How we treat your data.
Plain English. What we collect, what we don't, how long we hold it, and who else sees it. If a clause sounds like a lawyer wrote it, that's a bug — tell us at privacy@sipsalabs.com.
Who we are.
Sipsa Labs, Inc. ("Sipsa Labs", "we", "us") is a research lab. We ship UltraCompress (PyPI: ultracompress) under BUSL-1.1 for v0.6+ and Apache 2.0 for the frozen v0.5.x line, and we operate the inference API at api.sipsalabs.com. Our compression technology is patent-pending; patent details do not change how we handle data. This policy covers everything in the sipsalabs.com domain and the inference API. The PyPI package itself runs entirely on your machine and ships no telemetry.
What we collect — and what we don't.
We try to collect the minimum needed to bill, authenticate, and stop fraud. Here is the full list. If a row is not in this table, we are not collecting it.
| Data class | Source | Why |
|---|---|---|
| Email address | You enter it at signup or when emailing us. | Account ownership, transactional email (key minted, credits low, billing receipt), customer support. |
| Hashed API key | We mint the key for you. We store only its sha256 hash; the raw key is shown to you exactly once. | Authenticate requests, attribute usage to your account. |
| Per-request usage rows | Recorded server-side at completion: model name, input + output token counts, latency in ms, computed cost in USD, timestamp. | Billing, invoicing, debugging, abuse detection. |
| HTTP request log | Recorded server-side: model requested, HTTP status code, timestamp, IP address. | Rate limiting, fraud / abuse signals, error diagnosis. |
| Payment data | Stripe Checkout handles the card flow end-to-end. Stripe sends us a customer ID, a charge ID, and the dollar amount. We never see, touch, or store card numbers. | Top up your prepaid credit balance. |
| Customer prompts + completions | Sent to api.sipsalabs.com on each inference call. | Required transiently to generate the response. By default we do not persist them. Token counts get logged; the text does not. Opt-in debug logging exists for paid customers who explicitly request it; we ask in writing first. |
What we do NOT collect:
- No third-party analytics on the website. No Google Analytics, no Mixpanel, no Segment, no Hotjar, no Plausible.
- No advertising tracking pixels (Meta, Google Ads, TikTok, X). No advertising network sees you on our domains.
- No browser fingerprinting beyond the User-Agent / IP that any web server records by default.
- No sale of any data to anyone, ever. (See section 06 on CCPA — we don't sell, period.)
- No training-data collection. Your prompts are not used to train any model, ours or anyone else's.
How long we keep it.
We delete or aggregate on the schedules below. These are not aspirational; they are wired into the database and the cleanup jobs.
| Data class | Retention | What happens after |
|---|---|---|
| Email address | Until you delete the account, or 24 months after last login (whichever comes first). | Hard-deleted from api_keys.owner_email; usage rows become anonymous. |
| API key (hashed) | Active until you rotate or revoke it. Revoked keys retained 30 days for audit, then deleted. | Row removed. |
| Raw HTTP request log (with IP) | 30 days. | IP truncated to /24 (IPv4) or /48 (IPv6); row kept for usage analytics only. |
| Per-request usage rows | 12 months in detail (for invoice reconciliation and customer dispute response). | Aggregated to monthly totals per key; per-request rows deleted. |
| Payment / billing records | 7 years (US tax + audit requirement). Stripe is the system of record; we mirror only the IDs and dollar amounts needed to reconcile your balance. | Retained per IRS recordkeeping standards. |
| Customer prompts + completions | Not stored. Held in memory only for the duration of the request. If you opt in to debug logging in writing, we retain for the agreed window (default: 14 days), then hard-delete. | N/A. |
| Email correspondence with us | 36 months in our inbox (Gmail), then archived offline indefinitely for legal defense and contract memory. | Available for export on request. |
We hold the 30-day raw IP log because it lets us detect fraud and rate-limit abusive callers. We are not deleting it on the spot. If that's a deal-breaker for your compliance team, email privacy@sipsalabs.com — we can negotiate shorter windows in a Data Processing Agreement under NDA.
Sub-processors.
