Privacy Policy
What data BuildCalc API collects, how we use it, and your rights under CCPA. Written to actually match what we do — no boilerplate.
Effective date: 2026-05-30 Last updated: 2026-05-30 Version: 1.1
This Privacy Policy explains how NF Nation LLC ("we", "us", "Provider") collects and uses information about Customers and prospective Customers of the BuildCalc API (the "Service"). It supplements (and does not replace) the Terms of Service.
We are a B2B API for developers and AI agents. We do not run a consumer product, we do not collect data on Customer's end users, and we do not sell data to anyone.
TL;DR
| What we collect | Why | Where it's stored |
|---|---|---|
| Your email address | Send your API key + transactional notices, recover account | Render Postgres (US-West) |
| Stripe customer + subscription IDs | Bill you per the tier and overage you signed up for | Render Postgres; full card data lives at Stripe, never with us |
| API key hash (HMAC-SHA-256) | Authenticate your requests; we never store the plaintext | Render Postgres |
| Per-request logs: HTTP path, method, status, timestamp | Rate limiting, usage metering for billing, security forensics | Render Postgres (usage_events table, monthly partitioned) |
| Sensitive-operation audit records (linked to your API key ID) | Audit trail for revocations, billing changes, exports, admin actions | Render Postgres (audit_log table, monthly partitioned) |
| Idempotency cache (24h TTL) of recent API responses you replayed | Safe retry on transient network failures | Render Postgres (idempotency_keys, 24h auto-expiring) |
| IP address (transient) | Reverse-proxy + rate-limit at the edge; not persisted in our DB beyond what's already in Render's web logs | Render web service logs (rotated by Render) |
| Crash + error telemetry (when GlitchTip is enabled) | Diagnose bugs | GlitchTip (US region), with PII scrubbing enabled — see §9 |
What we don't collect:
- Card numbers, CVCs, bank account numbers — Stripe holds these, never us.
- Your end users' data — you don't submit it to us, and we don't request it.
- Cookies on the API itself (it's a REST API, no browser session).
- Analytics or tracking cookies on this docs site — there are none today.
- Personal data of EU residents under GDPR — Customer must sign a DPA before submitting any (see ToS §3.1). We don't process EU personal data by default.
- Behavioral profiles, advertising IDs, precise GPS location, biometric data, or any "special category" data under GDPR Art. 9.
1. What is "personal information" in this Policy
Under the California Consumer Privacy Act (CCPA / CPRA), "personal information" includes information that identifies, relates to, or could reasonably be linked with a particular consumer or household. For BuildCalc API, that's limited to: your email, your Stripe customer/subscription IDs, your API key metadata (hash + prefix), request logs tied to your API key, and audit records referencing your API key ID.
If you provide a business email (e.g., [email protected]), it is still
personal information for purposes of this Policy even though you're acting in
a B2B capacity.
2. Sources of personal information
- You provide it. When you call
POST /v1/account/signupor sign up via the Stripe Customer Portal, you provide your email and a Stripe PaymentMethod ID. - Generated by your use. Each API call automatically generates a usage
row tagged to your API key (path, method, timestamp, status, response time).
Sensitive operations (key revocations, tier changes, exports, admin
actions) also generate an
audit_logrow tied to the affected key ID. - From service providers. Stripe shares back your
stripe_customer_id,stripe_subscription_id, and billing webhook events. Render and Cloudflare share aggregated logs and metrics for the request layer.
3. How we use personal information
- Provide the Service. Authenticate your API calls, enforce rate limits per your tier, return responses.
- Bill you. Compute monthly base fees and per-call overage based on usage rows, send invoices via Stripe.
- Audit sensitive operations. Record key revocations, tier changes, billing events, export requests, and admin actions in an append-only audit log for security forensics and regulatory accountability.
- Send transactional notices. Email you about your account, payment failures, security incidents that affect you, material Terms changes.
- Improve the Service. Aggregate usage statistics ("p95 latency on
/v1/calc/concrete/yards") to find slow endpoints, optimize databases, prioritize new features. Per ToS §1.4 we never disclose un-aggregated Usage Data to third parties. - Comply with law. Respond to valid legal process (subpoena, court order), defend ourselves against legal claims, prevent fraud or abuse.
We do not use personal information for advertising, behavioral profiling, or to train AI models that are made available outside BuildCalc API. Per ToS §1.6, Usage Data and Customer Content may be used to develop AI/ML features within the Service but only after aggregation and de-identification.
4. Who we share personal information with
| Recipient | Purpose | What they get |
|---|---|---|
| Stripe | Payment processing, subscription management | Email, payment method (you provide directly to Stripe via Stripe Elements), Stripe billing metadata |
| Render | Hosting the API and database | All operational data the Service stores — they don't access it except for infrastructure ops |
| Cloudflare (DNS, CDN, request routing, Email Routing, Turnstile bot verification) | Edge layer for docs.buildcalcapi.dev, buildcalcapi.dev, inbound legal@/security@/noreply@/support@ aliases, and signup-form anti-bot checks | Request headers + IPs at edge; no application body data; Turnstile receives IP + token + page URL during signup verification |
| GlitchTip (when enabled) | Crash + error monitoring | Stack traces, request_id, request path (no body content) with PII scrubbing — see §9 |
| Email provider (planned post-launch) | Transactional email delivery | Your email address + message bodies |
Each service is a Service Provider under CCPA §1798.140(e), bound by contract to not retain, use, or disclose your information for any purpose other than the specific service.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We have not done so in the past 12 months, and we have no plans to.
