Privacy Policy
The short version: birth data is never persisted. We store the minimum needed to run keys and billing, and nothing else.
Birth data — the product guarantee
Birth dates and times you send to any endpoint (including the demo and MCP tools) are processed in memory only to compute the response, then discarded. They are:
- never written to our database — usage records store only which engine was called, when, and how many times;
- never written to logs — request-URL logging is disabled on our infrastructure precisely because query strings can carry birth parameters, and our application logs are audited (with an automated test) to never contain birth inputs;
- never sent to analytics — we run no analytics scripts and no tracking pixels on this site.
What we do store
- Account email — to deliver your key and account notices.
- A SHA-256 hash of your API key — never the key itself.
- Usage counters — engine name, hour bucket, call counts — for quota enforcement and billing. No request contents.
Third parties we rely on
- Stripe processes payments; we never see your card details. Stripe shares with us your checkout email and subscription status.
- Resend delivers key emails from keys@mysticapi.com.
- Cloudflare runs the service infrastructure; Neon hosts the database (accounts, hashed keys, usage counters only).
- x402 payments settle on a public blockchain (Base). On-chain transactions are public by the nature of the chain; they carry no birth data.
Retention and deletion
Account email, hashed keys, and usage counters are kept while your account is active. Email support@mysticapi.com to delete your account; we remove the account row and its keys (usage counters are anonymized by the deletion cascade).
Contact
support@mysticapi.com, or reply to your key email. Effective: 2026-07-07.