Privacy Policy
Effective: 2026-06-21 Operator: X80 Pte. Ltd. (Singapore) — "we", "us" Service: the MyAPI platform at myapihq.com and its APIs (auth, email, domains, funnels, billing, and related primitives) — "the Service"
1. Who this policy is for
MyAPI is an API platform used by developers and agents ("customers") to build applications. This policy covers two groups of people:
- Customers — those who hold a MyAPI account and API key.
- End users — people who interact with a customer's application, including signing in through the MyAPI authentication API.
2. What we collect
From customers: account email, organization details, API-key identifiers (never the secret in plaintext after creation), billing records, and the configuration you create (domains, mailboxes, funnels, workflows).
From API traffic: request and response metadata — timestamp, source IP, API-key identifier, endpoint, payload size, latency, and status code — plus the content you send to an endpoint for the duration needed to fulfil it.
From end users signing in (authentication API): when a customer's application uses MyAPI to authenticate an end user via a third-party identity provider (for example, Google), we receive from that provider the end user's basic profile: their unique account identifier, email address, email-verified status, display name, and profile picture URL. We collect only what the customer's application needs to establish the end user's identity.
3. Google user data
When an end user signs in with Google through the MyAPI authentication API, MyAPI requests only the openid, email, and profile scopes. We use this data solely to:
- verify the end user's identity and create or match their account within the customer's application, and
- return the end user's identity to the customer application that initiated the sign-in.
MyAPI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, we do not sell it, we do not transfer it to others except to deliver the sign-in to the customer application that requested it or as required by law, and we do not use it to train any models.
4. What we do with it
- Provide the Service. We process requests, deliver email, manage domains, publish funnels, and authenticate end users on behalf of customers.
- Operational logs. Status, latency, and usage counts are retained to operate, secure, and debug the Service.
- Billing. Usage by API-key identifier is retained to produce invoices and reconcile balances.
We do not train models on your data, sell personal data, or use request content for marketing.
5. Retention
- Customer account and configuration data: for the life of the account, then deleted within 90 days of account closure.
- End-user identity records: retained while the customer's application keeps the end user active; deleted on the customer's instruction or within 90 days of account closure.
- Request/response content: not retained beyond what is needed to fulfil the request, except transient debug logs purged within 24 hours.
- Operational and billing metadata: up to 24 months.
6. Subprocessors
The Service runs on third-party infrastructure that processes data on our behalf:
- Google Cloud Platform — compute, storage, and networking.
- Cloudflare — edge delivery, DNS, and DDoS protection.
End-user sign-in additionally involves the identity provider the end user chooses (for example, Google), governed by that provider's own privacy policy.
7. Your rights
If you are an end user of a customer's application, the customer is the controller of your data; please direct access or deletion requests to them, and we will assist them as processor. For direct customer requests, write to simon@myapihq.com with the account or API-key identifier and the right you wish to exercise. We respond within 30 days.
8. Security
- All traffic to the Service is TLS-encrypted.
- API-key secrets and end-user credentials are stored hashed at rest; secrets are shown only at creation time.
- We follow least-privilege practices for operator access to production systems.
9. Changes
We will notify customers of material changes to this policy at least 30 days before they take effect, by email to the account contact on file.
10. Contact
Operator: X80 Pte. Ltd. (Singapore) Email: simon@myapihq.com