Privacy Policy

Wardline ("we", "us", "our") operates the Cloak API service. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information. By using the Service, you agree to the practices described here.

Account information: When you sign up, we collect your email address. We do not collect your name, phone number, or payment card details unless you contact us for a paid plan.

API usage metadata: We log every API request, including the endpoint called, response time, HTTP status code, and approximate request size (character count). We do not log the raw text content of your requests.

Detection metadata: We record the types of PII entities detected (e.g., EMAIL, PHONE, AADHAAR) and confidence scores. The actual text matched is not stored.

API keys: We store a SHA-256 hash of your API key. The raw key is shown once and never stored.

• To authenticate your requests and enforce quotas.
• To display usage statistics in your dashboard.
• To send important service notifications (outages, policy changes).
• To improve the accuracy and performance of the detection model.
• To comply with legal obligations.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

Text you send to /api/v1/detect is forwarded to our inference server for real-time PII detection. This text is processed in memory and is not persisted to any database. Only the detected entity types and confidence scores are stored — never the source text.

You should not send text containing genuine credentials, passwords, or highly sensitive regulated data beyond what is necessary for your integration testing.

• Account data: Retained while your account is active and for up to 90 days after deletion.
• API logs: Request metadata is retained for up to 12 months for quota calculation and analytics.
• Detection records: Entity type logs are retained for up to 12 months.
• API key hashes: Deleted immediately upon key revocation.

The Cloak API dashboard uses Firebase Authentication, which stores session tokens in browser local storage. We do not use third-party advertising cookies or analytics trackers. No cross-site tracking occurs.

We use the following third-party infrastructure:

• Firebase (Google): Authentication and Firestore database. Governed by Google's Privacy Policy.
• Vercel: Hosting and serverless functions. Governed by Vercel's Privacy Policy.
• Hugging Face: ML model inference. Text sent to the API is forwarded to a private Hugging Face Space. Hugging Face's Privacy Policy applies.

We implement industry-standard security practices: API keys are hashed with SHA-256, all data is transmitted over HTTPS (TLS 1.2+), Firestore access is protected by server-side security rules, and Admin SDK credentials are stored as environment variables and never exposed to clients. Despite these measures, no system is completely secure — use strong, unique passwords and revoke unused API keys.

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of the data we hold about you.
• Correction: Request correction of inaccurate data.
• Deletion: Request deletion of your account and associated data.
• Portability: Request your data in a machine-readable format.
• Objection: Object to certain processing activities.

To exercise any of these rights, email us at nithish@wardline.co. We will respond within 30 days.

The Service is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If we become aware that we have collected such information, we will delete it promptly.

We may update this Privacy Policy periodically. We will notify you via the email address on your account at least 14 days before material changes take effect. The effective date at the top of this page indicates when it was last revised.

For privacy-related inquiries or to exercise your rights, contact us at: nithish@wardline.co