Privacy Policy

Last updated: February 11, 2026

Introduction

Actyra (“we,” “us,” or “our”) operates the Actyra Open platform at open.actyra.com. This Privacy Policy describes what information we collect, how we use it, and your rights regarding that information.

We practice what we preach. As a platform that analyzes software data collection practices, we hold ourselves to the highest standard of data minimization and transparency.

Information We Collect

Account Information (if you register)

  • Email address — Used for authentication and account recovery
  • Password — Stored as a bcrypt hash; we never store plaintext passwords
  • Account tier — Your access level (public, researcher, archive)

Billing Information (if you subscribe)

  • Stripe Customer ID — A reference to your Stripe account
  • Subscription status — Active, cancelled, or past due

Payment card details are collected and processed entirely by Stripe. We never see, store, or have access to your card number, CVV, or expiration date.

API Keys (if you create them)

  • API key hash — SHA-256 hash of the key (we do not store the key itself after creation)
  • Key prefix — First 8 characters, for identification purposes
  • Key name — A label you choose

Automatically Collected Information

  • IP address — Processed by Cloudflare for DDoS protection and rate limiting; not logged by our application
  • Request metadata — HTTP method, URL path, and response status code for API rate limiting

Information We Do Not Collect

We want to be explicit about what we do not collect:

  • No analytics or tracking scripts (no Google Analytics, no Mixpanel, no Segment)
  • No advertising trackers or pixels
  • No device fingerprinting
  • No third-party cookies
  • No browsing history or referrer tracking
  • No geolocation data beyond what Cloudflare processes for CDN routing
  • No social media login or data sharing

How We Use Information

DataPurposeLegal Basis (GDPR)
EmailAuthentication, account recoveryContract (Art. 6(1)(b))
Password hashAuthenticationContract (Art. 6(1)(b))
Stripe Customer IDBilling and subscription managementContract (Art. 6(1)(b))
API key hashAPI authenticationContract (Art. 6(1)(b))
IP addressDDoS protection, rate limitingLegitimate interest (Art. 6(1)(f))

Third-Party Services

We use a minimal set of third-party services:

Cloudflare

CDN, DDoS protection, DNS, Workers (API hosting), D1 (database), Pages (static hosting). Cloudflare processes IP addresses for security purposes. Cloudflare Privacy Policy

Stripe

Payment processing for paid subscriptions. Stripe collects payment card information directly; we never handle card data. Stripe Privacy Policy

We do not use any analytics services, advertising networks, or social media integrations.

Data Retention

  • Account data — Retained until you delete your account
  • API keys — Retained until revoked by you or account deletion
  • Billing records — Retained as required by tax and accounting law (typically 7 years)
  • Server logs — Cloudflare retains access logs per their retention policy; we do not maintain separate logs

Your Rights

Depending on your jurisdiction, you may have the following rights:

Under GDPR (EU/EEA residents)

  • Access (Art. 15) — Request a copy of your personal data
  • Rectification (Art. 16) — Correct inaccurate data
  • Erasure (Art. 17) — Request deletion of your data
  • Portability (Art. 20) — Receive your data in a machine-readable format
  • Objection (Art. 21) — Object to processing based on legitimate interest
  • Complaint — Lodge a complaint with your local supervisory authority

Under CCPA (California residents)

  • Know — Know what personal information we collect
  • Delete — Request deletion of personal information
  • Non-discrimination — Not be discriminated against for exercising your rights
  • Opt-out of sale — We do not sell personal information

To exercise any of these rights, contact us at privacy@actyra.com. We will respond within 30 days.

Data Security

We implement the following security measures:

  • All data in transit is encrypted via TLS 1.3
  • Passwords are hashed using bcrypt with per-user salt
  • API keys are stored as SHA-256 hashes (not reversible)
  • JWTs are signed with HMAC-SHA256 and expire after 7 days
  • Database access is restricted to authenticated Cloudflare Workers
  • No plaintext credentials are stored in our systems

Cookies

Actyra Open does not set any first-party cookies. Authentication state is managed client-side via localStorage (JWT tokens). Cloudflare may set security-related cookies (e.g., __cf_bm) for bot detection purposes.

International Transfers

Actyra is based in the United States. If you access Actyra Open from outside the U.S., your data will be transferred to and processed in the U.S. Cloudflare's global network may process requests at edge locations in your region before routing to our origin servers.

Children's Privacy

Actyra Open is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

Changes to This Policy

We will update this policy as needed to reflect changes in our practices or legal requirements. Material changes will be noted with an updated “Last updated” date at the top of this page. We encourage you to review this page periodically.

Contact

For privacy-related inquiries: