Privacy Policy — goldprice.dev
Version 0.1.1 · Effective Date: 2026-05-01
1. Who We Are
This Privacy Policy describes how Nusantara Ventures LLC ("we", "us", "our"), a Delaware limited liability company with registered office at 1401 Pennsylvania Avenue STE 105 1776, Wilmington, DE 19806, USA, handles personal information in connection with the goldprice.dev website, API, Model Context Protocol server, and related services (collectively, the "Service"). Questions about this Policy: support@goldprice.dev.
2. Scope
This Policy covers personal information we collect from visitors to our website, subscribers to our Service, recipients of our marketing communications, and individuals who contact our support team. It does not cover data we aggregate from public reference sources to produce commodity pricing data — that data is not personal information and is governed by our Terms of Service and methodology document.
3. What We Collect
Account information. Email address, chosen tier, Stripe customer identifier, and API key metadata (prefix + usage timestamps, never plaintext keys — those are hashed on receipt).
Payment information. We do not store credit-card numbers or payment-method details. Stripe processes all payments and retains this information under its own privacy policy. We receive only billing address, tax identifier (if provided), last four digits of the payment method for reference, and transaction status.
Usage data. API request metadata (timestamp, endpoint, response status, response time, rate-limit bucket). Aggregated anonymously after 90 days for abuse detection and service improvement.
Support data. Messages you send to support@goldprice.dev including content, subject, attachments, and metadata. Support drafts may be processed by third-party AI providers (see Section 7).
Website analytics. Minimal technical metadata (IP address, user agent, referrer) via our CDN and error-tracking providers. We do not operate advertising trackers, behavioral-targeting pixels, or session-recording tools.
4. How We Use It
- Operate and maintain the Service (authentication, rate limiting, billing reconciliation)
- Send transactional communications (receipts, invoices, dunning, account notifications)
- Respond to support inquiries and improve our documentation
- Detect abuse, enforce rate limits, and investigate security incidents
- Send marketing communications only after explicit opt-in (unsubscribe in every message)
- Comply with legal obligations (tax, law-enforcement requests with valid process)
We do not sell personal information. We do not share personal information with advertisers. We do not use personal information to train third-party AI models; our AI-assisted support providers operate under zero-retention terms (see Section 7).
5. Legal Bases (EU / UK / California)
For EU/UK residents, we process personal information under these GDPR bases: (a) contract performance — to provide the Service you subscribed to; (b) legitimate interests — to detect abuse, improve the Service, and market to existing customers; (c) consent — for optional marketing communications; (d) legal obligation — for tax records and law-enforcement requests.
For California residents (CCPA/CPRA), the categories we collect are Identifiers, Commercial Information, Internet Activity, and Professional Information. You have the rights described in Section 8.
6. Retention
- Account data (email, Stripe identifiers, API key metadata): for the duration of your account plus 90 days after closure, except where longer retention is required by law (tax records typically 7 years).
- Support tickets and AI-assisted draft history: 18 months from the date of the last message in the thread, then auto-purged.
- API request metadata: 90 days in identifiable form, aggregated-anonymous thereafter for capacity planning.
- Billing records: retained per tax law requirements in applicable jurisdictions (typically 7 years).
- Canceled subscriptions: your organization record and API key persist at Free tier indefinitely unless you exercise your right to delete (see Section 8); we do not auto-revoke on cancellation per our cancellation retention design.
7. Subprocessors and International Transfers
We rely on third-party subprocessors to operate the Service. The current list is maintained at /privacy/subprocessors and updated when subprocessors change. Notable categories:
- Payments: Stripe, Inc. (US)
- Database + auth: Supabase (US region)
- Application hosting: Fly.io, Inc. (US)
- Cache + rate-limit storage: Upstash, Inc. (US)
- Transactional and marketing email: Resend, Inc. (US)
- Error tracking: Sentry, Inc. (US)
- CDN + DNS: Cloudflare, Inc. (global edge)
- AI-assisted support drafts (zero-retention terms): Anthropic, PBC and Google LLC
For EU/UK data transfers to US-based subprocessors, we rely on Standard Contractual Clauses and the subprocessor's own adequacy mechanisms (e.g., Data Privacy Framework certification where applicable).
AI-assisted support specifics. When you email support@goldprice.dev, your message content may be sent to Anthropic's API (primary) or Google's Gemini API (fallback) to generate draft responses for human review. Both providers operate under zero-retention terms for API inputs — your content is not used to train their models and is not retained beyond the inference call. A human reviews and approves all draft responses before they are sent. By contacting support, you consent to this processing. Sensitive inquiries (security, billing disputes, legal matters) bypass AI triage.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Delete your personal information, subject to legal retention requirements
- Export your information in a machine-readable format
- Object to processing based on legitimate interests
- Restrict processing while a dispute is resolved
- Withdraw consent for marketing communications (use the unsubscribe link in any marketing email)
- Not be discriminated against for exercising these rights (California)
To exercise any right, email support@goldprice.dev with the subject prefix [PRIVACY]. We respond within 30 days for most requests and will verify your identity before acting on account-specific requests.
You may also lodge a complaint with a supervisory authority if you believe we have violated applicable privacy law. For EU residents, this is the data protection authority in your country. For UK residents, this is the Information Commissioner's Office.
9. Security
We protect personal information using industry-standard measures:
- Payment information is handled exclusively by Stripe (PCI-DSS Level 1).
- API keys are stored as SHA-256 hashes; plaintext keys are never retained after the one-time reveal on /onboarding.
- Data at rest is encrypted via our hosting providers' disk encryption.
- Data in transit uses TLS 1.2 or higher.
- Access to production systems is limited to named individuals with multi-factor authentication.
- We monitor for security incidents via Sentry and log anomalies for review.
No security system is perfect; you are responsible for keeping your API keys confidential and notifying us at support@goldprice.dev with subject prefix [SECURITY] within 24 hours of any suspected compromise.
10. Children
The Service is not directed to children under 16 (EU / UK) or 13 (US). We do not knowingly collect personal information from children. If you believe a child has provided information, email us at support@goldprice.dev and we will delete the record.
11. Marketing Communications
We send marketing emails only to subscribers who explicitly opted in via a signup form, checkout flow with a marketing-consent checkbox, or an in-product newsletter subscription (Gold Brief). Every marketing email includes an unsubscribe link that takes effect immediately. Transactional emails (account notifications, billing, support responses) are operationally necessary and cannot be opted out of while your account is active.
12. Cookies and Similar Technologies
We use strictly-necessary cookies for authentication and rate-limit session management. We do not use advertising cookies, retargeting pixels, or cross-site tracking. You may clear or block cookies via your browser; doing so may affect parts of the Service that depend on authenticated session state.
13. Changes to This Policy
We may revise this Policy. Material changes will be communicated via email to the address on your account at least 30 days before they take effect. Archived versions are available at /privacy/archive. Continued use after the effective date constitutes acceptance.
14. Contact
For privacy inquiries:
Nusantara Ventures LLC
1401 Pennsylvania Avenue STE 105 1776, Wilmington, DE 19806, USA
Email: support@goldprice.dev with subject prefix [PRIVACY]