AfriRate

Privacy policy

Last updated 17 May 2026.

1. What we collect

We collect the minimum needed to operate the API and the dashboard:

  • Identity — email and Statotech user id, mirrored from accounts.statotec.com. We never store passwords; authentication is delegated entirely.
  • API keys — the keys you create, their human-readable names, the tier they belong to, and timestamps for created / last used.
  • Usage — per (key, day, country) request counts + per-minute rate-limit window. We do not log request bodies, response bodies, or any query parameters other than the requested country. The country dimension is what powers the "which countries are people querying?" chart in the admin dashboard.
  • Subscribers — if you sign up for rate alerts (when that feature lands): the email address and/or messaging-channel handle you provide, plus the country + pair preferences you choose.
  • Hosting-provider access logs — our hosts (Vercel for the web app, AWS for the scrape ops service) keep their own request logs per their respective policies. We do not add a separate access log on top of those.

We do not use third-party analytics, ad networks, session replay, or browser fingerprinting. The only cookie is the Statotech SSO session (see §4).

2. How we use it

  • To authenticate you and enforce per-key rate limits.
  • To show your own usage on your dashboard.
  • To send rate alerts you have explicitly subscribed to.
  • To detect and prevent abuse of the API (e.g., spotting key-rotation patterns that bypass the limiter).
  • To respond to legal process — see §9.

We do not profile you for advertising, sell your data, or use your usage history to train machine-learning models.

3. Who we share it with (subprocessors)

We use a small set of infrastructure providers. Each one only sees the slice of data needed to do its job:

Provider | Purpose | What they see
accounts.statotec.com | Identity + subscription plans | Email, Statotech user id, plan changes
Neon Postgres | Primary database | Everything we store about you
Vercel | Web app hosting | Request logs (IP, path, status) per Vercel policy
AWS EC2 | Scrape ops service | No user data — only outbound scrape traffic to central banks
Resend | Email delivery (alerts) | Your email + the alert body, at delivery time

We do not sell, rent, or trade personal data with anyone else. We do not share data with advertisers, data brokers, or analytics vendors.

4. Cookies

One cookie: __Secure-statotech-session (or statotech-session in development). It is set by accounts.statotec.com to keep you signed in across Statotech products. No analytics, advertising, or tracking cookies.

5. Data retention

  • Usage records — kept for 12 months, then purged.
  • Server logs — kept for 30 days, then purged.
  • API keys + identity — kept until you delete your AfriRate account from the dashboard's Account section.

6. Your rights

You can ask us to:

  • Access — tell you what we have on you. Most of it is already visible on your dashboard; we will fill in the rest by email.
  • Export (portability) — get a machine-readable copy of your data (JSON). Useful for moving to another provider.
  • Rectify — correct anything inaccurate. Your email comes from Statotech; update it there and it flows down.
  • Restrict — pause specific processing (e.g., stop alert emails) while keeping the account itself open.
  • Object — to any specific use of your data; we will respond within 30 days.
  • Delete — delete your AfriRate account from the dashboard. Your API keys revoke immediately; identity records are purged; usage records lose their key-to-user link and are retained per §5 in de-identified form for our own analytics.

For any of these, email hello@statotec.com from the address on your account.

7. Security

In transit. All traffic is HTTPS. The Statotech SSO cookie is Secure and HttpOnly.

At rest. Postgres encryption is provided by Neon at the storage layer. API keys are stored in plaintext in the database — this matches how Stripe-style high-entropy keys are commonly handled and means we can validate them in a single indexed lookup, but it does mean a database breach would expose live keys. Mitigations: keys can be revoked instantly from your dashboard, and you should rotate any key you suspect has leaked. We plan to move to one-way hashing with a key prefix lookup as a future hardening step.

Identity. Passwords and 2FA are handled by accounts.statotec.com — see their security disclosure.

Patching. We patch high-severity advisories within 7 days; lower-severity, within 30. If you find a security issue please email hello@statotec.com before disclosing publicly.

8. Children

AfriRate is not directed at children under 16, and we do not knowingly collect data from anyone under that age. If you believe a child has signed up, email the address below and we will delete the account.

9. Legal process

We disclose user data only when compelled by valid legal process — a court order, subpoena, or equivalent in the jurisdiction of the request. Where the law permits, we notify the user before complying. We do not provide bulk access to law enforcement and do not maintain back-door interfaces.

10. Changes

We may update this policy. The "last updated" date at the top of the page reflects the most recent change. Material changes — new categories of data collected, new subprocessors, new sharing — will be announced on the dashboard with at least 30 days' notice.

11. Contact

Email hello@statotec.com. See also our terms of service.