Privacy Policy — NYC API
Effective Date: March 29, 2026
This Privacy Policy describes how Matchup Labs (“we,” “us,” or “our”) collects, uses, and protects information when you use the NYC API platform and related services. We are committed to transparency and minimizing the data we collect. By using NYC API, you agree to the practices described in this policy.
1. Information We Collect
We collect only the information necessary to provide, secure, and improve our services:
- Account email address — provided during registration. Used for authentication, account recovery, and service communications.
- Payment information — processed entirely through Stripe. We do not store credit card numbers, CVVs, or full card details on our servers. Stripe handles all payment data in compliance with PCI-DSS standards.
- API usage logs — including request timestamps, endpoints called, response status codes, and request volume. These logs are associated with your API key, not your personal identity.
2. How We Use Your Information
The information we collect is used for the following purposes:
- Service delivery — authenticating your account, issuing and validating API keys, and delivering API responses.
- Billing — processing subscription payments, generating invoices, and managing plan upgrades or downgrades through Stripe.
- Usage analytics — monitoring aggregate API usage to improve performance, plan capacity, and inform product development. Analytics are aggregated and not used to profile individual users.
- Abuse prevention — detecting and mitigating rate limit violations, unauthorized access attempts, and other forms of platform abuse.
3. What We Don't Collect
We do not collect, store, or log any personal data from the content of your API queries. When you query an address, property, restaurant, or any other entity through our endpoints, we do not retain the query parameters or response payloads beyond the immediate request lifecycle. All API queries are stateless — we process the request, return the result, and discard the query content. The only metadata retained is the usage log (endpoint, timestamp, status code) for billing and analytics purposes.
4. Third-Party Services
We rely on the following third-party services to operate NYC API. Each has its own privacy policy governing its handling of data:
- Stripe — payment processing and subscription management. Stripe receives your payment details directly and operates under PCI-DSS compliance.
- Supabase — authentication, database, and account management. Supabase stores your email and hashed authentication credentials.
- Vercel — application hosting and edge delivery. Vercel processes HTTP requests and may collect standard server logs (IP addresses, user agents) as part of its infrastructure.
- NYC Open Data — the primary upstream data source for our API responses. All data returned by NYC API originates from publicly available NYC government datasets. We do not send any of your personal information to NYC Open Data.
5. Data Retention
We retain data only as long as necessary for the purposes described in this policy:
- API usage logs are retained for 90 days, after which they are automatically purged. Aggregated, anonymized usage statistics may be retained indefinitely for capacity planning.
- Account data (email, API keys, subscription status) is retained for as long as your account remains active. Upon account deletion, all associated data is permanently removed within 30 days.
6. Your Rights
You have the following rights regarding your data:
- Delete your account — you may request full account deletion at any time. This will revoke all API keys, cancel any active subscription, and permanently remove your data from our systems.
- Export your data — you may request an export of your account information and usage history by contacting us at the email below.
- Contact us — for any privacy-related questions, concerns, or requests, reach out to us directly. We aim to respond to all privacy inquiries within 5 business days.
7. Cookies
NYC API uses minimal cookies strictly for authentication session management. When you log in to the dashboard, a session cookie is set to maintain your authenticated state. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. There are no cookie banners because there is nothing to consent to beyond essential session functionality.
8. Contact
If you have questions about this Privacy Policy or wish to exercise any of your rights described above, please contact us at:
This policy may be updated from time to time. We will notify registered users of material changes via email. Continued use of NYC API after changes constitutes acceptance of the revised policy.