ServiceGraph

Privacy Policy

Last updated: 2026-05-04 · NostrCorp, Inc. (“we”, “us”), a Delaware corporation.

Scope

This policy covers ServiceGraph — the website at servicegraph.co, the API at api.servicegraph.co, the documentation console at docs.servicegraph.co, and any related skill installs distributed under the find-service-providers name.

Information we collect

  • Account email. Provided to issue an API token via the email + one-time-code flow. Stored case-insensitively.
  • API tokens. Stored as SHA-256 hashes; the plaintext token is shown to you once and never retained.
  • Usage logs. Per request: timestamp, source IP, endpoint, method-family rate-limit counters, response status. For /v1/search and /v1/get, the filter you used and which firms you viewed (firm IDs only, no PII), used to enforce monthly quotas and improve catalog ranking.
  • Browser local storage. The docs console stores your issued bearer token and a list of saved query strings on your device. These never leave your browser unless you explicitly send them in an API call.
  • Cookies. The marketing site sets none. Vercel and Cloudflare may set strictly-necessary cookies for routing and DDoS protection; we do not run analytics or advertising cookies.

What we do with it

  • Provide the service: authenticate you, enforce rate limits and quotas, return catalog data.
  • Prevent abuse: throttle, detect token theft, block malicious traffic.
  • Improve the catalog: aggregate firm-view signals to learn ranking. We use this in aggregate; we do not single out any user's identity in published ranking outputs.
  • Send transactional email: the one-time login code, sent via Postmark. We do not send marketing email.

What we do not do

  • We do not sell or rent your email or usage data to third parties.
  • We do not run ad targeting or profile-builder products.
  • We do not retain bearer-token plaintext.

Sharing with sub-processors

We use a small number of sub-processors strictly to operate the service:

  • Hetzner Online GmbH — server hosting (EU).
  • Cloudflare, Inc. — DNS, CDN, DDoS protection.
  • Postmark (ActiveCampaign LLC) — transactional email delivery for one-time login codes.
  • Vercel Inc. — static hosting for the marketing and docs sites.

We do not transfer personal data to other parties except as required by law.

Retention

  • Bearer tokens: 90 days from issue, or until you revoke them.
  • Login OTPs: 10 minutes; deleted after use.
  • Per-minute and per-day rate-limit counters: 7 days (oldest pruned automatically).
  • Calendar-monthly firm-view records and the firm-view signal log: 24 months for ranking research.
  • Account row: until you ask us to delete it.

Your rights

Depending on where you are based, you may have the right to access, correct, export, or delete personal data we hold about you (including under GDPR or CCPA-equivalent laws). To exercise any of these rights, email artur@servicegraph.co. We'll respond within 30 days.

Catalog content

The catalog is built from public web data — company websites, third-party directories, public business registries — and contains information about firms, not consumers. If you represent a firm and want a record corrected or removed, email artur@servicegraph.co with the apex domain and the requested change.

Changes to this policy

Material changes will be announced at the top of this page with a new “Last updated” date. Continued use of ServiceGraph after a change constitutes acceptance of the revised policy.

Contact

NostrCorp, Inc. — artur@servicegraph.co