Privacy Policy

Last updated: June 2026

1. Account data

When you create an xfinlink account, we collect your email address and store a securely hashed password. If you sign in via Google or GitHub, we receive the profile information those providers share (typically your name and email). This data is used solely for authentication and account management. We do not sell or share it with third parties.

2. What we log

For rate limiting and aggregate analytics, each API request generates a log entry containing:

• An IP-derived hash (SHA-256, one-way — not reversible to your IP address)
• Request timestamp
• Tickers queried
• Response time (milliseconds)
• HTTP status code

These logs are used exclusively for enforcing rate limits and understanding aggregate usage patterns (e.g., which endpoints are most popular). They are never used to identify individual users.

3. Cookies and tracking

xfinlink does not use cookies or browser fingerprinting. We do not use Google Analytics, Mixpanel, Segment, or similar analytics platforms.

We use the Reddit Pixel, a lightweight conversion-tracking script provided by Reddit, to measure the effectiveness of our advertising campaigns on Reddit. The pixel fires a page-visit event on every page load and may fire additional events (e.g., when you view our pricing page or create an account). Reddit may use this data to show you relevant ads on its platform. You can opt out of Reddit interest-based advertising in your Reddit privacy settings. No other advertising trackers are present on any xfinlink page or endpoint.

4. No data sales

We do not sell, rent, or share any logged data with third parties. Period.

5. Data retention

Raw API request logs are aggregated after 30 days into anonymous summary statistics (e.g., daily request counts per endpoint). The raw log entries are then deleted. Aggregated statistics contain no IP hashes or other identifiers.

6. GDPR compliance

xfinlink is designed to be GDPR-compliant by default. We minimize data collection, process only what is necessary for rate limiting, and do not store personally identifiable information. The one-way IP hashes we store cannot be reversed to identify you. If you believe any data we hold relates to you and wish to exercise your rights under GDPR, contact us and we will address your request.

7. Changes to this policy

We may update this policy as our practices evolve. Changes will be reflected on this page with an updated date.

8. Contact

Privacy questions? Email hello@xfinlink.com.