Privacy Notice
Last updated: 2026
1. Who we are
PermitFlow ("we", "us", "our") provides a REST API for US construction permit and contractor license data. This notice explains what personal data we collect when you use our website and API, why we collect it, and your rights. PermitFlow is the data controller for the personal data described here.
2. Data we collect
- Account data — name, email address, hashed password, login credentials.
- Support communications — emails or messages you send us.
- Usage and telemetry — API request counts, endpoints used, error rates.
- Device and connection — IP address, user-agent, device identifiers, approximate location derived from IP.
- API keys — we store a hash and prefix of issued keys, never the full secret.
Payment-related data (card details, billing address, tax ID) is collected and processed directly by our payment provider, Paddle, and is not stored on our servers.
3. Why we use it (purposes & legal basis)
- Provide the Service — create your account, authenticate API requests, deliver permit data (legal basis: performance of contract).
- Security and fraud prevention — detect abuse, enforce rate limits, investigate incidents (legitimate interests).
- Customer support — respond to your questions (performance of contract / legitimate interests).
- Product improvement — aggregated usage analytics to improve coverage and performance (legitimate interests).
- Legal compliance — meet tax, accounting, and other legal obligations (legal obligation).
4. Who we share data with
- Paddle — our Merchant of Record, who handles checkout, subscription management, payments, tax compliance, invoicing, and refunds.
- Service providers — hosting, database, email delivery, and analytics tooling acting as our processors under contract.
- Professional advisers — legal and accounting advisers, where reasonably needed.
- Authorities — where required by law, court order, or to protect our rights.
We do not sell your personal data.
5. How long we keep it
We keep account data for as long as your account is active and for a reasonable period afterward to comply with legal and tax obligations. Usage logs are retained for up to 12 months for security and debugging. Data that is no longer needed is deleted or anonymized.
6. Your rights
Subject to applicable law, you may have the right to access, correct, delete, restrict, or port your personal data, and to object to certain processing. If you are in the UK or EEA, you also have the right to lodge a complaint with your supervisory authority. To exercise any of these rights, email hi@permitflow.dev.
7. Security
We use appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), hashed credentials and API keys, and role-based access controls. No system is perfectly secure, but we work to minimize risk.
8. International transfers
Some of our service providers are based outside your country. Where data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions where applicable.
9. Cookies
We use a small number of essential cookies required to keep you logged in and to keep the Service secure. We do not use advertising cookies. If we add analytics cookies in the future we will update this notice and request consent where required.
10. Contact
Questions about this notice or our data practices? Email hi@permitflow.dev.