Privacy Policy — IP-Atlas

This policy explains what information IP-Atlas collects, how we use it, and what rights you have. IP-Atlas is operated by Trellis Digital Services LLC ("Company", "we", "us").

Our core principle: we store only what we need to operate the Service. We do not log the content of your API requests, we do not sell data, and we do not use your usage patterns for marketing or analytics.

What we collect

Data	Purpose	Source
Email address	Account identity, key delivery, billing receipts, service notices	You, at signup or checkout
SHA-256 hash of your API key	Authenticate your requests	Generated at key issuance (we never store the plaintext)
Per-key daily and monthly request counts	Quota enforcement, billing accuracy, operational metrics	Incremented on each authenticated request
Stripe customer identifier	Subscription lifecycle, billing portal, webhooks, overage invoicing	Stripe, when you check out or authorise a card
Server access logs	Debugging, abuse detection	Retained ≤30 days, no request body content, no query parameters

What we do NOT collect

The IP addresses you look up via /json/{ip} or /v1/batch. These are not logged. Once a response is rendered, the query IP is gone.
Your payment details (card number, CVV, expiry). These are collected and stored by Stripe under PCI DSS scope and never touch our servers.
Cross-site tracking cookies, marketing analytics, or third-party advertising trackers.

Subprocessors

Stripe, Inc. — payment processing (stripe.com/privacy)
Cloudflare, Inc. — DNS, edge proxy, WAF (cloudflare.com/privacypolicy)
DigitalOcean, LLC — hosting for the API servers (digitalocean.com/legal/privacy-policy)
Zoho Corporation — transactional email delivery (zoho.com/privacy.html)

How we use your data

To authenticate requests and enforce plan quotas;
To bill you correctly, including overage, and send receipts;
To send you service notices (80% and 95% usage warnings, outage notifications, material changes to these policies);
To investigate abuse or security incidents.

We do not sell your data, rent it, or share it with advertising networks. We will disclose data only when legally compelled (subpoena, court order, or similar), and only to the extent required.

Data retention

Account email and key hash: retained while your key is active, plus 6 months after revocation for fraud and audit purposes, then deleted.
Per-key request counts: rolling 13-month retention for historical billing inquiries, then aggregated and per-key detail deleted.
Server access logs: ≤30 days.
Billing periods: retained 7 years for US tax compliance.
Stripe data: retained by Stripe per their own policies; we only store the opaque customer and subscription identifiers.

Your rights

Regardless of where you live, you can:

Request a copy of the data we hold associated with your email address;
Request correction of inaccurate data (most fields are already self-serve in the dashboard);
Request deletion of your account (we delete your email, key, and usage history subject to the retention limits above).

Residents of California (CCPA/CPRA), the EEA/UK (GDPR), and other US states with comprehensive consumer-privacy laws have additional statutory rights. We do not sell personal information, so no opt-out is required; but if you have a specific request, email [email protected].

International transfers

IP-Atlas is hosted in the United States. If you access the Service from outside the United States you consent to your data being processed in the United States. We rely on Standard Contractual Clauses with our subprocessors where applicable.

Children

The Service is not directed to children under 16 and we do not knowingly collect data from children.

Security

API keys are stored as SHA-256 hashes — even a full database compromise does not expose plaintext keys. Transport is TLS 1.2+. Stripe handles all card data. Internal access to production is limited to the single operator of Trellis Digital Services LLC.

If you discover a vulnerability, please email [email protected]. We will acknowledge within 72 hours.

Changes

We may update this policy from time to time. Material changes will be announced by email to active subscribers at least 30 days before taking effect.

Contact

Trellis Digital Services LLC
Email: [email protected]