1. Overview
This policy describes how HashScraper ("we", "us") collects, processes, and protects data in connection with the MCP API service. We are committed to compliance with applicable data protection regulations including GDPR (EU), CCPA (California), and PIPA (Korea).
2. Data We Collect
2.1 Account Data
- Email address — for authentication and billing communications.
- Payment information — processed by Polar.sh; we do not store card details.
- API key hashes — SHA-256 hashes only; raw keys are never stored.
2.2 Usage Data
- Request metadata — timestamp, target URL, response status, credits charged, tool name.
- Rate limit counters — temporary cache data (TTL ≤ 60 seconds).
- Daily usage summaries — aggregated request counts per user per day.
2.3 Data We Do NOT Collect
- We do not store the scraped content returned to you.
- We do not log request/response bodies.
- We do not sell or share your data with third parties for marketing purposes.
3. How We Use Your Data
- Service delivery — authentication, credit billing, rate limiting.
- Service improvement — aggregated analytics to improve reliability and performance.
- Billing & support — transaction records, credit threshold notifications.
- Security — fraud detection, abuse prevention, audit logging.
4. Data Retention
| Data Type |
Retention Period |
| Account data |
Until account deletion + 30 days |
| Usage records (detailed) |
90 days (partitioned, auto-pruned) |
| Daily usage summaries |
1 year |
| Credit ledger |
3 years (financial records) |
| Cache data |
5 minutes (key cache) to 60 seconds (rate limit) |
5. Data Security
- All API communication is encrypted via TLS 1.2+.
- API keys are stored as SHA-256 hashes (raw keys are never persisted).
- Webhook signatures are verified using constant-time comparison to prevent timing attacks.
- Database access is restricted to application-level credentials with least-privilege permissions.
6. Your Rights (GDPR / CCPA / PIPA)
Depending on your jurisdiction, you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate personal data.
- Erasure — request deletion of your account and associated data.
- Portability — receive your data in a machine-readable format.
- Restriction — limit processing of your data under certain circumstances.
- Opt-out of sale (CCPA) — we do not sell personal data; no opt-out required.
To exercise any of these rights, contact help@hashscraper.com. We will respond within 30 days.
7. Scraped Content Responsibility
When you use the Service to scrape websites, you are the data controller for any personal data contained in the scraped content. We act as a data processor, executing scrape requests on your behalf. You must:
- Ensure a lawful basis for processing any personal data you collect.
- Comply with the privacy policies and terms of service of target websites.
- Not use the Service to systematically collect personal data without consent where required by law.
8. Third-Party Services
- Polar.sh — payment processing (Privacy Policy).
- Google Analytics — website analytics (landing page only, not API requests).
9. Changes to This Policy
We may update this policy periodically. Material changes will be notified via email at least 30 days in advance.