Privacy Policy
Effective date: 19 July 2026
1. Who is responsible
The controller of personal data described here is Ratelimitly Technologies - FZCO (registration number 83651, trade license 90420), DSO-IFZA, IFZA Properties, Dubai Silicon Oasis, Dubai, United Arab Emirates ("Ratelimitly", "we"). Contact: contact@ratelimitly.com.
This policy covers the Ratelimitly websites and the Service. It forms part of our Terms of Service.
2. What we collect
Account data
- Email address (your account identifier) and name, if you provide one.
- Sign-in method (email magic link, or Google/GitHub if you use social sign-in).
- Short-lived authentication tokens: sign-in links are valid for 15 minutes; session tokens for 14 days.
- A timestamp of when you accepted the Terms of Service.
Billing data
- Payments are processed by Stripe. We store your Stripe identifiers, subscription status, invoices, and — for display only — your card's brand, last four digits, and expiry. Full card numbers never reach our systems.
Service usage data
- API keys you create (name, plan, region) and metered usage counts per key.
- Rate-limit check traffic processed by our data plane contains your tenant key, counters, and timing metadata. Your application's own request and response payloads are not sent to us — the Service sees rate-limit checks, not your API traffic.
- Standard server logs (IP address, user agent, request path, timestamps).
Data you send us directly
- Early-access requests: email address and optional use-case description.
- Contact form: name, email, and message — delivered to our mailbox, not stored in our application database.
3. What we use it for
- Providing and securing the Service, including authentication and rate limiting (performance of our contract with you).
- Billing and account management (contract; legal obligations).
- Service communications such as sign-in links and billing notices (contract).
- Responding when you contact us (legitimate interest).
- Protecting the Service against abuse and attacks (legitimate interest).
- Complying with law, including accounting and tax obligations (legal obligation).
We do not sell personal data, and we do not use it for third-party advertising.
4. Cookies
We set only first-party cookies that the site needs to function: a signed session cookie, and a signed preview cookie if you have been given early access to gated pages. We use no analytics, advertising, or tracking cookies.
5. Who processes data for us
We share personal data only with the sub-processors that help us run the Service — currently our hosting providers (Fly.io, Amazon Web Services), our payment processor (Stripe), and our mailbox provider (Google Workspace). The canonical, always-current list, including purposes and locations, is maintained at /legal/sub-processors. Customers who need processor terms can rely on our Data Protection Addendum.
We may also disclose data where required by law, or as part of a merger, acquisition, or asset sale (in which case this policy continues to apply to it).
6. International transfers
We are a UAE company and our processors operate primarily in the United States and the EU. Where the law of your jurisdiction restricts transfers, we rely on appropriate safeguards such as the processors' standard contractual clauses and equivalent mechanisms.
7. Retention
- Account data: for the life of your account, then deleted in the ordinary course after closure (subject to a 30-day export window and legal retention duties).
- Sign-in tokens: 15 minutes; session tokens: 14 days; both deleted on use or expiry.
- Billing records: as long as tax and accounting law requires.
- Server logs: short-term operational retention.
- Early-access and contact messages: as long as needed to handle your request.
8. Security
Traffic to the Service is encrypted in transit (TLS). Sessions use signed cookies; passwords, where used at all, are stored only as salted hashes; access to production systems is restricted and credential-scoped. No system is perfectly secure — if we learn of a breach affecting your personal data, we will notify you as the law requires.
9. Your rights
Subject to the law that applies to you (including the UAE Personal Data Protection Law and, where applicable, the GDPR), you may request access to, correction of, deletion of, or a copy of your personal data, and you may object to or ask us to restrict certain processing. Write to contact@ratelimitly.com — we respond to verified requests within the time the law allows. You may also lodge a complaint with your local supervisory authority.
10. Children
The Service is for business use and is not directed at anyone under 18. We do not knowingly collect personal data from children.
11. Changes
We may update this policy. For material changes we will give notice by email or in-product notice before they take effect. The effective date above always reflects the current version.
12. Contact
Ratelimitly Technologies - FZCO
DSO-IFZA, IFZA Properties, Dubai Silicon Oasis, Dubai, United Arab Emirates
contact@ratelimitly.com