Skip to content
RevAddress

Privacy Policy

Effective date: March 10, 2026 · Revasser LLC · New York, NY

RevAddress is a USPS v3 REST API and native iOS app built by Revasser LLC. This policy covers both the API and the iOS app, describing exactly what data we collect, why we collect it, and what rights you have over it. No boilerplate. No filler.

1. What We Collect

Account & Signup

When you sign up at /signup, we collect your email address and pass it through Cloudflare Turnstile bot verification. We do not collect your name, phone number, or mailing address unless you contact us directly.

  • Email address (required to issue your API key and send transactional emails)
  • Turnstile challenge result (bot signal, not stored long-term)

Payment

Billing is handled entirely by Stripe. When you complete checkout, you are redirected to a Stripe-hosted page. We never see, store, or process your credit card number, CVV, or billing address. What we do receive from Stripe after a successful payment: your email address, Stripe customer ID, subscription plan, and billing status. These are stored in our Cloudflare D1 database solely to manage your API key access.

API Usage

Every request to api.revaddress.com is logged for rate limiting, billing enforcement, and service integrity. We record:

  • API key (hashed identifier — never the plaintext key after issuance)
  • Endpoint called (e.g., /addresses/validate, /tracking)
  • Request count per billing period
  • HTTP status codes returned
  • Timestamps (UTC)

We do not log the address data, tracking numbers, or package contents you pass through the API. The payload you send to USPS is proxied — we do not retain it.

BYOK Credentials (Pro & Enterprise)

If you use Bring Your Own Keys (BYOK), your USPS Developer Portal client ID and client secret are stored encrypted using AES-GCM with a per-tenant encryption key. The plaintext credentials are never written to disk or logs. They are decrypted in memory only at request time to exchange for a short-lived USPS OAuth token.

Website Analytics

We use Google Analytics 4 (measurement ID: G-G6FK8BDX4H) on the revaddress.com marketing site. GA4 collects standard browser telemetry: page views, session duration, referrer, approximate geographic region (country/city), and device type. This data is anonymized and used to understand which documentation and blog content is useful. We do not use GA4 on API endpoints.

Cloudflare also collects aggregate traffic analytics (request counts, error rates, geographic distribution) at the edge. This data does not include personal identifiers.

RevAddress iOS App

The RevAddress iOS app uses your device camera to scan and recognize addresses via Apple's VisionKit framework. Here is exactly what happens with your data:

  • Camera images are never uploaded or stored. All image processing happens entirely on your device using Apple's VisionKit and Vision frameworks. No camera data ever leaves your phone.
  • Extracted address text is sent to the RevAddress API (api.revaddress.com) for USPS validation. The text is processed transiently and not retained after the response is returned.
  • Saved addresses are stored locally on your device using Apple's SwiftData framework. They are never uploaded to our servers or any third party.
  • Subscription purchases are managed entirely by Apple through StoreKit 2. We receive your subscription status (active/expired, tier) but never your payment details. Apple's privacy policy governs all purchase data.
  • Scan usage counts (free tier daily limit tracking) are stored locally in UserDefaults on your device. We do not track how many scans you perform.
  • No analytics, no tracking, no advertising. The iOS app does not include any analytics SDK, ad network, or tracking framework. We do not collect device identifiers, location data, or usage telemetry from the app.

2. How We Use It

We use the data we collect for six purposes and nothing else:

  1. 01 Service delivery — authenticating API requests, enforcing rate limits, issuing and revoking API keys, routing BYOK credentials.
  2. 02 Billing — syncing Stripe subscription state to your API key access level, counting requests against your plan limit.
  3. 03 Transactional email — sending API key confirmation, billing receipts, and service notifications via Resend. We do not send marketing email unless you opt in explicitly.
  4. 04 Security & abuse prevention — detecting anomalous request patterns, blocking API key abuse, Cloudflare WAF enforcement.
  5. 05 Product improvement — aggregate, anonymized GA4 data to understand which features and documentation need work.
  6. 06 iOS app functionality — processing extracted address text from the RevAddress iOS app to validate against USPS records, managing subscription status via Apple StoreKit 2, and enforcing free tier scan limits locally on your device.

3. Third-Party Services

We use five third-party services. Each receives only the minimum data necessary for its function.

