Skip to content
RevAddress

Privacy Policy

Effective date: March 10, 2026 · Revasser Labs · New York, NY

RevAddress is a USPS v3 REST API product built by Revasser Labs. This policy describes exactly what data we collect, why we collect it, and what rights you have over it. No boilerplate. No filler.

1. What We Collect

Account & Signup

When you sign up at /signup, we collect your email address and pass it through Cloudflare Turnstile bot verification. We do not collect your name, phone number, or mailing address unless you contact us directly.

  • Email address (required to issue your API key and send transactional emails)
  • Turnstile challenge result (bot signal, not stored long-term)

Payment

Billing is handled entirely by Stripe. When you complete checkout, you are redirected to a Stripe-hosted page. We never see, store, or process your credit card number, CVV, or billing address. What we do receive from Stripe after a successful payment: your email address, Stripe customer ID, subscription plan, and billing status. These are stored in our Cloudflare D1 database solely to manage your API key access.

API Usage

Every request to api.revaddress.com is logged for rate limiting, billing enforcement, and service integrity. We record:

  • API key (hashed identifier — never the plaintext key after issuance)
  • Endpoint called (e.g., /addresses/validate, /tracking)
  • Request count per billing period
  • HTTP status codes returned
  • Timestamps (UTC)

We do not log the address data, tracking numbers, or package contents you pass through the API. The payload you send to USPS is proxied — we do not retain it.

BYOK Credentials (Pro & Enterprise)

If you use Bring Your Own Keys (BYOK), your USPS Developer Portal client ID and client secret are stored encrypted using AES-GCM with a per-tenant encryption key. The plaintext credentials are never written to disk or logs. They are decrypted in memory only at request time to exchange for a short-lived USPS OAuth token.

Website Analytics

We use Google Analytics 4 (measurement ID: G-G6FK8BDX4H) on the revaddress.com marketing site. GA4 collects standard browser telemetry: page views, session duration, referrer, approximate geographic region (country/city), and device type. This data is anonymized and used to understand which documentation and blog content is useful. We do not use GA4 on API endpoints.

Cloudflare also collects aggregate traffic analytics (request counts, error rates, geographic distribution) at the edge. This data does not include personal identifiers.

2. How We Use It

We use the data we collect for five purposes and nothing else:

  1. 01 Service delivery — authenticating API requests, enforcing rate limits, issuing and revoking API keys, routing BYOK credentials.
  2. 02 Billing — syncing Stripe subscription state to your API key access level, counting requests against your plan limit.
  3. 03 Transactional email — sending API key confirmation, billing receipts, and service notifications via Resend. We do not send marketing email unless you opt in explicitly.
  4. 04 Security & abuse prevention — detecting anomalous request patterns, blocking API key abuse, Cloudflare WAF enforcement.
  5. 05 Product improvement — aggregate, anonymized GA4 data to understand which features and documentation need work.

3. Third-Party Services

We use four third-party services. Each receives only the minimum data necessary for its function.

Stripe

Payment processing. Receives your email and payment method at checkout. Their privacy policy governs all payment data: stripe.com/privacy. We receive only subscription status and customer ID from Stripe webhooks.

Cloudflare

Hosting, DNS, WAF, CDN, Workers runtime, D1 database, and Turnstile bot verification. All API and site traffic passes through Cloudflare's global network. Their privacy policy: cloudflare.com/privacypolicy.

Google Analytics 4

Site analytics on revaddress.com only (measurement ID G-G6FK8BDX4H). Anonymized session data, page views, device type. IP anonymization is enabled. Google's data policy: policies.google.com/privacy.

Resend

Transactional email delivery. Receives your email address to send API key confirmations and billing notifications. We do not share any other personal data with Resend. Their privacy policy: resend.com/legal/privacy-policy.

We do not sell your data to any third party. We do not use data brokers. We do not run advertising networks. These four services are the complete list of external data processors.

4. Data Retention

Email address Retained while your account is active. Deleted within 30 days of account termination on request.
API usage logs Request counts retained for 90 days (billing reconciliation). Detailed request logs (endpoint + status) retained for 30 days then purged.
BYOK credentials Deleted immediately when you remove BYOK from your account or terminate your subscription. AES-GCM encrypted at rest in Cloudflare Durable Objects.
Stripe records Retained by Stripe per their standard retention policy (typically 7 years for financial records). We retain only the customer ID and subscription status in our D1 database.
GA4 analytics Retained for 14 months per Google's standard configuration, then automatically deleted from GA4 servers.

5. Your Rights (CCPA & GDPR)

Regardless of where you are located, you have the following rights with respect to your data:

Access

Request a copy of all personal data we hold about you. We will respond within 30 days.

Deletion

Request deletion of your account and associated data. We will purge your email, API keys, and usage records within 30 days. Note: Stripe financial records are retained per their legal obligations.

Correction

If we hold incorrect data about you, email us and we will correct it.

Opt Out of Analytics

You can opt out of Google Analytics tracking by installing the GA Opt-out Browser Add-on or using a content blocker. Opting out does not affect your ability to use the API.

Data Portability

Request your data in machine-readable format (JSON). We can provide your account data, API key history, and usage counts.

California residents: under CCPA, you have the right to know what personal information is collected, the right to delete, and the right to opt out of sale (we do not sell data). We do not discriminate against users who exercise these rights.

EEA/UK residents: the legal basis for processing your data is contractual necessity (delivering the API service you signed up for) and legitimate interests (security and fraud prevention). You have the right to lodge a complaint with your local supervisory authority.

6. Security

We take the security of your data seriously:

  • All traffic is encrypted in transit via TLS 1.3 (enforced by Cloudflare)
  • BYOK credentials encrypted at rest with AES-GCM using per-tenant keys
  • API keys are hashed (SHA-256) before storage — we cannot recover your plaintext key
  • Cloudflare WAF protects against injection, DDoS, and common attack patterns
  • Stripe handles all PCI-compliant payment processing — we are not in the card data path

No system is perfectly secure. In the event of a data breach affecting your personal information, we will notify you via email within 72 hours of becoming aware of the breach.

7. Cookies

The revaddress.com site uses a minimal cookie footprint:

Cloudflare (_cf_bm) Bot management cookie, expires after 30 minutes. Required for WAF.
Google Analytics (_ga, _gid) Session and user identification for GA4 analytics. _ga expires after 2 years, _gid after 24 hours.
Turnstile Bot challenge session cookie used at /signup. Session-scoped, expires on tab close.

The API at api.revaddress.com does not set cookies. All API authentication is via the X-API-Key header.

8. Changes to This Policy

If we make material changes to this policy, we will update the effective date and send an email notification to all registered users at least 14 days before the changes take effect. Minor clarifications (typos, improved wording that does not change the substance) will be updated without notice. The current version is always at revaddress.com/legal/privacy.

9. Contact

For privacy requests, data deletion, or questions:

Revasser Labs

New York, NY

[email protected]

We respond to all privacy requests within 5 business days.

Last updated: March 10, 2026

Terms of Service · Pricing · Get API Key