using LukeAPI, you acknowledge that you have read and understood this Privacy Policy.