Security & privacy

Boring infrastructure, serious about it.

We're a Swiss company subject to revFADP. Privacy isn't a marketing line - it's the law we already operate under. Here's how we handle your data and how we'd handle a security incident.

  • GDPR: EU General Data Protection Regulation
  • revFADP: Swiss Federal Act on Data Protection (2023)
  • CCPA / CPRA: California consumer privacy
  • SOC 2 (in progress): Type I targeted Q4 2026

Four pillars

How we secure your account, your keys, and your data.

Encryption

Every byte in transit is TLS 1.3. Every byte at rest is AES-256. Keys live in a managed KMS - never in env vars, never in source.

  • TLS 1.3 enforced on all API and dashboard endpoints
  • AES-256 at rest in Convex storage
  • Database backups encrypted with rotating keys

Authentication & keys

Bearer tokens with a `biz_live_` prefix. Hash-only storage. One-click rotation. No password reset means no token leak.

  • Tokens hashed (SHA-256) at rest - never recoverable in plaintext
  • Revoke and rotate from the dashboard, no downtime
  • Auth via Clerk: SSO, MFA, social, passkey
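
The hash-only storage and rotate-then-revoke flow described above, as an added example (not the vendor's code). Only the `biz_live_` prefix and SHA-256 come from this page; the `TokenStore` class, its in-memory table and the 32-byte token length are assumptions made for illustration.

```python
import hashlib
import secrets

PREFIX = "biz_live_"  # prefix named on the page


def _digest(token: str) -> str:
    """SHA-256 hex digest: the only form of the token that is stored."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """Hypothetical in-memory stand-in for a key table; holds digests only."""

    def __init__(self):
        self._by_digest = {}  # sha256 hex -> {"org": str, "revoked": bool}

    def issue(self, org_id: str) -> str:
        # 32 random bytes (assumed length). The token is high-entropy, so an
        # unsalted fast hash is adequate here, unlike for human passwords.
        token = PREFIX + secrets.token_urlsafe(32)
        self._by_digest[_digest(token)] = {"org": org_id, "revoked": False}
        return token  # returned to the caller once, never persisted

    def verify(self, presented: str):
        """Return the owning org for a live token, else None."""
        if not presented.startswith(PREFIX):
            return None
        record = self._by_digest.get(_digest(presented))
        if record is None or record["revoked"]:
            return None
        return record["org"]

    def rotate(self, old_token: str):
        """Issue the replacement first, then revoke the old key."""
        org = self.verify(old_token)
        if org is None:
            return None
        new_token = self.issue(org)
        self._by_digest[_digest(old_token)]["revoked"] = True
        return new_token

    def stored_values(self):
        """What a database dump would expose: digests, not tokens."""
        return list(self._by_digest)
```

Because the table is keyed by digest, a leaked dump yields nothing that can be replayed as a bearer token, and a lost key can only be replaced, not recovered.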

Isolation

Tenant data is scoped at the database layer. No shared state across customers, no cross-tenant query paths.

  • Per-tenant Convex namespacing on every read & write
  • Job results readable only by the org that requested them
  • Per-key analytics never leave the owning workspace

Compliance

Swiss revFADP, EU GDPR, and California CCPA - covered in a single DPA. Every legal document is public in our Git history.

  • DPA signed pre-paywall on Pro and above
  • Subprocessor list public; 30-day notice on changes
  • SOC 2 Type I targeted Q4 2026 (Type II following)

Your data

What we collect - and what we don't.

What we collect

API request metadata (timestamp, endpoint, status), the search payload, and the result set. We do not log bearer tokens or response bodies after delivery.

What we don't

We do not sell personal data. We do not surface private contact details. We do not train on customer payloads. We honor Global Privacy Control headers.

Your rights

Access, rectification, erasure, and portability - for any subject mentioned in your search results. Submit a DSAR via the dashboard or to our DPO.

Retention

Cached results expire 30 days after a job completes. Account data persists until you delete your workspace, then is hard-deleted within 30 days.

Incident response

If something breaks - or breaks in.

Suspected vulnerability? Email info@bizcollect.dev. We acknowledge within 24 hours and aim to triage critical reports within 72.

In the event of a confirmed personal-data incident, we notify affected customers within 72 hours per Art. 24 revFADP / Art. 33 GDPR - with what was affected, what we know, and what we're doing about it. No silence, no spin.

Trust, but verify.

Pull the OpenAPI spec, audit our subprocessor list, read every policy in our public Git history. Then ship.

No credit card required. 100 free requests / month. Cancel anytime.