Privacy Policy
Last updated 29 June 2026
Overview
This policy explains what data OmniStream ("we") collects when you use the Service, why we collect it, and the choices you have. We collect the minimum needed to run a developer API marketplace and we never sell your data.
Data we collect
- Account data: your email address and a securely hashed password (we never store your password in plain text).
- API keys and usage: the Omni keys we issue to you and per-key request counts used for metering, rate limiting, and billing.
- Content you submit: APIs you publish (specifications, metadata, upstream credentials you provide) and any reviews you write.
- Payment data: if you subscribe, billing is handled by Stripe. We store a Stripe customer reference and your plan status - we never see or store your full card number.
- Technical data: basic request logs (such as IP address and timestamps) needed for security, abuse prevention, and reliability.
How we use it
We use your data to provide and secure the Service: to authenticate you, issue and meter keys, proxy your API calls, process payments, prevent abuse, and communicate important account or service notices. We rely on your consent, the performance of our contract with you, and our legitimate interest in operating a secure service.
Cookies and local storage
We use your browser's local storage to keep you signed in (a session token) and to remember small preferences such as the Omni key used in the in-browser console. We do not use third-party advertising or tracking cookies.
Sharing and processors
We share data only with the processors needed to run the Service:
- Stripe for payment processing and subscription management;
- our hosting infrastructure that runs the gateway and website; and
- upstream API publishers - when you call an API through the proxy, the request (and any parameters you send) is forwarded to that publisher's upstream.
We may also disclose data if required by law or to protect the rights and safety of our users.
Retention
We keep your account data for as long as your account is active. Usage and billing records are retained as long as needed for the purposes above and to meet legal or accounting obligations. You can request deletion of your account and associated personal data at any time.
Security
Passwords are hashed with scrypt, secrets are stored with restricted access, and traffic is served over HTTPS. No system is perfectly secure, but we take reasonable technical and organizational measures to protect your data.
Your rights
Depending on where you live (including under the EU GDPR), you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise any of these rights, contact us using the details below.
Children
The Service is not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us with data, contact us and we will delete it.
Changes
We may update this policy from time to time. We will revise the date above and, for material changes, take reasonable steps to notify you.
Contact
For privacy questions or data requests, email support@skinvaults.online.