What this policy covers
This policy applies to public and private HTTP APIs exposed by the solution, administrative and dashboard interfaces used to operate those APIs, machine-to-machine integrations, developer clients, support workflows, and the infrastructure, access, audit, and diagnostic logs generated while the APIs are used.
This policy does not apply to third-party systems that integrate with the APIs and operate under their own privacy policies.
Data we process
Depending on the API and request, the solution may process:
- Account identifiers, usernames, and organization identifiers
- Request and response payloads submitted by authorized clients
- Authentication and authorization data, including tokens, keys, and claims
- Technical metadata such as IP addresses, timestamps, request paths, headers, user agents, and status codes
- Operational telemetry, diagnostic events, and audit records
- Support and incident data voluntarily provided during troubleshooting
The solution is not intended to collect special-category or highly sensitive personal data unless explicitly required for an approved business use case and protected by additional controls.
How we use data
We use data processed through the APIs to:
- Authenticate requests and enforce access control
- Route, validate, fulfill, and return API operations
- Protect the service against abuse, fraud, misconfiguration, and security threats
- Monitor availability, performance, and reliability
- Investigate incidents, errors, and support requests
- Meet legal, regulatory, and contractual obligations
We do not sell personal information processed through the APIs.
Legal basis
Where applicable, data is processed on one or more of the following bases:
- Performance of a contract or requested service
- Legitimate interests in operating, securing, and improving the APIs
- Compliance with legal obligations
- Consent, where consent is required by law
Sharing and disclosure
We may disclose data only as necessary, to the following recipients or for the following purposes:
- Service providers and infrastructure operators acting on our behalf
- Affiliated entities supporting the service
- Auditors, regulators, courts, or law enforcement where legally required
- Counterparties involved in a transaction requested by the API client
- Protect the rights, security, and integrity of the service, our users, or others
We require recipients acting on our behalf to use appropriate confidentiality and security controls.
How long we keep data
We retain API data only for as long as necessary for service delivery, security, auditability, dispute handling, and legal compliance.
- Operational request and response data may be retained for short-term processing and troubleshooting
- Audit and security logs may be retained longer to support incident response and compliance
- Backups may persist for a limited period under standard recovery processes
When retention is no longer required, data is deleted, anonymized, or irreversibly de-identified where practical.
Security controls
We use reasonable administrative, technical, and organizational measures designed to protect data, including:
- Network access controls and security group restrictions
- Authentication, authorization, and least-privilege access
- Transport encryption where supported and required
- Logging, monitoring, and incident response controls
- Restricted administrative access to API management surfaces
No system can guarantee absolute security. Clients are responsible for protecting their credentials, keys, and endpoint configurations.
Client responsibilities and rights
API clients must:
- Submit only data that they are authorized to process and disclose
- Avoid sending unnecessary personal data
- Protect API credentials and administrative access
- Use secure transport and secure storage practices in their own environments
- Comply with applicable privacy and data protection laws
Where required by applicable law, individuals may have rights to access, correct, delete, restrict, object to, or export their personal data.
Additional policy terms
Data may be processed in jurisdictions where our infrastructure, subprocessors, or support personnel operate. Where required, we use appropriate contractual, organizational, or technical safeguards for such transfers.
The APIs are not directed to children and are not intended to knowingly collect personal data from children without appropriate authorization.
We may update this Privacy Policy from time to time. Material changes should be documented through normal governance, release, or policy publication processes.
Questions or requests
Questions, privacy requests, or incident notifications should be directed to the service owner, security contact, or privacy contact designated for this solution.