Privacy Policy

Effective: March 26, 2026

TL;DR

  • We collect the minimum data needed to run the service.
  • We don't sell your data. Ever.
  • We don't use client-side analytics or tracking pixels.
  • You can export or delete your data at any time.

1. What We Collect

Account data: Email address, display name, and avatar (from OAuth provider).

Spec content: The OpenAPI specifications you create and edit.

Execution data: API request/response logs from the execution proxy. Auto-deleted after 7 days (free) or 30 days (pro).

Workspace data: Workspace names, member lists, roles, and invitation records.

Usage data: Server-side logs only (request timestamps, route paths, response codes). No client-side analytics, no tracking pixels, no fingerprinting.

2. How We Use It

| Data Type | Purpose | Shared With |
|-----------|---------|-------------|
| Account | Authentication, display | Workspace members (name only) |
| Specs | Editing, storage, hotlinks | Public if hotlink enabled |
| Execution | Debugging, history | Never |
| Workspace | Collaboration | Workspace members |
| Usage | Ops, debugging | Never |

3. Where Data Lives

All data is stored on Cloudflare's global network (D1 for database, KV for cache, R2 for storage). Cloudflare operates data centers in 300+ cities worldwide. If you self-host, all data lives in your own Cloudflare account.

4. Cookies

We use one cookie:

  • Session token — signed JWT, 7-day expiry, HttpOnly, Secure, SameSite=Lax

No analytics cookies. No third-party cookies. No cookie banner needed.

5. Third-Party Services

  • Cloudflare — Infrastructure (hosting, database, cache, storage)
  • GitHub — OAuth sign-in (we only receive your email address)

That's it. No analytics services, no ad networks, no data brokers.

6. Data Retention

| Data Type | Retention |
|-----------|-----------|
| Account | Until you delete it |
| Specs | Until you delete them |
| Execution history | 7 days (free) / 30 days (pro), auto-deleted |
| Invitations | 7 days after acceptance or expiry |
| Server logs | 30 days |

7. Your Rights

  • Export: Download your specs as JSON or YAML at any time.
  • Delete: Delete individual specs, workspaces, or your entire account.
  • Access: View all data associated with your account.

GDPR: If you're in the EU, you also have the right to correction, objection, data portability, and filing a complaint with your local data protection authority.

8. Children

OpenAPI Studio is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children.

9. Changes

If we update this policy, we'll announce it via an in-app notification. Material changes take effect 30 days after notice.

10. Contact

Questions about privacy? Open an issue on GitHub or email privacy@openapistudio.app. We aim to respond within 7 days.