Skip to main content

Privacy Policy

Last updated: March 17, 2026

FirstHandAPI, Inc. ("FirstHandAPI," "we," "us," or "our") operates the firsthandapi.com website and the FirstHandAPI platform, including the REST API, worker mobile application, and buyer dashboard (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By accessing or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

Information We Collect

We collect information that you provide directly, information generated through your use of the Service, and information from third-party integrations.

Submission Content

When you create jobs through the API, we receive and temporarily store the content associated with them, including text, image URLs, metadata fields, job descriptions, and context attachments. When workers submit uploaded files, we store those files temporarily. Submission content is processed solely to facilitate content collection and delivery and is subject to our data retention schedule described below.

API Keys and Account Information

When you register an organization, we collect your email address, organization name, and billing contact details. API keys are generated with environment-specific prefixes (fh_live_, fh_test_). We store a SHA-256 hash of each key with a KMS-managed pepper; we never store raw API keys after initial generation.

Billing and Payment Information

Payments are processed through Stripe. We do not store full credit card numbers, CVVs, or bank account details on our servers. We retain Stripe customer IDs, transaction references, credit purchase records, and invoice metadata for billing reconciliation and compliance.

Usage Analytics

We collect API request logs including endpoint paths, response codes, latencies, rate-limit counters, and anonymized client identifiers. For the worker application, we collect session duration, job completion rates, and performance metrics. All logs are structured JSON with request IDs for traceability.

How We Use Your Information

We use the information we collect to:

  • Operate and maintain the Service, including routing jobs to qualified workers, delivering submitted files via webhook, and managing credit balances.
  • Authenticate your API requests and enforce rate limits, organization-scoped access controls, and usage quotas.
  • Calculate and update worker trust scores based on submission quality, consistency, and speed within specific job categories.
  • Generate aggregate analytics for your dashboard, including job volumes, submission turnaround times, and quality metrics.
  • Process billing transactions, issue invoices, and manage credit purchases and expiration.
  • Detect and prevent fraud, abuse, and violations of our Acceptable Use Policy.
  • Improve the Service through aggregate, de-identified analysis of usage patterns and system performance.
  • Communicate with you about service updates, security notices, and billing matters.

Data Sharing

We do not sell your personal information or submission content to third parties. We share information only in the following circumstances:

Stripe (Payment Processing)

We share billing contact information and transaction details with Stripe to process credit purchases and manage subscriptions. Stripe's handling of your data is governed by the Stripe Privacy Policy.

AWS (Infrastructure)

Our Service is hosted on Amazon Web Services in the us-west-2 region. All data at rest is encrypted with AES-256-GCM, and all data in transit uses TLS 1.3. AWS processes data on our behalf under a Data Processing Agreement.

Legal Requirements

We may disclose your information if required by law, regulation, legal process, or enforceable governmental request.

Data Retention

We retain different categories of data for different periods based on operational necessity and legal requirements:

Data CategoryRetention Period
Submission content and uploaded files90 days after job completion
Billing and payment records7 years (tax/legal compliance)
Audit logs1 year
Unused credit balances12 months from purchase date

After the applicable retention period, data is permanently deleted or irreversibly anonymized. You may request earlier deletion subject to the limitations described under "Your Rights."

Security

We implement industry-standard technical and organizational measures to protect your data:

  • Encryption in transit: All API communication uses TLS 1.3. Older TLS versions are not supported.
  • Encryption at rest: All data stored in our databases and object storage is encrypted with AES-256-GCM.
  • Key management: Encryption keys and API key peppers are managed through AWS Key Management Service (KMS) with automatic rotation.
  • Access controls: All resource queries are organization-scoped. Worker access to job content is scoped to assigned jobs and audited.
  • Webhook security: All webhook payloads are signed with HMAC-SHA256 to ensure integrity and authenticity.

No method of transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security.

Your Rights

European Economic Area (GDPR)

If you are located in the EEA, you have the following rights under the General Data Protection Regulation:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Right to data portability: Request your data in a structured, machine-readable format.

California (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected.
  • Right to delete: Request deletion of personal information we have collected from you.
  • Right to opt-out: We do not sell personal information. If this changes, we will provide a clear opt-out mechanism.

To exercise any of these rights, contact us at privacy@firsthandapi.com. We will respond within 30 days.

Children's Privacy

The Service is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will promptly delete it. If you believe a child under 13 has provided us with personal information, please contact us at privacy@firsthandapi.com.

International Data Transfers

Your information may be transferred to and processed in the United States, where our servers are located (AWS us-west-2, Oregon). If you are accessing the Service from outside the United States, your data will be transferred across international borders. We rely on Standard Contractual Clauses and other lawful transfer mechanisms to ensure adequate protection of your data in compliance with applicable data protection laws.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify you via email or a prominent notice on the Service. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

FirstHandAPI, Inc.
Email: privacy@firsthandapi.com