Legal
Privacy Policy
Effective Date: May 18, 2026 Last Updated: May 18, 2026
1. Introduction
corsproxy.dev ("Service") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.
2. Data We Collect
2.1 Account Information
When you register for an account, we collect:
- Email address
- Password (hashed using PBKDF2, never stored in plaintext)
- Account creation date
- Email verification status
- API key generation timestamps
2.2 API Keys
- API Key identifier (sklive...)
- API Key hash (SHA-256)
- Creation timestamp
- Last used timestamp
- Key name (optional, user-provided)
- Revocation status
2.3 Request Data
When you make requests through the Service, we log:
- Target URL
- HTTP method (GET, POST, etc.)
- Client IP address
- User-Agent header
- Request timestamp
- Response status code
- Response time
- Request/Response body size
- Associated user ID and API key
2.4 Usage Analytics
- Daily request counts per user
- Daily request counts per API key
- Rate limit checks and violations
- Account status and plan information
2.5 Technical Data
- Server logs
- Error messages and stack traces (for debugging)
- Performance metrics
- Service uptime data
3. How We Use Your Data
3.1 Service Operation
- To authenticate users and validate API keys
- To enforce rate limits and track usage
- To provide the proxy functionality
- To maintain and improve the Service
- To prevent abuse and unauthorized access
3.2 Security and Compliance
- To detect and prevent fraud
- To detect and prevent security breaches
- To enforce our Terms of Service
- To comply with legal obligations
- To investigate and resolve disputes
3.3 Analytics and Improvement
- To understand usage patterns
- To identify service issues and bugs
- To plan infrastructure improvements
- To develop new features
- To monitor service performance
3.4 Communication
- To send important account notifications
- To send security alerts
- To respond to support requests
- To send product updates (with opt-out option)
4. Data Retention
4.1 Account Data
- User account information is retained as long as the account is active
- After account deletion, data is retained for 30 days before permanent deletion
- Deleted data cannot be recovered after permanent deletion
4.2 API Keys
- API key metadata is retained as long as the key is active
- Revoked keys are retained for 90 days, then deleted
- Key hashes are never deleted to prevent key reuse
4.3 Request Logs
- Request logs are retained for 30 days
- Logs are automatically purged after 30 days
- Log data may be aggregated for analytics beyond the 30-day period
4.4 Usage Analytics
- Daily usage counters are retained for 7 days (active tracking)
- Monthly aggregates are retained for 1 year
- Trend data is retained indefinitely (anonymized)
5. Data Security
5.1 Encryption
- Passwords are hashed using PBKDF2 with 100,000 iterations and SHA-256
- API keys are hashed using SHA-256 before storage
- Data in transit uses HTTPS/TLS 1.3+
- Sensitive data is masked in logs
5.2 Access Controls
- Access to data is restricted to authorized personnel
- API keys require proper authentication
- User sessions expire after 24 hours
- All access is logged for audit purposes
5.3 Infrastructure Security
- We use Cloudflare Workers for edge computing security
- We use Cloudflare KV for encrypted at-rest data storage
- Regular security audits and vulnerability assessments
- Incident response procedures in place
6. Third-Party Services
6.1 Cloudflare
- The Service runs on Cloudflare's global edge network (Cloudflare Workers, Workers KV, and Durable Objects). Cloudflare operates ~300 points of presence worldwide; your requests are processed at whichever PoP is nearest you.
- As our infrastructure provider, Cloudflare acts as a sub-processor and has access to data necessary to operate the Service.
- Our use of Cloudflare is governed by Cloudflare's Data Processing Addendum (DPA), which incorporates the EU Standard Contractual Clauses (SCCs) for personal data of EU/UK/Swiss subjects.
- Cloudflare's Privacy Policy: https://www.cloudflare.com/privacy/
- Cloudflare's sub-processor list and DPA: https://www.cloudflare.com/trust-hub/
6.2 Proxied Requests
- When you proxy requests to third-party services, those services may receive:
- Your request headers and body
- Your client IP address (unless anonymized)
- Any authentication credentials included in your request
- We are not responsible for third-party privacy practices
- You are responsible for complying with third-party terms and privacy policies
6.3 Email Service (Future)
- We may use SendGrid, Mailgun, or AWS SES for sending emails
- These services may process your email address
- Their privacy policies apply to email processing
7. Your Rights
7.1 Access
- You can access your account data through the dashboard
- You can download your data in a standard format upon request
7.2 Correction
- You can update your account information in the dashboard
- You can change your password at any time
- You can update your API key names
7.3 Deletion
- You can delete your account and all associated data
- Account deletion is permanent and cannot be undone
- Deletion is processed within 30 days
7.4 Portability
- You can request a copy of your data in machine-readable format
- We will provide your account information, API key metadata, and usage history
7.5 Opt-Out
- You can opt out of promotional emails
- You can opt out of analytics tracking (except security-critical tracking)
- You cannot opt out of essential service communications
8. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect information from children under 13. If we become aware that we have collected such information, we will delete it immediately.
9. International Data Transfers
The Service operates on Cloudflare's global edge network. Your data may be processed and replicated across Cloudflare's points of presence worldwide, including data centres inside and outside the European Economic Area, in order to deliver low-latency access from your location.
We do not maintain our own servers; all storage (Workers KV, Durable Objects) and compute (Cloudflare Workers) is operated by Cloudflare. Cloudflare provides EU Standard Contractual Clauses (SCCs) and a UK International Data Transfer Addendum as part of its Data Processing Addendum, which we have accepted. By using the Service, you consent to your data being transferred and processed on Cloudflare's infrastructure under those safeguards.
If you require a copy of the Cloudflare DPA or have specific data-residency requirements, contact us at contact@corsproxy.dev.
10. California Privacy Rights (CCPA)
California residents have the right to:
- Know what personal information is collected, used, and shared
- Access and delete their personal information
- Opt out of the sale or sharing of personal information
- Non-discrimination for exercising their privacy rights
To exercise these rights, contact us at privacy@corsproxy.dev
11. European Privacy Rights (GDPR)
If you are in the European Union, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure of your data
- Restrict processing of your data
- Data portability
- Object to processing
- Lodge a complaint with your supervisory authority
To exercise these rights, contact us at privacy@corsproxy.dev
12. Changes to Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or applicable laws. We will notify you of material changes by:
- Posting the updated policy with a new effective date
- Notifying you via email if the changes significantly affect your rights
Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
13. Contact Us
For privacy-related questions or requests, contact us at:
- Email: privacy@corsproxy.dev
- Address: corsproxy.dev, Internet
- GitHub: https://github.com/melihbirim/devproxy-v01
14. Data Protection Officer
For GDPR-related inquiries, contact our Data Protection Officer at:
- Email: dpo@corsproxy.dev
15. Compliance
This Privacy Policy complies with:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Children's Online Privacy Protection Act (COPPA)
- Canada's PIPEDA
- Other applicable privacy laws
16. Additional Privacy Measures
16.1 Logging Best Practices
- Sensitive headers are masked in logs (Authorization, X-API-Key, etc.)
- Request bodies are truncated to 1000 characters in logs
- Personal identifying information is minimized in logs
16.2 Retention Minimization
- We only retain data for as long as necessary
- Automatic data purging is enabled for all systems
- Users can request early deletion
16.3 Audit Logging
- All data access is logged
- Access logs are monitored for suspicious activity
- Quarterly access log reviews are performed
Last Updated: May 18, 2026