Privacy Policy
Effective Date: February 12, 2026
1. Introduction
Welcome to Deli (“we,” “us,” “our”). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our API key management and proxy platform, including our website, developer portal, user portal, API services, CLI tool, and SDK (collectively, the “Service”).
We are committed to protecting your privacy and being transparent about our data practices. This Privacy Policy should be read in conjunction with our Terms of Service.
By using our Service, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Service.
2. Information We Collect
2.1 Information You Provide
When you use our Service, we collect information that you provide directly to us:
- Account Information: Email address, password (hashed using bcrypt), and account preferences for both Developer and User accounts.
- API Keys: Third-party service credentials (OpenAI, Anthropic, Stripe, GitHub) that you choose to store in our encrypted vault. These are encrypted using AES-256-GCM with unique initialization vectors.
- OAuth Applications: Information about applications you register as a developer, including app names, descriptions, redirect URIs, and webhook endpoints.
- Support Communications: Information you provide when contacting us for support, including your messages and any attachments.
2.2 Information We Collect Automatically
When you use our Service, we automatically collect certain information:
- Usage Data: Information about your interactions with the Service, including API calls made through our proxy, request/response metadata, timing data, and error logs.
- Log Information: Server logs that include IP addresses, browser type, operating system, referring/exit pages, date/time stamps, and clickstream data.
- Device Information: Information about the device you use to access our Service, including device type, operating system, and unique device identifiers.
- Session Data: Information stored in browser sessions to maintain your login state and preferences.
2.3 Information from Third Parties
We may receive information about you from third parties:
- OAuth Providers: If you use social login (Google), we may receive basic profile information like your email address and name.
- API Providers: When we proxy requests to third-party services, we may receive response metadata, but we do not store the actual response content.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and Maintain the Service: To operate our API proxy, manage your encrypted key vault, handle OAuth authorization flows, and provide customer support.
- Security and Fraud Prevention: To detect and prevent unauthorized access, abuse, and fraudulent activity. This includes monitoring for unusual API usage patterns and potential security threats.
- Analytics and Improvement: To understand how our Service is used, improve functionality, and develop new features. This includes analyzing usage patterns and performance metrics.
- Communication: To send you important service announcements, security alerts, support responses, and updates about changes to our Service.
- Compliance: To comply with legal obligations, enforce our Terms of Service, and protect the rights and safety of our users and the public.
- Rate Limiting and Abuse Prevention: To enforce rate limits and prevent abuse of our Service by monitoring usage patterns and implementing appropriate controls.
4. Data Sharing and Disclosure
4.1 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
4.2 When We May Share Information
We may share your information in the following limited circumstances:
- API Proxy Requests: When you make proxied API calls, we forward necessary request data to the target service (OpenAI, Anthropic, Stripe, GitHub) along with your decrypted credentials. We only share what’s necessary to complete the request.
- Service Providers: We may share information with trusted service providers who help us operate our Service, such as hosting providers, monitoring services, and payment processors. These providers are contractually bound to protect your information.
- Legal Requirements: We may disclose information if required by law, such as in response to a subpoena, court order, or law enforcement request.
- Safety and Security: We may share information to protect the rights, property, or safety of Deli, our users, or the public, including in cases of suspected fraud or security threats.
- Business Transfers: If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to the same privacy protections.
4.3 Aggregated and Anonymized Data
For research, analytics, or business purposes, we may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you.
5. Data Security
We implement comprehensive security measures to protect your information:
- Encryption: API keys are encrypted at rest using AES-256-GCM with unique initialization vectors. All data in transit is protected using HTTPS with TLS 1.2 or higher.
- Access Controls: We implement strict access controls and authentication mechanisms. Database access is restricted to authorized personnel and systems.
- Infrastructure Security: Our infrastructure includes firewalls, intrusion detection systems, and regular security monitoring. We use secure hosting providers with SOC 2 compliance.
- Code Security: We implement secure coding practices, including input validation, output encoding, and protection against common vulnerabilities like SQL injection and XSS.
- Regular Audits: We conduct regular security assessments and monitor for vulnerabilities. Critical security updates are applied promptly.
- Incident Response: We have procedures in place to detect, respond to, and notify users of security incidents in accordance with applicable laws.
While we implement strong security measures, no system is 100% secure. We encourage you to take steps to protect your account, such as using strong passwords and enabling two-factor authentication when available.
6. Data Retention
We retain your information for as long as necessary to provide our Service and comply with legal obligations:
- Account Data: Retained for the lifetime of your account and deleted within 30 days of account termination, unless we have a legal obligation to retain it longer.
- API Keys: Stored in encrypted form until you delete them or terminate your account. Deleted immediately upon request.
- Audit Logs: Proxied API call logs are retained for 30 days for security and debugging purposes, then automatically purged.
- OAuth Tokens: Access tokens expire after 1 hour, and refresh tokens expire after 30 days. Authorization codes expire after 10 minutes.
- Support Communications: Retained for up to 3 years to provide ongoing support and resolve issues.
- Legal Hold: Information may be retained longer if required by law, legal proceedings, or investigations.
7. Your Rights and Choices
7.1 Access and Control
You have several rights regarding your personal information:
- Access: You can view and download your account information, stored API keys, and usage history through your dashboard.
- Correction: You can update your account information and correct any inaccuracies through your account settings.
- Deletion: You can delete your API keys or terminate your account at any time, which will result in the deletion of your data (subject to legal retention requirements).
- Portability: You can export your data through our API endpoints or by contacting us.
- Revocation: You can revoke OAuth authorizations and API access at any time through your user dashboard.
7.2 Regional Privacy Rights
Depending on your location, you may have additional rights:
- European Economic Area (EEA), UK, and Switzerland: You may have rights under GDPR, including the right to object to processing, restrict processing, and file complaints with supervisory authorities.
- California: You may have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected and the right to non-discrimination.
- Other Jurisdictions: You may have additional rights under local data protection laws.
7.3 Exercising Your Rights
To exercise your privacy rights, you can:
- Use the controls in your account dashboard
- Contact us at kieran@kierans.net
- Use our API endpoints to export data
- Submit requests through our support channels
We will respond to your request within 30 days and may need to verify your identity before processing certain requests.
9. International Transfers
Our Service is operated from the United States. If you are located outside the United States, please be aware that information we collect will be transferred to and processed in the United States and other countries where we or our service providers operate.
If you are in the EEA, UK, or Switzerland, we rely on appropriate safeguards for international transfers, including adequacy decisions, standard contractual clauses, or other legally recognized mechanisms.
10. Children's Privacy
Our Service is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at kieran@kierans.net.
If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as quickly as possible.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:
- Update the "Effective Date" at the top of this Privacy Policy
- Post the updated Privacy Policy on our website
- Notify you of material changes via email or through our Service
- For significant changes, provide advance notice and obtain consent where required by law
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Deli
Email: kieran@kierans.net
Website: https://withdeli.com
Subject Line: Privacy Policy Inquiry
We will respond to your inquiry as promptly as possible, typically within 30 days. For urgent privacy concerns, please indicate this in your subject line.