Privacy Policy

Effective date: May 15, 2026

Last updated: May 19, 2026

This Privacy Policy explains how WellMarked ("WellMarked," "we," "us," or "our") collects, uses, shares, and protects personal information when you visit wellmarked.io, use the WellMarked API at api.wellmarked.io, or use any of our official client libraries and integrations — including the Python SDK on PyPI (wellmarked), the JavaScript / TypeScript SDK on npm (wellmarked), and the n8n community node (n8n-nodes-wellmarked) (together, the "Service").

This policy applies to personal information about our customers and prospective customers, visitors to our website, and individuals authorized to use the Service on behalf of a customer.

If you have any questions, contact us at [email protected].

1. The short version

We are a developer API company. We collect the information we need to run the API, bill you accurately, support you when things go wrong, and keep the Service secure. We do not sell personal information, we do not use your content to train machine-learning models, and we do not run ad-tech tracking on our site. Where the law gives you rights over your data, we honor those rights — see Section 8.

2. Information we collect

a. Information you give us

Account information. When you register, we collect your email address, a password (which we store as a salted hash), and optionally your name. If you sign up with Google or GitHub, we receive your email, name, and profile picture from that provider.
Billing information. If you subscribe to a paid plan, our payment processor Stripe collects your payment details directly. We do not see or store full card numbers. We store the Stripe customer ID associated with your account, your plan, and your invoice and transaction history (amount, currency, status, dates, the plan involved).
Team information. If you create a team on the Enterprise plan, we store the team name, the email and role of each member, invitation status, and when each member joined.
Communications. When you email support, fill in a form, or otherwise contact us, we keep that correspondence so we can respond and follow up.

b. Information we generate from your use of the Service

API keys. We generate API keys for your account and store a SHA-256 hash of each key, plus a short preview (the first and last few characters) for display in the dashboard. The raw key is shown to you exactly once when it is created or rotated and is not stored on our servers after that.
Request logs. For every API call to /extract, /bulk, and /crawl, we record the target URL you submitted, the response status code, the response time in milliseconds, the size in bytes of the returned content, and any error code. This is what powers your analytics dashboard, our rate limiting and metered billing, and our ability to debug problems.
Bulk and crawl job results. For bulk and crawl jobs, we temporarily store the extracted Markdown and metadata for each URL/page in the job, so you can poll the job to completion. These results are deleted 6 hours after the job finishes.
Usage counters and rate-limit state. We keep request counts per billing period in Redis to enforce plan quotas.
Notifications. We keep records of usage alerts and billing alerts we send to you.

c. Information we collect automatically

Technical information. When you use the website or API, we receive your IP address, the user agent string of your browser or HTTP client, request timestamps, and similar technical metadata. We use this for security, fraud prevention, rate limiting, and debugging.
Authentication metadata. When you log in to the website, we maintain a session via signed cookies (a JWT in an access_token cookie). We also record failed login attempts (the identifier used, the count, and any temporary lockout) to defend against brute-force attacks.
Cookies. See Section 7.

d. Content you submit

When you call the API, you submit URLs. The Service fetches those URLs from the public internet, extracts the main content, and returns it to you. We retain the URL and the metadata about each request (see "Request logs" above). For single-URL /extract calls, we do not retain the full extracted Markdown after we return it. For bulk jobs, we retain the extracted Markdown for 6 hours to support polling.

3. How we use information

We use personal information to:

Operate the Service. Authenticate you, run extractions you request, return results, enforce rate limits, and serve your dashboard.
Bill you and process payments. Calculate metered usage, send invoices through Stripe, and reconcile transactions.
Communicate with you. Send service-related notices (e.g., usage alerts, billing alerts, password resets), respond to support requests, and announce material changes to the Service or these policies.
Improve the Service. Diagnose issues, monitor performance, and understand which features are used. We rely on aggregated request logs and analytics, not on the substantive content of extracted pages.
Keep the Service secure. Detect, prevent, and respond to fraud, abuse, attacks, and violations of our Terms of Service.
Comply with the law. Meet our legal, tax, accounting, and reporting obligations, and respond to lawful requests from authorities.

We do not use the URLs you submit or the content we extract to train machine-learning models. We do not sell personal information.

4. Legal bases for processing (EEA/UK users)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process personal information on one or more of the following legal bases under the GDPR:

Performance of a contract — to provide the Service to you under our Terms of Service (Article 6(1)(b)).
Legitimate interests — to secure the Service, prevent abuse, improve our product, and run our business, where those interests are not overridden by your rights (Article 6(1)(f)).
Legal obligation — to comply with applicable laws, including tax and accounting rules (Article 6(1)(c)).
Consent — for any processing where we ask for and you give consent, which you may withdraw at any time (Article 6(1)(a)).

We share personal information only as described below.

Service providers (sub-processors)

We use vetted third-party service providers to run the Service. Each is bound by contract to handle personal information consistent with this policy. Current sub-processors include:

Sub-processor	Purpose	Data involved
Stripe	Payment processing and metered billing	Email, name, billing address, payment method, transaction history
Railway	Application hosting and infrastructure	All Service data while in operation
Resend	Transactional email (password resets, usage and billing alerts)	Email, subject and body of transactional emails
Google	Optional sign-in via OAuth	Email, name, profile picture (if you choose Google sign-in)
GitHub	Optional sign-in via OAuth	Email, name, profile picture (if you choose GitHub sign-in)

We will keep this list current. If we add or change a sub-processor in a way that materially affects how we process personal information, we will update this policy and, where required, notify affected customers.

