This Privacy Policy describes how EndpointOS ("we", "us", or "our") handles information when you visit our website, create an account, and use the EndpointOS platform (the "Service"). We collect only what we need to operate the Service, and we do not sell personal information.
EndpointOS is part of the Baseframe Labs family of products (baseframelabs.com). Each product has its own data handling described in its own policy; this policy applies to EndpointOS only.
If you have questions about anything below, email support@baseframelabs.com.
1. Who we are
EndpointOS is the controller of the personal data described in this policy. We operate out of the United States. You can reach us at support@baseframelabs.com for any data-protection question, including access, correction, deletion, or portability requests.
2. Information we collect
2.1 Account information
When you sign up, we ask for an email address, a name, and a password. Passwords are hashed by Supabase Auth and never stored in plaintext. Once you choose a username, it becomes part of your public API URLs and cannot be changed through self-service.
2.2 Project content you create
We store the resources, fields, records, API contracts, API keys, consumers, webhook endpoints, and other project assets you create. You own this content. We store it so we can serve the Service to you and to anyone you authorise via an API key.
2.3 Operational telemetry
To operate the public API surface, enforce limits, debug issues, and protect against abuse, we collect:
- Request logs: HTTP method, path, status code, duration, request and response bodies (capped and secret-redacted), IP address, user agent, and the API key and consumer (if any) that authorised the call.
- Usage events: counters used to enforce per-project and per-consumer monthly limits.
- Audit events: a record of sensitive actions you take in your dashboard, including key creation/rotation/revocation, project edits, contract publishes, webhook changes, log-ins from new locations, and exports of your own data.
- Login telemetry: IP address, user agent, and timestamp for each successful sign-in, used to detect unfamiliar locations.
2.4 Secrets
We never store API keys or webhook signing secrets in plaintext. API keys are stored as salted hashes; the only time you ever see the full value is the moment of creation. Webhook signing secrets are encrypted at rest with AES-256-GCM using a server-only key.
2.5 Information from your visitors
When end users call APIs you have published with EndpointOS, we may incidentally process request payloads and IP addresses you choose to send. Anything inside the request body is governed by your own privacy policy with your end users; you control what data you ask them to send. We act as a processor for that content on your behalf.
2.6 Contact submissions
When you use our contact form we collect the name, email, category, and message you provide. We use this only to respond to your enquiry. We do not add you to any marketing list, and we do not currently send marketing emails.
2.7 Analytics and what we do not collect
We use privacy-first, cookieless analytics (Vercel Web Analytics) to understand aggregate traffic to our public pages. It sets no cookies, does not track you across sites, and does not collect personally identifying information. We place no advertising trackers anywhere. We do not sell personal information, and we do not use your project data to train machine-learning models.
3. How we use information
We use the information above to:
- Provide, secure, and improve the Service.
- Authenticate you and protect your account from abuse and unauthorised access.
- Enforce usage limits, rate limits, and other contractual or fair-use boundaries.
- Generate the dashboards, audit log, request log, analytics, and per-key, per-consumer, and per-resource views in your account.
- Send transactional emails (password resets, security alerts, account-lifecycle messages). We do not currently send marketing emails.
- Investigate and respond to abuse reports, security incidents, and legal requests.
4. Legal bases (EEA/UK users)
Where the EU/UK GDPR applies, we rely on the following legal bases: contract (to provide the Service to you), legitimate interests (to secure and improve the Service and prevent abuse), legal obligation (to respond to lawful requests), and consent where required and explicitly given.
5. How we share information
We share personal data only with the sub-processors that help us run the Service and only as needed:
- Supabase. Managed Postgres and authentication. Project content, account information, request logs, audit events, and hashed credentials are stored here.
- Vercel. Hosting, edge proxy, and build infrastructure. Request metadata (URL, IP, headers) passes through Vercel as part of normal HTTP serving. We also use Vercel Web Analytics, which is cookieless and does not collect personally identifying information.
- Stripe. Payment processing for paid plans. When you subscribe, your billing details (name, email, card) are collected and processed by Stripe; we store only a Stripe customer and subscription identifier plus your current plan, not card numbers.
We do not share personal information with advertisers or data brokers. We may disclose information when required by valid legal process, to enforce our Terms, to protect the rights, property, or safety of users or the public, or in connection with a corporate transaction (we will provide notice in that case).
6. Retention
- Account information: retained while your account is active. After deletion we remove identifying fields within 30 days, except where retention is required by law.
- Request logs: retention varies by plan (7 days on the free plan). Older rows are deleted automatically.
- Audit events: kept for the lifetime of your account so you have a full record of sensitive actions.
- Backups: rolling encrypted backups may retain residual data for up to 35 days after deletion before being overwritten.
7. Security
We apply defence-in-depth controls on top of our infrastructure: API keys are stored as salted hashes, webhook secrets are encrypted at rest, account passwords are managed by Supabase Auth, traffic to the dashboard is served over HTTPS with a strict Content Security Policy, sensitive actions are recorded in an immutable audit log, login attempts are rate-limited and locked out on repeated failure, and outbound webhook deliveries are guarded against SSRF. See our Security overview for the full list.
No system is perfectly secure. If you believe you have found a vulnerability, please email support@baseframelabs.com and we will respond.
8. Your rights
Subject to applicable law (including GDPR, UK GDPR, and CCPA/CPRA), you have the right to:
- Access the personal data we hold about you.
- Request that we correct inaccurate information.
- Request deletion of your account and associated personal data.
- Receive a copy of your data in a portable format.
- Object to or restrict certain processing.
- Lodge a complaint with your data protection authority.
California residents have additional rights under the CCPA/CPRA, including the right to opt out of any sale or sharing of personal information. We do not sell or share personal information as defined by the CCPA.
To exercise any of these rights, email support@baseframelabs.com. We may need to verify your identity before acting on the request.
9. International transfers
Our infrastructure is hosted in the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US. Where applicable we rely on the European Commission's Standard Contractual Clauses or equivalent safeguards for cross-border transfers.
10. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, please contact us so we can delete it.
11. Changes to this policy
We will post any material changes to this page and update the effective date above. For significant changes we will additionally notify you by email or in the dashboard before the new terms take effect.
12. Contact us
For privacy questions or to exercise your rights, email support@baseframelabs.com or visit our contact page.