Privacy & Data Handling

What we collect, what we never store, where we host, and how to exercise your rights.

The short version

  • We collect the minimum needed to run the service: your email, billing details (handled by Stripe, we never see your card number), your IP and basic request metadata, and your API usage logs.
  • We do not store your Reddit account password. When you connect a Reddit account, your password is used once to obtain a session, then dropped.
  • You can request access, correction, deletion, or export at any time by emailing emma@redditapis.com. We respond within 30 days.
  • Primary hosting and database are in the EU (Frankfurt). Payment processing is in the US. Named subprocessors are listed in §4.1.
  • Strictly-necessary cookies only. No Facebook Pixel, Google Ads, LinkedIn Insight, or TikTok Pixel.

About

Who we are and what this policy covers.

01

Who we are

The data controller for redditapis.com is the entity that operates the service. For data-protection questions, contact emma@redditapis.com.

What We Collect

Five categories of data, the minimum to run the service.

02

What we collect

We do not store your Reddit account password.

2.1 Account data

  • Email address.
  • A hashed password managed by our auth provider.
  • Display name if you set one.

2.2 Billing data

Handled by Stripe. We never see your full card number, expiry, or CVC. Stripe shares the last 4 digits, brand, country of issuance, and a customer ID. For crypto payments we store the on-chain transaction hash for receipt purposes only. We do not store private keys, seed phrases, or wallet credentials.

2.3 Reddit credentials

When you authenticate through /api/reddit/login:

  1. Your Reddit username and password are received over TLS.
  2. We exchange them with Reddit to obtain a session.
  3. The password is dropped after the exchange. It is not persisted in our database.
  4. The Reddit session is stored encrypted and can be revoked from your account settings.

2.4 API usage logs

For every request we record:

  • Endpoint, HTTP status, response size, timestamp.
  • The IP address and User-Agent string.

We do not record:

  • The body of your request or response.
  • The text content of comments or messages you submit.
  • The text of search queries you run through the API.

2.5 Communications

Emails and Telegram messages are retained for three years after your last interaction, then deleted.

03

How we use what we collect

  1. To run the service: authentication, request routing, session management, rate limiting.
  2. To bill you: Stripe customer record, invoice generation, tax compliance.
  3. To secure the service: detect abuse, block credential stuffing, investigate incidents, comply with lawful requests.
  4. To communicate with you: service notices, security advisories, billing receipts. No marketing email without a separate opt-in.
  5. To comply with the law: tax retention, abuse-reporting obligations, lawful requests.

04

Who we share data with

4.1 Our subprocessors

Subprocessor     Purpose
Stripe           Payment processing
Cloudflare       DDoS and edge protection
Hetzner Cloud    Compute and hosting
Supabase         Database, auth, encrypted session storage

4.2 Reddit, Inc.

When you use our API to interact with Reddit, your own Reddit account credentials and request data are sent to Reddit. We are not affiliated with, endorsed by, or sponsored by Reddit, Inc.

4.3 What we never do

  • We do not sell personal data.
  • We do not share the content of your Reddit communications with anyone other than Reddit itself.
  • We do not share your password. We do not have it after the login exchange.

4.4 Government and law enforcement

We disclose data only when served with a binding legal request from a jurisdiction with authority over us, after reviewing it for facial validity and overbreadth. We notify you unless prohibited by law.

Transfers & Retention

Where data lives and how long we keep it.

05

International transfers

Primary hosting and the database both sit in the EU (Frankfurt). Payment processing happens in the US. Our edge network is global. The named subprocessors that run each function are listed in §4.1.

For transfers out of the EEA/UK we rely on the European Commission's Standard Contractual Clauses (2021/914) and supplementary measures, including encryption in transit and at rest.

06

How long we keep your data

Category                  Retention
Account data              Until you close your account, plus 30 days
Billing records           7 years (tax compliance)
Reddit session tokens     Until revoked or expired
API usage logs            90 days hot, 12 months cold
Support correspondence    3 years from last interaction

Your Rights

What you can ask us to do with your data.

07

Your rights

You can ask us to:

  • Access: get a copy of the personal data we hold.
  • Correct: fix data that is inaccurate or incomplete.
  • Delete: subject to legal retention obligations.
  • Restrict: limit how we use your data while we investigate a dispute.
  • Port: JSON or CSV.
  • Object to legitimate-interest processing.
  • Withdraw consent at any time.

Email emma@redditapis.com. We respond within 30 days (less if your jurisdiction requires). We may ask you to verify your identity.

GDPR / UK GDPR: plus the right to lodge a complaint with your local supervisory authority.

CCPA / CPRA (California): we do not "sell" or "share" personal information, so there is nothing to opt out of. We honor Global Privacy Control (GPC) signals.

India DPDP Act 2023: plus nomination rights (DPDP §14) and grievance redressal.

Exercising rights is free. We may charge or refuse only where requests are manifestly unfounded or excessive, and we will explain.

08

Children

Our service is not directed at children. We do not knowingly collect personal data from anyone under 16 years of age. If a child has provided data, email emma@redditapis.com and we will delete it. You must also be old enough to have a Reddit account under Reddit's own age requirements.

Cookies & Security

What we set, and how we protect what we hold.

09

Cookies and similar technologies

We use strictly-necessary cookies for session and CSRF protection, plus a cookie that remembers your consent choices. Analytics are server-side, with no third-party ad pixels. No Facebook Pixel, Google Ads, LinkedIn Insight, or TikTok Pixel.

Stripe and Cloudflare may set their own cookies on checkout and when challenging suspicious traffic. Those are governed by their own policies.

Change consent at any time via the Cookie preferences link in the site footer.

10

Security

We do not store your Reddit account password. We use TLS in transit. Data at rest is encrypted by our hosting and database providers per their published practices (see §4.1 for the named subprocessors). Production access is restricted to named operators with ed25519 SSH keys and passphrases (no password authentication, no shared credentials).

We do not currently carry Tech-E&O insurance. We disclose this and price the service accordingly.

If you find a vulnerability, email emma@redditapis.com with reproduction steps. Please do not test against accounts you do not own, do not attempt to access other customers' data, and do not run automated scanners against production endpoints.

We notify affected customers and the relevant regulator within 72 hours of becoming aware of a breach, where required by law.

Acceptable use: the rules that govern your use of the API live in our Terms of Service §6.

Changes & Contact

How we update this policy and how to reach us.

11

Changes to this policy

For material changes, we email all active customers at least 30 days before the change takes effect and keep the prior version at /legal/archive/privacy-<YYYY-MM-DD>.html.

Continued use after the effective date constitutes acceptance. If you do not accept, you may close your account before the effective date.

Questions about how we handle your data?

Reach us on Telegram

Last updated: May 2026