01
Who we are
"IPkit" (also "we," "us," or "our") refers to Four Birds Limited, a New Zealand company with its registered office at 566A Cove Road, RD2, Waipu 0582, New Zealand. We are the data controller for personal data processed through IPkit's consumer-facing surfaces. Where IPkit acts as a data processor on behalf of a customer (for example, where a customer's application sends end-user queries to api.ipkit.ai), the customer is the controller and our Data Processing Addendum governs that relationship.
02
Scope
This policy applies to all IPkit properties:
- ipkit.ai — the marketing site (the apex).
- app.ipkit.ai — the customer portal (account, keys, billing, dashboards).
- api.ipkit.ai — the programmatic API.
This policy does not apply to third-party sites that IPkit links to, or to the official intellectual-property registers and similar public sources whose own privacy notices govern their data.
03
Information we collect
3.1 Information you provide
- Account information. Email address, display name, and (optionally) company name when you sign up at ipkit.ai. If you sign in with Google or GitHub, we receive the email and avatar associated with that account.
- Billing information. Plan selection and billing identifiers. Card details are handled by Stripe and never reach IPkit's servers — we receive only a customer identifier, the last four digits, and the card brand.
- Support and waitlist correspondence. The email address and any content you send to hello@ipkit.ai, privacy@ipkit.ai, or via a waitlist form on the apex.
- Search queries and content. Brand names, descriptions, classes, jurisdictions, and any other text or file you submit through IPkit's search, monitoring, or analysis tools.
3.2 Information collected automatically
- Authentication state. A Supabase-issued session cookie on ipkit.ai (see our Cookie Policy).
- API usage telemetry. For each call to api.ipkit.ai we record the authenticated key, request path, response status, latency, byte counts, IP address, and a timestamp. We use this for rate-limiting, billing, abuse detection, and product improvement.
- Server logs. Standard request logs (IP, user-agent, path, status, timestamp) generated by our hosting providers for security and operational diagnostics.
- Fraud-prevention signals. During checkout, Stripe collects device and network signals (described in Stripe's own privacy notice).
We do not run analytics cookies, advertising trackers, or session-replay tools on the apex (ipkit.ai). See the Cookie Policy for the full breakdown.
3.3 Information from third parties
We receive limited identity information from OAuth providers (Google, GitHub) when you choose to sign in with them, and operational data from our sub-processors (e.g., Stripe sends events about subscription state). We do not buy personal data from data brokers.
04
How and why we use information
Each purpose below maps to a lawful basis under the EU/UK General Data Protection Regulation. Comparable bases apply under the California Consumer Privacy Act ("CCPA") and other regional laws.
| Purpose | Data used | Lawful basis (GDPR) |
|---|---|---|
| Provide the service you requested (search, monitoring, analysis) | Account, queries, usage | Contract (Art. 6(1)(b)) |
| Authenticate sessions and protect accounts | Account, session cookie, IP | Contract; legitimate interest in security |
| Bill paid plans and prevent payment fraud | Billing identifiers, usage counts | Contract; legal obligation (tax records) |
| Enforce rate limits and detect abuse | Usage telemetry, IP, key metadata | Legitimate interest (Art. 6(1)(f)) |
| Improve the product (aggregate analysis, debugging) | Usage telemetry, error logs | Legitimate interest |
| Send service emails (security, billing, material changes) | Email address | Contract; legal obligation |
| Send product updates and waitlist follow-ups | Email address | Consent — withdrawable at any time |
| Comply with legal requests and enforce our Terms | As needed | Legal obligation; legitimate interest |
We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you. IPkit's analyses are presented for human review — they do not auto-file, auto-oppose, or auto-reject anything on your behalf.
We do not sell your personal data, and we do not "share" it for cross-context behavioural advertising as those terms are defined under the CCPA.
06
Sub-processors
The following providers process personal data on our behalf:
| Provider | Purpose | Primary region |
|---|---|---|
| Vercel | Hosting | US / global edge |
| Supabase | Authentication and database | EU (primary) / US |
| Fly.io | Application hosting infrastructure | Global multi-region |
| Stripe | Billing, payments, fraud prevention | US / EU |
| Resend | Transactional email and waitlist messaging | US |
| Tinybird | Aggregated usage analytics | EU / US |
| Upstash | Caching and operational data store | Global edge |
| Cloudflare | DNS, DDoS protection, edge security | Global edge |
We engage each sub-processor under a written contract with data-protection terms at least as protective as those in this policy. Material changes to this list will be reflected here with at least 30 days' notice for enterprise customers under a DPA.
07
International transfers
IPkit is operated by a team and infrastructure that spans the United States, the European Union, and the United Kingdom. When personal data is transferred out of the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and supplementary technical measures (encryption in transit and at rest) as applicable.
08
Retention
| Category | Retention |
|---|---|
| Account profile | While your account is open; deleted within 30 days of account closure. |
| Billing records (invoices, tax-relevant data) | 7 years after the transaction (legal obligation). |
| API usage telemetry (per-request) | 13 months, then aggregated and anonymised. |
| Search queries and inputs | While your account is open, or as set out in your enterprise agreement. |
| Server and security logs | 90 days, unless retained longer to investigate an incident. |
| Waitlist email addresses | Until you unsubscribe or 24 months of inactivity, whichever comes first. |
| Support correspondence | 3 years after the ticket is resolved. |
Backups containing personal data are encrypted and aged out on the same schedules; in practice deletion from backups completes within 35 days of the live-system deletion.
09
Security
We protect personal data with administrative, technical, and physical safeguards appropriate to its sensitivity. These include encryption in transit (TLS 1.2+) and at rest, least-privilege access controls with single sign-on for staff, mandatory two-factor authentication for production systems, structured logging and alerting, periodic vulnerability scanning, and an incident-response runbook. We follow a security-by-default model: raw API keys are shown to you exactly once at creation and stored on our side only as a salted hash.
No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and any regulator with jurisdiction as required by applicable law.
10
Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data (subject to legal-retention exceptions).
- Restrict or object to certain processing.
- Receive a portable copy of data you provided to us.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local supervisory authority (EU/UK residents) or the California Privacy Protection Agency.
Exercise any of these rights by emailing privacy@ipkit.ai. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). We will not discriminate against you for exercising a privacy right.
California residents may designate an authorised agent to make requests on their behalf. We will verify both the agent's authority and your identity before responding.
11
Children
IPkit is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@ipkit.ai and we will delete it promptly.
12
Do Not Track
Because we do not run cross-site advertising trackers, IPkit treats "Do Not Track" and Global Privacy Control signals as a no-op: there is no third-party tracking to disable.
13
Changes to this policy
We may update this policy as the product and our infrastructure evolve. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be announced by email to account holders and via an in-product banner. Continued use of IPkit after the effective date of a change constitutes acceptance.
14
Contact
Privacy questions and rights requests: privacy@ipkit.ai.
Postal: Four Birds Limited, 566A Cove Road, RD2, Waipu 0582, New Zealand.
IPkit does not currently process EU or UK personal data at the scale that requires a designated representative under GDPR Article 27 or the UK GDPR. If that changes, we will appoint a representative and update this section with their contact details.