Privacy Policy
Last updated: 2026-05-25
FormulaAPI ("we", "us") provides a paid REST and WebSocket data service for Formula 1, Formula 2, Formula 3, and F1 Academy timing and historical data. This page describes what personal data we collect, why, where it goes, and what rights you have. We try to keep it short and concrete.
1. What we collect
- Account email. Provided by you when you sign up. Used to send the magic-link sign-in email and account-related notifications (subscription changes, security alerts, scheduled maintenance).
- Hashed API keys. When we issue an API key we store only its bcrypt hash — the raw key is shown to you once at issuance and is not recoverable from our side.
- Usage metadata. For every authenticated API request we record the timestamp, API key id, HTTP method, route, and response code, so we can enforce rate limits and bill subscription tiers. We do not log request bodies or response bodies.
- Billing identifiers. If you subscribe to a paid plan, Stripe creates a customer id and stores card details on its own systems (we never see or store card numbers). We store the Stripe customer id and the active price id alongside your account.
- Server logs. Standard HTTP access logs and error logs containing IP address, user agent, and timestamps. Retained for 30 days for debugging and abuse prevention, then deleted.
2. What we don't collect
- No advertising identifiers, fingerprinting, or third-party trackers on the docs site.
- No analytics SDK that tracks individual users across pages.
- No request or response payloads are logged on authenticated traffic.
- No location data beyond the IP-derived approximation in HTTP logs.
3. Who we share data with (processors)
We share the minimum necessary data with the following processors, each of which is bound by their own DPA:
- Stripe — payment processing and subscription state.
- Resend — transactional email (magic link, billing receipts).
- Railway — hosting infrastructure (compute, Postgres, Redis).
- Better Stack — uptime monitoring and status page.
We do not sell personal data, ever. We don't share data with advertising networks, brokers, or unrelated third parties.
4. Where data is stored
Primary database (Postgres) and cache (Redis) run on Railway. We pick an EU region when available. Stripe and Resend may process data in the US. Transfers are covered by Standard Contractual Clauses where applicable.
5. How long we keep it
- Account email and hashed API keys: until you delete your account.
- Usage metadata: 13 months (rolling), to support billing dispute windows.
- Server logs: 30 days.
- Stripe billing records: retained per Stripe's own retention policy and our local tax-law obligations (typically 10 years in Germany).
6. Your rights
Under GDPR (and analogous regimes), you can request access to, correction of, or deletion of your personal data. Email privacy@codai.app from the address on file. We respond within 30 days. You also have the right to lodge a complaint with your local data-protection authority.
7. Cookies
We use a single first-party cookie called fapi_session, signed with HMAC-SHA256, that stores only your authenticated session id. It is HttpOnly, Secure (in production), SameSite=Lax, and expires after 30 days. No tracking cookies, no third-party cookies, no banner needed under TTDSG because the cookie is strictly necessary for the account function.
8. Security
- All traffic encrypted in transit (TLS 1.2+).
- API keys stored as bcrypt hashes; raw keys never persisted.
- Session cookies HMAC-signed with a server-side secret.
- Stripe handles all card data; we don't see PANs.
- Report suspected security issues to security@codai.app.
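The session-cookie design described in sections 7 and 8 (a session id signed with HMAC-SHA256 under a server-side secret, sent with HttpOnly, Secure, SameSite=Lax and a 30-day lifetime), written out as an added example. This is not FormulaAPI's own code: it uses only the Python standard library, the secret is generated in-process purely for illustration, and the function names and the `id.hexmac` value layout are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "fapi_session"
COOKIE_MAX_AGE = 30 * 24 * 3600  # 30 days, as stated in section 7

# Constructed secret for this example only; a real service loads it from
# secret storage and never embeds it in source. Rotating it invalidates
# every outstanding cookie, because the MAC no longer verifies.
SERVER_SECRET = secrets.token_bytes(32)


def sign_session_id(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Return '<session_id>.<hex HMAC-SHA256>'; the cookie carries only the id."""
    mac = hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify_cookie_value(value: str, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the session id if the MAC verifies, else None (tampered or rotated secret)."""
    session_id, sep, mac = value.rpartition(".")
    if not sep or not session_id or not mac:
        return None
    expected = hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, mac):
        return None
    return session_id


def set_cookie_header(session_id: str, production: bool = True) -> str:
    """Build the Set-Cookie header value with the attributes listed in section 7."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = sign_session_id(session_id)
    morsel = jar[COOKIE_NAME]
    morsel["httponly"] = True        # not readable from page scripts
    morsel["secure"] = production    # Secure only in production, per the policy
    morsel["samesite"] = "Lax"
    morsel["max-age"] = COOKIE_MAX_AGE
    morsel["path"] = "/"
    return morsel.OutputString()


def session_from_cookie_header(cookie_header: str, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Parse an incoming Cookie header and return the verified session id, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    return verify_cookie_value(morsel.value, secret)


if __name__ == "__main__":
    # Constructed sign-in flow: issue a random session id and send the cookie.
    sid = secrets.token_urlsafe(32)
    header = set_cookie_header(sid)
    print("Set-Cookie:", header)

    # The browser echoes the name=value part back; it verifies cleanly.
    echoed = header.split(";")[0]
    print("verified:", session_from_cookie_header(echoed) == sid)

    # A client that edits the session id, or a cookie signed under an old
    # secret, is rejected rather than trusted.
    print("tampered:", session_from_cookie_header("fapi_session=x" + echoed.split("=", 1)[1]))
    print("rotated :", session_from_cookie_header(echoed, secrets.token_bytes(32)))
```

The MAC covers only the session id, so the server still looks the id up in its session store; the signature stops a client from swapping in another id, and rotating the secret logs everyone out. Expiry is enforced by Max-Age on the client and should also be enforced server-side on the stored session.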
9. Children
FormulaAPI is intended for developers and businesses. It is not directed at children under 16, and we do not knowingly collect their data.
10. Changes
Material changes will be announced by email to active subscribers and posted here with a new "Last updated" date.
11. Contact
Questions: privacy@codai.app. General: hello@codai.app.