Privacy Policy
Last updated: March 7, 2026
This Privacy Policy describes how the Satoshi API hosted service at bitcoinsapi.com ("Service") collects, uses, and protects your information. The Service is operated by Andy Barnes ("Operator", "we", "us").
1. Information We Collect
| Data | When Collected | Purpose | Retention |
| --- | --- | --- | --- |
| Email address | API key registration | Key management, abuse prevention | Until key deletion |
| API key hash (SHA-256) | Registration | Authentication | Until key deletion |
| IP address | Every request | Rate limiting, abuse prevention | 90 days (access logs) |
| Request path and method | Every request | Usage analytics, rate limiting | 90 days |
| HTTP status code | Every request | Error monitoring | 90 days |
| User-Agent string | Every request | Usage analytics, abuse prevention | 90 days |
| Response time (milliseconds) | Every request | Performance monitoring | 90 days |
2. Information We Do NOT Collect
- We do not use cookies. We use PostHog with in-memory persistence for anonymous page view analytics — no data persists in your browser between sessions.
- We do not collect personal information beyond email (for key registration) and IP addresses (for rate limiting).
- We do not store your API key in plaintext. Only the SHA-256 hash is stored.
- We do not log the content of your API requests or responses (e.g., transaction hex data you broadcast is not stored).
- We do not sell, rent, or share your data with third parties, except as necessary for payment processing (see Section 3).
3. Third-Party Services
The Service uses the following third-party services:
- Cloudflare: HTTPS termination, DDoS protection, and CDN. Cloudflare may process your IP address and request headers according to their privacy policy.
- CoinGecko: Price data source. Your requests to our price endpoint do not go directly to CoinGecko; we fetch and cache data server-side.
- Stripe, Inc.: Payment processing for Pro tier subscriptions. When you subscribe to a paid plan, we share your email address, payment method details, and billing address with Stripe to process payments. We do not store your full payment card number. Stripe's handling of your data is governed by the Stripe Privacy Policy.
- Resend: Processes email addresses to deliver transactional emails (welcome email with API key, usage alerts). Data retained per Resend's privacy policy.
- Upstash: Processes IP addresses as ephemeral rate limit keys. Data automatically expires within 60 seconds via TTL. See Upstash's privacy policy.
- PostHog: Receives anonymous page view events and CTA click events from our landing page. IP anonymization is enabled. No autocapture, no session recording. Registration events use hashed email (not raw PII). See PostHog's privacy policy.
4. How We Use Your Information
- Rate limiting: IP addresses and API key hashes are used to enforce per-minute and daily rate limits.
- Abuse prevention: Access logs help identify and block abusive behavior.
- Service improvement: Aggregate, anonymized usage data (e.g., most popular endpoints) may be used to prioritize features.
5. Data Security
- All traffic is encrypted via HTTPS (TLS, terminated at Cloudflare).
- API keys are stored as SHA-256 hashes. Plaintext keys are shown once at registration and never stored.
- The database is stored locally on the server with filesystem-level access controls.
- No passwords are collected (API keys are the only credential).
6. Data Retention
- Access logs: Pruned automatically after 90 days.
- API key records: Retained until you request deletion.
- Fee history data: Aggregate data retained for up to 30 days for the fee history endpoint.
7. Your Rights
You may request:
- Deletion of your API key and associated email by contacting us.
- Information about what data we hold about your email address.
Contact [email protected] for data requests.
8. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), the following applies to our processing of your personal data:
- Lawful basis: We process IP addresses and API key hashes under legitimate interest for rate limiting and service operation. Email addresses are processed on the basis of consent provided at registration.
- Data portability: You have the right to receive your personal data in a structured, machine-readable format. Contact [email protected] to request a data export.
- Supervisory authority: You have the right to lodge a complaint with your local data protection supervisory authority.
- International transfers: Your data is processed in the United States. By using the Service, you consent to this transfer.
9. California Privacy Rights (CCPA)
California residents have the right to know what personal information is collected, request deletion, and opt out of sale. We do not sell personal information. Contact [email protected] for data requests.
10. Self-Hosted Instances
This Privacy Policy applies only to the hosted service at bitcoinsapi.com. If you self-host Satoshi API, you are responsible for your own data handling practices. The open-source software does not phone home or transmit data to us.
11. Children's Privacy
The Service is not directed at children under 13. We do not knowingly collect information from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date.
13. Contact
For privacy questions or data requests, contact us at [email protected].