Privacy Policy
CanalAPI is operated by a Japan-registered entity and handles your data in accordance with the Act on the Protection of Personal Information (APPI).
1. Data Controller
CanalAPI is operated by a Japan-registered corporation. All personal data collected through this platform is controlled and processed by us. Our registered address and contact information are available upon request.
2. Information We Collect
- Account information: email address, display name, and password hash (bcrypt).
- Billing information: payment method type, transaction IDs. We do not store credit card numbers — payments are processed by third-party providers (Stripe, Alipay, WeChat Pay).
- API usage metadata: request timestamps, model IDs, token counts, latency, and status codes. We do NOT log prompt or completion content.
- Technical information: IP address (masked after 30 days), browser User-Agent, and referral codes.
- Communication data: emails you send to our support team.
3. How We Use Your Information
We use collected information to provide and improve the CanalAPI service, process payments, issue invoices, detect fraud, send transactional notifications, and comply with legal obligations under Japanese law. We do not sell your personal data to third parties.
4. Data Residency
All personal data is stored on servers located in Japan. Invoice PDFs and database backups are stored on Japan-region cloud storage (AWS S3 Tokyo or Wasabi Tokyo). Usage metadata may be temporarily cached on Cloudflare edge nodes globally for performance purposes.
5. Data Retention
Account data is retained for the duration of your account plus 3 years after account deletion, as required for tax and accounting purposes. API call logs (metadata only) are retained for 90 days. Invoice documents are retained for 7 years in compliance with Japanese accounting law.
6. Your Rights (APPI)
Under Japan's APPI, you have the right to access, correct, or delete your personal information. You may also request disclosure of how your data is used or object to certain processing. To exercise these rights, contact us at privacy@canalapi.com. We will respond within 30 days.
7. Security Measures
We implement industry-standard security measures, including TLS 1.3 for all data in transit, AES-256-GCM encryption for sensitive API credentials, bcrypt hashing (cost ≥ 12) for passwords, and SHA-256 hashing for API keys. Access to production systems is restricted to authorized personnel and subject to audit logging.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 30 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.
If you have any questions or concerns, please contact us at:
privacy@canalapi.com