Privacy Policy

Last updated: February 18, 2026

tl;dr

  • We collect minimal data to run the service (email, name, API usage)
  • We never sell your data to third parties
  • Your users' reset codes are bcrypt-hashed before storage
  • You can delete your account and all data anytime
  • We use cookies for authentication only

1. Information We Collect

1.1 Account Information

When you sign up for ResetKit, we collect:

  • Full name
  • Email address
  • Password (bcrypt-hashed with 12 rounds, never stored in plaintext)
  • Company name (if provided)

1.2 Usage Data

To provide and improve the service, we collect:

  • API requests (timestamps, endpoints called, response codes)
  • Reset session logs (email hash, success/failure, timestamp)
  • Webhook delivery status
  • Browser type and IP address (for fraud prevention)

1.3 Payment Information

Payment processing is handled by Stripe. We never see or store your full credit card details. We only receive:

  • Last 4 digits of your card
  • Card brand (Visa, Mastercard, etc.)
  • Expiration date
  • Stripe customer ID

2. How We Use Your Information

We use collected data to:

  • Provide the ResetKit service to you and your users
  • Send transactional emails (password resets, 2FA codes, magic links)
  • Bill you for the service
  • Detect and prevent fraud or abuse
  • Improve our service through analytics
  • Respond to support requests
  • Send critical service updates (outages, security notices)

We do NOT use your data to:

  • Sell to third parties or advertisers
  • Send marketing emails (unless you opt in)
  • Train AI models

3. Data Storage and Security

Your data is stored securely:

  • Database: MongoDB Atlas (encrypted at rest and in transit)
  • Passwords: bcrypt with 12 rounds (industry standard)
  • Reset codes: bcrypt with 10 rounds, expire after 15 minutes
  • 2FA codes: bcrypt with 10 rounds, expire after 5 minutes
  • API keys: Stored hashed, only shown once on generation
  • Backups: Automated daily, encrypted, retained for 30 days

We follow industry best practices including rate limiting, CSRF protection, and regular security audits.

4. Third-Party Services

ResetKit uses these third-party services:

  • Stripe: Payment processing (their privacy policy: stripe.com/privacy)
  • Resend: Email delivery (their privacy policy: resend.com/legal/privacy)
  • Upstash: Redis for rate limiting (their privacy policy: upstash.com/trust/privacy)
  • MongoDB Atlas: Database hosting (their privacy policy: mongodb.com/legal/privacy)
  • Vercel: Hosting and CDN (their privacy policy: vercel.com/legal/privacy-policy)

These services are SOC 2 compliant and GDPR-ready.

5. Cookies

We use minimal cookies:

  • resetkit_session: Authentication (JWT, httpOnly, 7-day expiry)
  • _vercel_analytics: Anonymous pageview tracking (opt-out available)

We do NOT use advertising or tracking cookies.

6. Data Retention

We retain data as follows:

  • Account data: Until you delete your account
  • Reset session logs: 90 days
  • API logs: 30 days
  • Webhook logs: 30 days
  • Billing records: 7 years (tax compliance)

When you delete your account, all data except billing records is permanently deleted within 30 days, which matches the 30-day backup retention period described in Section 3.

7. Your Rights (GDPR & CCPA)

You have the right to:

  • Access: Request a copy of your data (email support@resetkit.dev)
  • Rectification: Correct inaccurate data in your dashboard
  • Erasure: Delete your account and all associated data
  • Portability: Export your data in JSON format
  • Object: Opt out of marketing emails (we rarely send any)
  • Restrict: Pause your account without deleting data

To exercise these rights, email support@resetkit.dev or use the settings in your dashboard.

8. Children's Privacy

ResetKit is not intended for use by anyone under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal information, contact support@resetkit.dev and we will delete it immediately.

9. Data Breach Notification

In the unlikely event of a data breach affecting your account, we will:

  • Notify you via email within 72 hours of discovering the breach
  • Describe what data was affected
  • Explain what we're doing to fix it
  • Provide guidance on protecting yourself

10. International Transfers

ResetKit is operated from the United States. If you're accessing the service from outside the US, your data will be transferred to and processed in the US. We use standard contractual clauses approved by the European Commission for GDPR compliance.

11. Changes to This Policy

We may update this policy occasionally. When we do, we'll update the "Last updated" date at the top. For major changes, we'll email you 30 days in advance. Continued use of ResetKit after changes means you accept the new policy.

12. Contact Us

Questions about this Privacy Policy? Contact us:

Email: support@resetkit.dev

Response time: Within 48 hours