Stripe

Payment processing. Receives your email and payment method at checkout. Their privacy policy governs all payment data: stripe.com/privacy. We receive only subscription status and customer ID from Stripe webhooks.

Cloudflare

Hosting, DNS, WAF, CDN, Workers runtime, D1 database, and Turnstile bot verification. All API and site traffic passes through Cloudflare's global network. Their privacy policy: cloudflare.com/privacypolicy.

Google Analytics 4

Site analytics on revaddress.com only (measurement ID G-G6FK8BDX4H). Anonymized session data, page views, device type. IP anonymization is enabled. Google's data policy: policies.google.com/privacy.

Resend

Transactional email delivery. Receives your email address to send API key confirmations and billing notifications. We do not share any other personal data with Resend. Their privacy policy: resend.com/legal/privacy-policy.

Apple

Subscription and in-app purchase processing for the RevAddress iOS app via StoreKit 2. Apple receives your payment information and manages subscription billing. We receive only your subscription status (active, expired, tier) and transaction identifiers — never your payment details. Apple's privacy policy: apple.com/legal/privacy.

We do not sell your data to any third party. We do not use data brokers. We do not run advertising networks. These five services are the complete list of external data processors.

4. Data Retention

Email address Retained while your account is active. Deleted within 30 days of account termination on request.
API usage logs Request counts retained for 90 days (billing reconciliation). Detailed request logs (endpoint + status) retained for 30 days then purged.
BYOK credentials Deleted immediately when you remove BYOK from your account or terminate your subscription. AES-GCM encrypted at rest in Cloudflare Durable Objects.
Stripe records Retained by Stripe per their standard retention policy (typically 7 years for financial records). We retain only the customer ID and subscription status in our D1 database.
GA4 analytics Retained for 14 months per Google's standard configuration, then automatically deleted from GA4 servers.
RevAddress Camera images are never stored or transmitted. Extracted address text is processed transiently and not retained after the API response. Saved addresses and scan counts are stored locally on your device and deleted when you uninstall the app. Subscription status is managed by Apple per their retention policy.

5. Your Rights (CCPA & GDPR)

Regardless of where you are located, you have the following rights with respect to your data:

Access

Request a copy of all personal data we hold about you. We will respond within 30 days.

Deletion

Request deletion of your account and associated data. We will purge your email, API keys, and usage records within 30 days. Note: Stripe financial records are retained per their legal obligations.

Correction

If we hold incorrect data about you, email us and we will correct it.

Opt Out of Analytics

You can opt out of Google Analytics tracking by installing the GA Opt-out Browser Add-on or using a content blocker. Opting out does not affect your ability to use the API.

Data Portability

Request your data in machine-readable format (JSON). We can provide your account data, API key history, and usage counts.

California residents: under CCPA, you have the right to know what personal information is collected, the right to delete, and the right to opt out of sale (we do not sell data). We do not discriminate against users who exercise these rights.

EEA/UK residents: the legal basis for processing your data is contractual necessity (delivering the API service you signed up for) and legitimate interests (security and fraud prevention). You have the right to lodge a complaint with your local supervisory authority.

6. Security

We take the security of your data seriously:

No system is perfectly secure. In the event of a data breach affecting your personal information, we will notify you via email within 72 hours of becoming aware of the breach.

7. Cookies

The revaddress.com site uses a minimal cookie footprint:

Cloudflare (_cf_bm) Bot management cookie, expires after 30 minutes. Required for WAF.
Google Analytics (_ga, _gid) Session and user identification for GA4 analytics. _ga expires after 2 years, _gid after 24 hours.
Turnstile Bot challenge session cookie used at /signup. Session-scoped, expires on tab close.

The API at api.revaddress.com does not set cookies. All API authentication is via the X-API-Key header.

8. Changes to This Policy

If we make material changes to this policy, we will update the effective date and send an email notification to all registered users at least 14 days before the changes take effect. Minor clarifications (typos, improved wording that does not change the substance) will be updated without notice. The current version is always at revaddress.com/legal/privacy.

9. Contact

For privacy requests, data deletion, or questions:

Revasser LLC

New York, NY

[email protected]

We respond to all privacy requests within 5 business days.

Last updated: March 10, 2026

Terms of Service · Pricing · Get Free API Key