Privacy Policy
How xchangr8 collects, uses, and protects your data.
Last updated: 7 June 2026
This Privacy Policy explains how xchangr8 ("we", "us", or "xchangr8") collects, uses, stores, and protects information when you use our website at xchangr8.com and our foreign exchange rate API (collectively, the "Service"). By using the Service you agree to the practices described here.
1. Information We Collect
We collect the minimum information necessary to provide and improve the Service. This includes:
- API usage logs — Every API request is logged with a timestamp, endpoint called, response code, response time (ms), and the API key used (hashed). We do not log request body content.
- Email address — Collected at sign-up to identify your account, send transactional emails (key creation, billing receipts, service alerts), and for account recovery.
- Billing information — Collected and processed by our payment processor, Stripe. We store only a Stripe customer ID and subscription status; we never store raw card numbers on our servers.
- IP addresses — Captured per API request for abuse detection, rate limiting, and security purposes. IP addresses are not associated with your public profile.
- Browser / device information — Basic user-agent and session data collected when you visit our website, used for analytics and security.
We do not sell your personal data. We do not use your data for advertising. We do not build behavioural profiles.
2. How We Use Your Information
Information we collect is used exclusively for the following purposes:
- Service delivery — authenticate API requests, enforce rate limits, return exchange rate data, and operate your account dashboard.
- Billing — process subscription payments, send invoices, and handle plan upgrades or downgrades via Stripe.
- Security and abuse prevention — detect and block fraudulent or abusive usage patterns, investigate anomalies, and protect the integrity of the API for all users.
- Service communications — send transactional emails about your account (password resets, API key changes, billing events). We do not send marketing email without explicit consent.
- Service improvement — analyse aggregate, anonymised usage patterns to understand which endpoints are most used, latency trends, and to guide product roadmap decisions.
3. Data Retention
We retain data only as long as necessary:
- API request logs — retained for 90 days, then permanently deleted. Aggregated (non-identifiable) statistics derived from logs may be retained indefinitely.
- Account data — retained for the lifetime of your account. Upon account deletion, all personal data associated with your account is purged within 30 days, except where retention is required by law (e.g. billing records may be retained for up to 7 years for tax compliance).
- Billing records — retained for 7 years as required by Australian tax law.
- Security logs — anomaly and abuse records may be retained for up to 12 months.
To request deletion of your data before your account closure, contact us at privacy@xchangr8.com.
4. Third-Party Services
We use a small number of carefully selected third-party providers to operate the Service:
- Stripe — payment processing and subscription management. Stripe is PCI DSS Level 1 certified. Your payment data is subject to Stripe's Privacy Policy.
- Cloudflare — global CDN, DDoS protection, and edge infrastructure. API requests pass through Cloudflare's network. Cloudflare may process IP addresses and request metadata per their Privacy Policy.
- Exchange rate data providers — we aggregate rate data from ECB (European Central Bank), FRED (Federal Reserve), Currencybeacon, and FastForex. These providers supply market data only; they do not receive any of your personal information.
We do not use Google Analytics, Facebook Pixel, or any other advertising or behavioural tracking third parties.
5. Cookies
We use only the cookies strictly necessary to operate the Service:
- Session cookie — a short-lived, HTTP-only cookie to maintain your authenticated session in the dashboard. Expires when you close your browser or log out.
- CSRF token — a security cookie to protect form submissions from cross-site request forgery attacks.
We do not use persistent tracking cookies, analytics cookies, or any third-party advertising cookies. No cookie consent banner is required because we use only strictly necessary cookies.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete personal data.
- Deletion — request deletion of your personal data (subject to legal retention obligations).
- Portability — request your data in a structured, machine-readable format.
- Objection — object to processing where we rely on legitimate interests as the legal basis.
- Withdrawal of consent — where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email privacy@xchangr8.com. We will respond within 30 days. We may need to verify your identity before fulfilling a request.
7. Security
We take security seriously and implement the following practices:
- Encryption in transit — all data transferred between your browser or application and our servers is encrypted using TLS 1.2 or 1.3.
- Encryption at rest — all databases and storage volumes are encrypted at rest using AES-256.
- API key hashing — API keys are stored as bcrypt hashes; we cannot recover a key after initial issuance.
- Access controls — production systems are accessible only to authorised personnel via SSH with hardware-key authentication. Principle of least privilege applies throughout.
- SOC 2-level practices — our security posture aligns with SOC 2 Type II controls for security, availability, and confidentiality, including audit logging of administrative actions and regular vulnerability assessments.
- Incident response — in the event of a data breach affecting your personal data, we will notify you within 72 hours as required by applicable law.
No system is completely secure. If you discover a security vulnerability, please report it responsibly to privacy@xchangr8.com.
8. Contact
If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact our privacy team:
We are committed to resolving privacy complaints promptly. If you are not satisfied with our response, you may have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.
This policy may be updated periodically. Material changes will be communicated by email to registered users and by posting a notice on this page. Continued use of the Service after any update constitutes acceptance of the revised policy.