Privacy Policy

What this Policy covers

• Account registration, login, password reset, and profile management.
• Community contributions such as API submissions, listing change proposals, reviews, ratings, collections, app idea submissions, community API requests, votes, bookmarks, and provider claim applications.
• Operational communications including submission status updates, moderation decisions, security alerts, and service announcements.
• Security, fraud prevention, rate limiting, captcha verification, and audit logging related to platform use.
• Product analytics and performance monitoring where enabled.

What this Policy does not cover

This Policy does not apply to third-party websites, API documentation portals, payment processors, identity providers, or services operated by API providers listed on Core Route. When you leave our Platform or integrate with a third-party API, that organization's privacy policy governs how they handle your information.

If you are an employee or contractor of a provider whose API is listed on Core Route, your relationship with that provider is separate from your use of the Platform as an individual user.

4.1 Information you provide directly

When you create an account, we collect information such as your name, email address, and password. Passwords are stored using industry-standard hashing; we do not store plaintext passwords.

When you update your account or dashboard profile, we collect the information you choose to provide, which may include display preferences and saved items.

• Registration and authentication details, including email address, name, and credentials.
• Profile information you choose to add or update after registration.
• API submission data, including API name, description, documentation URLs, pricing notes, category selections, country coverage, and any supporting metadata you provide.
• Listing change proposals that suggest edits to existing directory entries.
• Reviews and ratings, including written feedback, star ratings, and associated API identifiers.
• Collections you create, including titles, descriptions, and the APIs you include.
• App idea submissions and community API requests, including descriptions, use cases, and voting activity where applicable.
• Provider claim materials, which may include your name, work email, company affiliation, verification documents, and statements of authorization.
• Communications you send to us, including support requests, abuse reports, privacy requests, and responses to moderation inquiries.

4.2 Information collected automatically

When you visit or use the Platform, we automatically collect certain technical and usage information. Some of this information is necessary to deliver the service securely; other information helps us understand how the Platform is used and where improvements are needed.

• Network and device data, such as IP address, browser type and version, operating system, device type, language settings, and approximate location derived from IP address.
• Referral and navigation data, including the page that linked you to Core Route, pages viewed, time spent on pages, click paths, search queries, filters applied, and comparison actions.
• Session and authentication data, including login timestamps, session identifiers, and authentication method used.
• Security and anti-abuse data, including failed login attempts, rate-limit events, captcha challenge identifiers, bot detection signals, and suspicious activity flags.
• Error and performance data, such as crash reports, server response times, and diagnostic logs needed to maintain reliability.
• Cookie and local storage identifiers used to maintain sessions, remember preferences, and protect against cross-site request forgery.

4.3 Information from third parties

• Identity provider data if you sign in with Google or another supported OAuth provider. This typically includes your name, email address, and profile identifier supplied by the provider, subject to your settings with that provider.
• Publicly available provider documentation, logos, OpenAPI specifications, and metadata used to populate or verify directory listings.
• Infrastructure, email delivery, analytics, search, monitoring, and security vendors that process data on our behalf to operate the Platform.
• Moderation or abuse reports submitted by other users that reference your account or published content.

4.4 Information we do not intentionally collect

We do not require you to provide sensitive categories of personal information such as government ID numbers, financial account details, health information, or precise geolocation for ordinary use of the Platform. Please do not include such information in reviews, submissions, or support messages unless we explicitly request it for a specific verification process (for example, a provider claim review).

5.1 Providing and operating the Platform

• Create, authenticate, and manage user accounts.
• Enable browsing, search, filtering, comparison, and detail pages for APIs, categories, countries, providers, and collections.
• Process and display submissions, reviews, collections, app ideas, community requests, and provider claims.
• Deliver dashboard features such as saved items, submission tracking, monitoring views, and account settings.
• Send transactional emails, including account verification, password reset links, submission status updates, moderation outcomes, and security notifications.

5.2 Maintaining quality, safety, and trust

• Moderate user-generated content for accuracy, spam, malware links, impersonation, and policy violations.
• Review provider claim applications and verify authorized representatives where practicable.
• Investigate abuse reports, enforce rate limits, and protect the Platform from automated scraping or credential attacks.
• Maintain audit logs of administrative and moderation actions for accountability.
• Improve listing quality through editorial review, automated checks, and community feedback.

5.3 Improving and developing the Platform

• Analyze aggregated usage patterns to understand feature adoption and performance bottlenecks.
• Test new features, fix bugs, and optimize search and monitoring experiences.
• Conduct internal research on developer needs and directory completeness.

5.4 Legal and compliance purposes

• Comply with applicable laws, regulations, lawful requests, and court orders.
• Establish, exercise, or defend legal claims.
• Enforce our Terms of Service and other platform policies.
• Detect, prevent, and address fraud, security incidents, and unlawful activity.

5.5 Marketing and communications

We may send product announcements, newsletters, or community updates if you opt in or where permitted by law. You can unsubscribe from non-essential marketing emails at any time using the link in the message or by contacting us. Transactional and security-related messages are not marketing and may be sent even if you opt out of promotional communications.

