Privacy Policy

Last Updated: March 02, 2026

1. Introduction

API Pilot ("we", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our product, API Pilot: Interceptor, Mocker & Tester ("the Service").

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Password (hashed using bcrypt and securely stored)

2.2 API Request Data

The browser extension intercepts and captures API request data locally on your device. Supported data types include:

  • HTTP Headers
  • Request/Response Bodies (JSON, Text)
  • URLs, Query Parameters, and Timing Information
  • Environment Variables (stored locally)
  • Concurrency Test Results (stored locally)

Important: All intercepted API data is processed and stored locally in your browser using IndexedDB. We do NOT collect, transmit, or store your API data on our servers. Your request history never leaves your device.

2.3 Usage Analytics & Tracking

No Tracking Policy: We do NOT collect, store, or transmit any usage analytics, telemetry data, or behavioral tracking. The extension operates entirely locally.

2.4 Payment Information

Payment processing is handled by Dodo Payments. We do not store your credit card information. We only receive transaction confirmation and subscription status.

2.5 Support Tickets

When you contact support, we store:

  • Your messages and support requests
  • Screenshots you voluntarily upload
  • Ticket metadata (status, priority, category)

3. How We Use Your Information

We use collected information for:

  • Providing and maintaining the Service
  • Processing your subscription and payments
  • Responding to support requests
  • Sending important account notifications
  • Preventing fraud and abuse

4. Data Storage and Security

Local-First Architecture: We implement industry-standard security measures to protect your data:

  • Local Storage: All intercepted API data is stored locally in your browser's IndexedDB.
  • Account security: All account passwords are hashed using bcrypt (never stored in plain text)
  • Transmission security: All communication with our auth/payment servers uses HTTPS/TLS encryption

5. Data Sharing and Third Parties

We do NOT sell your personal information. We only share data with:

  • Dodo Payments: For payment processing (required for subscriptions)
  • Cloud Hosting Provider: For server infrastructure (data is encrypted)
  • Legal Authorities: If required by law or to protect our rights

6. Your Rights and Choices

You have the right to:

  • Access: View your account data at any time
  • Export: Download your stored data directly from the app
  • Delete: Request account deletion (removes all associated server data) or clear local storage
  • Correct: Update your account information

To exercise these rights, contact us at apipilot@nhrdev.com

7. Data Retention

Minimal Data Retention: We retain only the minimum data necessary for service operation:

  • Account data: Until you delete your account
  • Local API Data: Retained on your device until you clear it locally.
  • Support tickets: For 2 years after resolution
  • Payment records: As required by law (typically 7 years)

8. Browser Extension Permissions

Local-Only Operation: Our extension operates entirely within your browser and never transmits your API data to external servers. The extension requires these permissions:

  • Declarative Net Request: To intercept and modify network requests for debugging
  • Side Panel: To display the extension's main interface alongside your active tabs
  • Active Tab & Tabs: To inject scripts for request monitoring and intelligently manage the UI on restricted pages
  • Scripting: To programmatically inject mock payloads into the active page environment
  • Storage & Unlimited Storage: To securely store your API request history, custom mocks, and preferences locally on your device
  • Cookies: To allow the Quick API Tester to securely read and append active session cookies to outgoing requests
  • <all_urls> (Host Permission): To intercept and mock network traffic for your applications across any development, staging, or production environment you configure

These permissions are necessary for core functionality. The extension only accesses your network requests for the purpose of debugging and never collects, tracks, or reports any usage data to external services.

9. Children's Privacy

Our Service is not intended for users under 13 years of age. We do not knowingly collect information from children under 13. If you believe we have collected such information, please contact us immediately.

10. International Users

Our servers are located in Singapore. By using the Service, you consent to the transfer of your information to our servers. We comply with applicable data protection laws.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

  • Posting the new policy on this page
  • Updating the "Last Updated" date
  • Sending an email notification for major changes

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

  • Email: apipilot@nhrdev.com
  • Support: Use the in-app support ticket system

© 2026 API Pilot. Open Source.