These vendors process some piece of your data on our behalf. We list every one. If we add a sub-processor, this list updates with at least 30 days notice via email to active customers.
| Vendor | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. (US) · privacy | Payment processing (one-time credit top-ups via Stripe Checkout). | Email address, billing details you enter, card data (Stripe-hosted; never sent to our servers). |
| Resend (US) · privacy | Transactional email (signup confirmation, key minted, credits-low, receipts). | Email address, the message we send. |
| Cloudflare, Inc. (US) · privacy | DNS, the secure tunnel that fronts api.sipsalabs.com, DDoS protection. | IP address, request headers, in-flight HTTPS traffic (terminated at the Cloudflare edge). |
| Vercel, Inc. (US) · privacy | Static hosting for sipsalabs.com. | IP address + standard server logs from page visits. |
| Google LLC (Workspace + Gmail) (US) · privacy | Inbound email at the @sipsalabs.com aliases. | Email content you send to us. |
| Local sqlite database (on Sipsa Labs hardware, US) | System of record for accounts, hashed keys, usage rows. Not a third-party processor; listed for completeness. | All operational data classes above except prompts/completions. |
How we secure it.
- TLS 1.2+ everywhere in transit. The website and API only accept HTTPS. Cloudflare terminates the public TLS leg; the link from Cloudflare to our origin runs over an authenticated tunnel.
- API keys are sha256-hashed at rest. The raw key exists in plaintext only at the moment we mint it and hand it to you. We literally cannot recover it — lose it, rotate it.
- No card data on our servers. Stripe Checkout owns the card flow; we get an opaque charge ID. PCI scope on our side is therefore SAQ-A (the lightest tier).
- Single-admin access at MVP scale. One founder, one box, one SSH key, hardware-backed. As we hire, this section will list the access matrix; for now we are honestly small and we say so.
- Encrypted backups. Daily encrypted off-box backups of the sqlite database; key material held by the founder.
- Reproducibility verifier. Every shipped UltraCompress artifact carries a sha256 manifest so you can verify reproducible reconstruction yourself.
We are pre-Series-A. We do not have a SOC 2 report yet. We will pursue SOC 2 Type 1 once we have a customer who needs it; we will not pretend to have it before then. If your security review needs a SOC 2 letter today, tell us — we can scope a Type 1 audit and split the timeline.
Your rights.
If you live in the EU / EEA / UK (GDPR), California (CCPA / CPRA), or another jurisdiction with data-protection law, you have rights against us as your data controller. We apply these rights globally regardless of where you live.
- Access. Email privacy@sipsalabs.com with the email address on your account. We return your full record within 30 days.
- Deletion. Same email, same address. Account deleted within 30 days. Billing records retained per the 7-year tax window noted above; we'll tell you exactly what we kept and why.
- Portability. Your data is exported as JSON.
- Correction. Wrong email on file? Wrong invoice address? Same email, we fix it.
- Objection / withdrawal of consent. Stop using the service; we stop processing. Combine with a deletion request to also clear the record.
- Do-not-sell (CCPA). N/A — we do not sell, rent, or share personal information for advertising or any other purpose. Nothing to opt out of.
- Right to lodge a complaint. EU / UK residents may complain to their local supervisory authority. We would prefer you tell us first so we can fix it.
International transfers.
Sipsa Labs operates from the United States. Our database, our compute, and our backups all live on US-based infrastructure. If you sign up from the EU / EEA / UK, your data will be transferred to the US. For enterprise EU customers we can sign Standard Contractual Clauses (the EU-approved transfer mechanism). Email privacy@sipsalabs.com for the SCC packet.
Cookies.
The website (sipsalabs.com) sets no first-party cookies and no tracking cookies. Cloudflare may set a session cookie (__cf_bm) on the API endpoint for bot management; this is the only cookie path you will see from us. We don't run a cookie-consent banner because we don't have cookies that need consent.
Children.
Sipsa Labs is a developer-tools service for adults building software. We do not knowingly collect data from anyone under 16 (GDPR-K) or under 13 (US COPPA). If you believe a child has signed up, email privacy@sipsalabs.com and we will delete the account.
Breach response.
If we discover a security incident affecting your data, we will:
- Contain the incident first — rotate keys, isolate the affected component.
- Notify affected customers within 72 hours of confirmation (the GDPR window), with what we know, what we don't, and what we did about it.
- Publish a public post-mortem on our security page within 14 days unless an active law-enforcement matter prevents it.
Reporting a vulnerability? Email security@sipsalabs.com. We don't run a paid bug bounty yet but we credit responsible reporters publicly with their consent.
Contact us.
Changes to this policy.
Material changes get notified by email to active customers at least 30 days before they take effect. Cosmetic edits (typos, link fixes, clearer wording) ship without notice and are noted in the changelog below.
Not legal advice.
This document is written by the founder in plain English for a working developer audience. It is not legal advice and it has not been reviewed by a privacy lawyer as of the effective date. If you are relying on this for a regulatory compliance defense, GDPR audit, vendor-security questionnaire, or contract negotiation, hire your own counsel and ask us for whatever clarification you need. We will answer in writing.