Privacy Policy

Last updated: June 9, 2026

This Privacy Policy explains how EdgarKit ("EdgarKit," "we," "us," or "our"), operated by Mathew Arena doing business as EdgarKit, collects, uses, and shares information when you use our developer API and website at edgarkit.com.

1. Information We Collect

Account Information. When you sign up, we collect:

• Your email address
• Optional name and company (if you provide them)

Payment Information. If you subscribe to a paid plan, our payment processor (Stripe) collects:

• Billing name and address
• Credit card details (handled directly by Stripe — we never see or store your card number)

We receive only limited summary information from Stripe (last 4 digits, card brand, subscription status).

API Usage Data. When you use the API, we automatically log:

• API key used (associated with your account)
• Timestamp, endpoint hit, and response status
• Response time (for performance monitoring)

This is used to enforce rate limits, prevent abuse, and improve the Service.

Webhook Configurations. If you register webhooks, we store the URLs you provide and any filter criteria.

Standard Web Logs. Like most websites, we collect IP addresses and browser user-agent strings as part of normal HTTP traffic, used for security and abuse prevention.

2. What We DO NOT Collect

• We do not use tracking cookies or third-party advertising trackers on edgarkit.com.
• We do not sell your data to third parties. Ever.
• We do not collect or store the content of webhooks delivered to your endpoint after delivery succeeds.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Authenticate API requests and enforce plan limits
• Process payments and send billing emails
• Communicate with you about your account or important Service updates
• Detect and prevent abuse, fraud, and security incidents
• Comply with legal obligations

4. Who We Share Data With

We share the minimum data necessary with the following service providers:

• Stripe — for payment processing. See Stripe's Privacy Policy.
• Render — our cloud hosting provider. See Render's Privacy Policy.
• Cloudflare — DNS and edge networking. See Cloudflare's Privacy Policy.

We will not share your personal information with any other party unless required by law (e.g., a subpoena) or to protect the rights, property, or safety of EdgarKit, our users, or others.

5. Data Retention

• Account information is retained while your account is active.
• API usage logs are retained for up to 90 days, then aggregated or deleted.
• Stripe-stored billing records follow Stripe's retention policies (typically 7 years for tax purposes).
• If you delete your account, we delete your personal information within 30 days, except where required to retain for legal or financial recordkeeping.

6. Security

We protect your data using industry-standard practices:

• All traffic is encrypted in transit (TLS/HTTPS)
• API keys are stored as cryptographic hashes (SHA-256), never in plaintext
• Webhook payloads are signed with HMAC-SHA256 for tamper detection
• Database access is restricted and credentials are never committed to source control

No security system is perfect. If we discover a breach affecting your data, we will notify affected users by email without undue delay.

7. Your Rights

You have the right to:

• Access the personal information we hold about you
• Correct inaccurate information
• Delete your account and associated personal information
• Export your data in a portable format
• Opt out of non-essential communications

To exercise any of these rights, email us at support@edgarkit.com. We respond within 30 days.

8. Children's Privacy

EdgarKit is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

9. International Users

EdgarKit is operated from the United States. By using the Service, you consent to the transfer of your information to the U.S. We do not actively market to or solicit users in jurisdictions where EdgarKit would be subject to additional regulatory requirements (e.g., GDPR data controller obligations) without first complying.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced by email or on the website with a revised "Last updated" date.

11. Contact

Questions about this Privacy Policy or your data? Email support@edgarkit.com.