Other sharing

At your direction. If you submit personal information through the Service (e.g., add a colleague to a team), we share it as you direct.
Legal requests. We may disclose information when we are required by law, court order, or valid government request. Where we can, we will notify you before disclosure so you can challenge the request.
Corporate transactions. If we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction. We will notify you (and provide choices where required by law) before any transfer of your personal information becomes subject to a different privacy policy.
To protect the Service and others. We may share information when we believe in good faith that doing so is necessary to investigate or prevent fraud, abuse, security incidents, or threats to the safety of any person, or to enforce our Terms of Service.

We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act.

6. International data transfers

We operate the Service from infrastructure that may process and store data in the United States and other countries. If you access the Service from outside those countries, your personal information may be transferred internationally.

Where we transfer personal information out of the EEA, the UK, or Switzerland, we rely on appropriate safeguards — typically the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or an equivalent mechanism — to protect your data.

7. Cookies and similar technologies

We use a small number of strictly necessary cookies on the website. We do not use third-party advertising cookies, behavioral tracking pixels, or cross-site tracking.

Cookie	Purpose	Type
`access_token`	Maintains your signed-in session via a short-lived JWT	Strictly necessary
Refresh token	Renews your session without making you log in again	Strictly necessary

We may also use browser sessionStorage to cache your API key for the duration of a browser tab so you don't lose it while navigating the dashboard. This is data stored in your browser, not transmitted to us.

If your browser sends a Do Not Track or Global Privacy Control signal, we treat it as a request not to "sell" or "share" personal information for advertising — which is consistent with what we already do (we don't do that).

8. Your rights

Depending on where you live, you may have rights regarding your personal information. We honor the following requests from anyone who uses the Service, regardless of jurisdiction, except where we are required by law to retain certain data:

Access. Request a copy of the personal information we hold about you.
Correction. Ask us to correct inaccurate personal information.
Deletion. Ask us to delete your personal information and close your account. Self-service: you can do this yourself from Settings → Danger zone → Delete account on the dashboard, or programmatically via DELETE /api/account. Either path immediately cancels any active subscription, refunds the prorated unused portion of your last payment to the original payment method, and erases your profile, API keys, extraction history, notifications, and team memberships.
Portability. Ask for a copy of your personal information in a machine-readable format.
Restriction or objection. Ask us to limit how we use your personal information or object to specific processing.
Withdraw consent. Withdraw any consent you previously gave (without affecting the lawfulness of processing already done).

To exercise any of these rights, email [email protected] from the email address on your account. We will respond within the timeframes required by applicable law (typically 30 days, extendable in limited circumstances). We will not discriminate against you for exercising these rights.

EEA/UK residents have the right to lodge a complaint with their local data protection authority. We would appreciate the chance to address concerns first, but you can complain to a regulator at any time.

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the rights to know, delete, correct, and limit the use of sensitive personal information, and the right not to be retaliated against for exercising those rights. We do not sell or share personal information as those terms are defined under the CCPA. If you need to make a CCPA request, email [email protected]. You may authorize an agent to make a request on your behalf with appropriate verification.

9. Retention

We keep personal information only as long as we need it for the purposes described in this policy or as required by law.

Data category	Retention
Account profile	While your account is active. Deleted or anonymized within 30 days after you close the account.
Hashed API keys	Same as account. Rotated keys are deleted immediately.
Request logs	Up to 13 months, to support a full year of analytics. May be deleted earlier on request.
Bulk job results	6 hours after the job completes.
Billing records	Up to 7 years, as required by tax and accounting laws.
Login attempts	Up to 30 days after the last attempt.
OAuth state, password reset tokens	Minutes to hours; deleted after they are used or expire.
Support correspondence	Up to 3 years after the last interaction.

After these periods, we delete or anonymize the data. Anonymized aggregates that no longer identify any individual may be retained indefinitely for analytics and product research.

10. Security

We take reasonable technical and organizational measures to protect personal information. Among other things:

Passwords are stored as salted hashes; we never store passwords in plaintext.
API keys are stored as SHA-256 hashes. We cannot recover the raw value of a lost key — you can only rotate to issue a new one.
All traffic to wellmarked.io and api.wellmarked.io is served over HTTPS, with HSTS, strict referrer policy, and standard browser security headers.
We rate-limit registration and login endpoints, and we track failed login attempts to defend against brute-force attacks.
We use signed, scoped service-to-service secrets between our backend services.
Access to production data inside our team is limited to the people who need it to operate the Service.

No security program can guarantee absolute protection. If we become aware of a security incident that affects your personal information, we will notify you and the appropriate regulators as required by applicable law.

11. Children's privacy

The Service is intended for developers and businesses and is not directed to children. We do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a child, please contact us at [email protected] and we will delete it.

12. Third-party content

The Service fetches content from URLs you submit. The privacy practices of those third-party websites are not covered by this policy. You should consult the privacy policies and terms of any site whose content you submit to the Service.

13. Automated decision-making

We do not make decisions about you that produce legal or similarly significant effects using solely automated processing.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a notice in the dashboard at least 14 days before the changes take effect. The "Effective date" and "Last updated" dates at the top of this policy identify the most recent version. We keep prior versions available on request.

15. How to contact us

Questions, requests, or complaints about this policy or our handling of personal information can be sent to:

Email: [email protected]
Support: [email protected]
Postal address: Provided on request to verified inquirers — please email [email protected] first so we can verify your identity before sharing it.