Privacy Policy
Last updated: March 16, 2026
This Privacy Policy describes how Plaza ("Plaza," "we," "us," or "our") collects, uses, and protects your information when you use the Plaza API and related services ("Service") at plaza.fyi. By using the Service, you agree to the collection and use of information as described in this policy.
1. Information We Collect
Account Information
When you create a Plaza account, we collect:
- Email address — provided directly or obtained through OAuth
- Display name — if provided through OAuth (Google or GitHub)
- OAuth identifiers — your Google or GitHub user ID, used solely for authentication
- Passkey credentials — public key data for WebAuthn authentication (we never store passwords)
Payment Information
When you subscribe to a paid plan, payment is processed by Stripe. Plaza does not directly store your full credit card number or bank account details. We receive and store:
- Stripe customer ID
- Payment method type (e.g., card brand, last four digits)
- Billing address (if provided)
- Transaction history and invoice records
API Usage Data
When you make requests to the Plaza API, we automatically log:
- IP address of the request origin
- API endpoint accessed
- Timestamp of the request
- Response time and HTTP status code
- API key identifier (hashed)
- Request method and query parameters
We do not log request bodies or response bodies. We do not store the content of your queries or the geospatial data returned in API responses.
Website Usage
When you visit plaza.fyi, we collect standard web server logs including IP address, browser type, pages visited, and referring URL.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service — authenticate your identity, authorize API access, and process your requests
- Billing — calculate usage, process payments, generate invoices, and manage subscriptions
- Abuse prevention — enforce rate limits, detect and prevent misuse, and protect the integrity of the Service
- Service improvement — analyze aggregate usage patterns to improve performance, reliability, and features
- Communication — send transactional emails (account verification, billing receipts, security alerts) and, where permitted, service announcements
- Legal compliance — fulfill legal obligations, respond to lawful requests, and protect our rights
We do not sell your personal information. We do not use your data for advertising. We do not build user profiles for marketing purposes.
3. Authentication
Plaza supports three authentication methods:
- Magic link email — we send a one-time login link to your email. No password is created or stored.
- OAuth (Google, GitHub) — we receive your email and display name from the OAuth provider. We do not receive or store your password from these providers.
- Passkeys (WebAuthn) — cryptographic credentials are stored on your device. We store only the public key component.
Plaza never stores passwords. None of our authentication methods require or create passwords.
4. Cookies
Plaza uses cookies strictly for:
- Session management — to keep you logged in to the Plaza dashboard and maintain your session state
We do not use third-party tracking cookies. We do not use cookies for advertising or cross-site tracking. We do not use analytics cookies that track individual users.
5. Third-Party Services
We use the following third-party services to operate Plaza:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing and usage metering | Email, payment method, billing address, transaction amounts, API usage counts |
| Google Cloud | Application hosting | API requests transit Google Cloud infrastructure |
| Neon | Database hosting | Account and usage data stored in Neon Postgres |
Each third-party service processes data according to its own privacy policy. We select providers that maintain industry-standard security practices.
We do not share your data with any third parties for their own marketing or advertising purposes.
6. Data Retention
- Account data — retained for as long as your account is active. Upon account deletion, we remove your personal information within 30 days, except as required by law.
- API usage logs — retained for 90 days, then automatically purged. Aggregate, anonymized statistics may be retained indefinitely.
- Billing records — retained for 7 years after the end of the billing relationship, as required by tax and financial regulations.
- Security logs — retained for up to 1 year for abuse prevention and security incident investigation.
7. Data Location
Plaza's infrastructure is hosted on Google Cloud in the US East (us-east1) region. Your data, including account information, API logs, and usage data, is stored and processed in the United States.
Database services are provided by Neon, with data stored in US-based infrastructure.
If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate personal data
- Deletion — request deletion of your personal data and account
- Data export — request a machine-readable export of your account data and usage history
- Restriction — request that we restrict processing of your personal data in certain circumstances
- Objection — object to processing of your personal data for certain purposes
To exercise any of these rights, contact us at legal@plaza.fyi. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.
Deleting your account will deactivate your API keys and remove your personal information. It will not retroactively remove your data from backups, which are purged on a rolling schedule.
9. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at legal@plaza.fyi and we will promptly delete such information.
10. Security
We implement the following measures to protect your data:
- Encryption in transit — all connections to Plaza use TLS (HTTPS). Unencrypted HTTP requests are rejected.
- API key hashing — API keys are stored using one-way cryptographic hashes. We cannot retrieve your raw API key after initial generation.
- Database encryption — data at rest is encrypted using Neon's built-in encryption.
- Access controls — internal access to production systems is restricted and audited.
- No password storage — our passwordless authentication model eliminates an entire class of credential-based attacks.
No system is perfectly secure. If you discover a security vulnerability, please report it to security@plaza.fyi.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at the address associated with your account at least thirty (30) days before the changes take effect. The "Last updated" date at the top of this page reflects when the policy was most recently revised.
Your continued use of the Service after any changes take effect constitutes your acceptance of the revised policy.
12. Contact Information
If you have questions about this Privacy Policy or our data practices:
- General support: support@plaza.fyi
- Legal and privacy inquiries: legal@plaza.fyi