Performance of a contract

We process account, authentication, and feature-related data as necessary to provide the Platform and the services you request when you register or use authenticated features.

Legitimate interests

We process certain information because it is necessary for our legitimate interests in operating, securing, and improving the Platform, maintaining listing quality, preventing abuse, and communicating with users about service-related matters. Where we rely on legitimate interests, we balance those interests against your rights and expectations.

• Platform security, fraud prevention, and anti-abuse measures.
• Moderation of submissions, reviews, and claims.
• Internal analytics and product improvement using aggregated or pseudonymized data where possible.
• Responding to inquiries and maintaining business records.

Consent

Where required by law, we rely on your consent for optional activities such as non-essential analytics cookies or marketing emails. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Legal obligation

We process information when necessary to comply with legal obligations, such as responding to valid legal process or retaining records required by applicable law.

Choosing what to share

Do not include confidential business information, personal data belonging to others, or secrets such as API keys or credentials in public submissions, reviews, or comments. Core Route is a discovery platform, not a secrets manager.

8.1 Service providers and processors

We use trusted vendors to help us operate the Platform. These providers process personal information on our behalf and only as instructed by us, subject to contractual confidentiality and security obligations. Categories of service providers include:

• Cloud hosting and database infrastructure providers.
• Email delivery and transactional messaging services.
• Authentication and captcha providers.
• Analytics, logging, and error monitoring tools.
• Search, indexing, and content delivery services.
• Customer support and ticketing tools where used.

8.2 Moderators and administrators

Authorized moderators and administrators may access personal information and user content as needed to review submissions, investigate reports, process provider claims, enforce policies, and maintain platform integrity. Access is limited by role-based permissions and audit logging.

8.3 Other users and the public

As described in Section 7, information you choose to publish may be visible to other users or the public.

8.4 Legal and safety disclosures

We may disclose personal information if we believe in good faith that disclosure is necessary to comply with applicable law, respond to lawful requests from public authorities, enforce our agreements, protect the rights, property, or safety of Core Route, our users, or others, or detect and prevent fraud or security issues.

8.5 Business transfers

If Core Route is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will take steps to ensure the recipient is bound by privacy obligations consistent with this Policy or notify you where required by law.

9.1 Types of cookies we use

• Strictly necessary cookies: required for authentication, session management, security tokens, load balancing, and CSRF protection. The Platform cannot function properly for signed-in users without these cookies.
• Preference cookies: store choices such as theme (light/dark mode) and UI settings to improve your experience on return visits.
• Analytics cookies: if enabled, help us understand traffic patterns, feature usage, and performance. We aim to configure analytics in a privacy-conscious manner and may use aggregated reporting.
• Security cookies: support captcha challenges, bot detection, and abuse prevention during registration and sensitive actions.

9.2 Managing cookies

Most browsers allow you to refuse or delete cookies through settings. Blocking strictly necessary cookies may prevent login, break dashboard features, or cause repeated security prompts. For more information about cookie controls in your browser, consult your browser's help documentation.

9.3 Do Not Track

Some browsers transmit Do Not Track signals. Because there is no uniform industry standard for responding to such signals, the Platform may not respond to Do Not Track requests in a particular way. You can manage cookies directly through your browser as described above.

10.1 Account information

We retain account information while your account is active. If you request account deletion, we will delete or anonymize personal information associated with your account within a reasonable period, except where retention is necessary for legal compliance, dispute resolution, fraud prevention, or enforcement of our agreements.

10.2 Community content

Public content you published may remain on the Platform after account deletion if it has been approved for listing, referenced by other users, or is required for the integrity of the directory. Where feasible, we will disassociate deleted accounts from remaining public content by removing or anonymizing identifying attribution.

10.3 Security and operational logs

Security logs, authentication records, and operational diagnostics are typically retained for a limited period sufficient to investigate incidents, enforce rate limits, and maintain system reliability, after which they are deleted or aggregated.

10.4 Legal and backup retention

Information may persist in encrypted backups for a limited time after deletion from active systems. Backups are restored only when necessary for disaster recovery and are subject to the same security controls as production data.

Your role in security

No online service can guarantee absolute security. You are responsible for choosing a strong password, keeping your credentials confidential, signing out on shared devices, and notifying us promptly at hello@coreroute.dev if you suspect unauthorized access to your account.

Security incidents

If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.

13.1 How to submit a request

To exercise your privacy rights, email privacy@coreroute.dev from the address associated with your account and describe your request in sufficient detail. We may need to verify your identity before processing the request to protect your account from unauthorized access.

We will respond within the timeframe required by applicable law. If we deny a request, we will explain the reason unless prohibited by law.

13.2 Account deletion

You may request account deletion through your dashboard account settings or by contacting privacy@coreroute.dev. Deletion may not immediately remove all public content as described in Section 10.2.

13.3 Regional notices

Users in the European Economic Area and United Kingdom may contact their local data protection authority if they believe we have not addressed a concern adequately. Users in Nigeria may have rights under the Nigeria Data Protection Act and related regulations. Users in other jurisdictions may have additional rights under local consumer or privacy laws.