5. How long we keep it
- API key hash + key prefix: until you revoke the key, then 30 days for audit trail. (We are working toward automated enforcement of this 30-day cleanup — see §11.)
- Usage events: 13 months (rolling), partitioned monthly. Aged-out partitions are dropped automatically by our partition maintenance job.
- Audit log records: 13 months (rolling), partitioned monthly, on the same schedule as usage events.
- Idempotency cache: 24 hours, with automatic expiry. Cached API responses are deleted within this window.
- Stripe customer + subscription metadata: as long as you have an active subscription, plus 7 years after termination for tax and accounting law.
- Email: until you close your account or 18 months after last activity, whichever is sooner. (We are working toward automated enforcement — see §11.)
- Web logs at Render/Cloudflare: per their default retention (typically 30 days for Cloudflare edge logs).
6. Your rights — California (CCPA / CPRA)
If you are a California resident (or your business is located in California), you have the right to:
- Know what personal information we have about you, the categories and sources, and the categories of third parties we share it with. This Policy is our standing answer to the categorical version of that right.
- Access a specific copy of your personal information. Today, while we
build out the self-service
/v1/account/exportflow, you can request a copy by emailing[email protected]from the email on file; we respond within 45 days as required by §1798.130. - Delete your personal information, subject to exceptions for ongoing
legal obligations (e.g., we must keep payment records for tax law). Email
[email protected]to request deletion. We confirm via the email on file, scope the deletion to fields not subject to retention mandates, and respond within 45 days. - Correct inaccurate personal information. Email
[email protected]with the requested correction; we confirm via the email on file and respond within 45 days. - Opt out of "sale" or "sharing" — but as stated, we don't sell or share for cross-context behavioral advertising, so there's nothing to opt out of.
- Limit use of sensitive personal information — we don't process sensitive personal information as defined under CPRA.
- Non-discrimination — we will not deny service, charge different prices, or provide a lesser level of service if you exercise any of these rights.
To exercise these rights, email [email protected] from the email on file for your account. We'll verify your identity by sending a confirmation link to that email, or by asking you to confirm two of the following: the email used to sign up, the Stripe customer ID (visible in your Stripe Customer Portal), or the first 8 characters of an API key. We respond within 45 days (extendable to 90 days if needed, with notice).
You may also designate an authorized agent in writing.
If you believe we've violated CCPA, you may contact the California Privacy Protection Agency at https://cppa.ca.gov.
7. Your rights — other US states
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas,
Oregon, Montana, or any other state with a comprehensive privacy law, you
have substantially similar rights to access, delete, correct, and opt out as
described in §6. Use the same email ([email protected]) to exercise
them.
We do not currently market or sell into the European Union or United Kingdom and do not process Personal Data under GDPR / UK GDPR by default. If a Customer requires GDPR coverage, the parties must sign a Data Processing Addendum per ToS §3.1.
8. Children
The Service is B2B and not directed to children under 16. We do not
knowingly collect personal information from children. If you believe a
child has provided personal information to us, email
[email protected] and we will delete it.
9. Security
- API keys are HMAC-SHA-256 hashed with a server-side pepper before storage. Plaintext keys are shown to you once at creation and never stored.
- TLS 1.2+ is required on all API endpoints.
- Database connections use TLS to Render Postgres.
- Secrets (DB credentials, Stripe keys, peppers) live outside the repo, in a separate secret store with file-level audit headers.
- Pre-commit hooks (bandit, pip-audit) gate every commit for known vulnerabilities and security antipatterns.
- GlitchTip telemetry (via sentry-sdk wire-compat client) is configured to scrub personal information from
error reports (
send_default_pii=False). Stack traces, request IDs, and request paths are sent to GlitchTip; request bodies, headers carrying authentication tokens, and email addresses are not.
No system is perfectly secure. If you discover a vulnerability, email [email protected] with details. We acknowledge within 72 hours.
10. Changes to this Policy
We may update this Policy by posting a new version at this URL with an
updated Last updated date and Version number. Material changes will be
emailed to the address on file at least 30 days before they take effect.
The latest version is always at https://docs.buildcalcapi.dev/docs/legal/privacy.
11. Roadmap for retention enforcement and subject-rights automation
We are working toward automated enforcement of the retention windows in §5 (currently they are policy commitments, not all enforced via scheduled jobs). Specifically:
- Automated cleanup of
api_keys.owner_email30 days after key revocation - Automated cleanup of
api_keys.owner_email18 months after account close or last activity - Self-service
POST /v1/account/deleteandPOST /v1/account/correctendpoints (in addition to the existingPOST /v1/account/exportflow)
Until these automations are in place, the rights in §6 remain fully
available via [email protected], with the same 45-day SLA. Our
internal manual-procedure playbook is on file with Legal/Compliance.
12. Contact
| Purpose | |
|---|---|
| Privacy requests (CCPA / other) | [email protected] |
| Security disclosure | [email protected] |
| Support | [email protected] |
NF Nation LLC, a New Mexico limited liability company 1209 Mountain Road Pl NE, Ste R Albuquerque, NM 87110
Terms of Service
BuildCalc API Cloud Service Agreement. Plain-language business terms first, lawyer-vetted legalese below (Common Paper CSA v2.1, CC-BY 4.0).
Codes methodology
How BuildCalc API curates US construction code metadata (IRC + IBC + NEC + IECC + IPC) — the legal framework, hand-curation process, dual-edition strategy, and 6 known limitations every caller should understand.