Legal

Privacy Policy

This policy explains how Decode Hash collects, uses, stores, and protects your information when you use our phone hash lookup API service.

Last updated: March 2026

1. Information We Collect

When you create a Decode Hash account and use our API service, we collect the following types of information:

Account Information

When you register, we collect your name, email address, and password (stored as a hash). This information is necessary to create your account, generate API keys, and communicate with you about your service.

API Usage Data

We record metadata about your API usage, including the number of requests made, timestamps, response status codes, and rate limit consumption. We do not store the phone number hashes you submit or the phone numbers returned in response.

Payment Information

If you subscribe to a paid plan, payment processing is handled by Stripe. We do not store your full credit card number or bank details. We retain only the information needed to associate your Stripe subscription with your Decode Hash account (such as your Stripe customer ID and subscription status).

Technical Data

We automatically collect certain technical data when you access our website or API, including IP addresses, browser type, operating system, and referring URLs. This data helps us maintain security and improve our service.

2. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the Decode Hash API service, including authenticating your requests and enforcing rate limits
  • Process your phone hash lookup queries and return the corresponding phone numbers
  • Process payments and manage your subscription through Stripe
  • Send important service notifications, such as changes to your plan, usage alerts, or security notices
  • Monitor and analyze usage patterns to improve performance, reliability, and security of our API
  • Comply with legal obligations, including the Kenya Data Protection Act 2019 and, where applicable, the EU General Data Protection Regulation (GDPR)

We do not sell your personal data to third parties. We do not use your data for advertising or profiling purposes.

3. Data Processing

Decode Hash provides a phone hash lookup service. When you send a phone number hash to our API, here is how we handle that data:

  • Your submitted hash is processed in memory to identify the corresponding Kenyan phone number.
  • The matched phone number is returned to you in the API response.
  • We do not store the hash you submitted or the phone number returned. Only the fact that a lookup occurred is recorded (for usage counting and rate limiting).
  • Query and result data is not written to disk, logged, or retained after the response is sent.

This design ensures that the sensitive data flowing through our system is ephemeral. We act as a data processor for the lookup queries: we process data on your behalf but do not retain it.

4. Data Storage and Security

Your account data (name, email, hashed password, API keys, and usage counts) is stored in a PostgreSQL database managed by Supabase. Our infrastructure uses the following security measures:

  • All data in transit is encrypted using TLS (HTTPS for the API and dashboard)
  • Database access is restricted through role-based access controls and row-level security policies in Supabase
  • API keys are generated using cryptographically secure methods
  • Passwords are hashed using industry-standard algorithms before storage
  • Lookup query data is processed in memory and never persisted to disk

While we implement reasonable security measures to protect your data, no method of transmission or storage is completely secure. We encourage you to protect your API keys and account credentials.

5. Third-Party Services

We use the following third-party service providers to operate Decode Hash:

Stripe

We use Stripe to process payments and manage subscriptions. When you enter payment details, that information is sent directly to Stripe and is subject to Stripe's Privacy Policy. We do not have access to your full payment card details.

Supabase

We use Supabase for authentication and database hosting. Your account data is stored in Supabase-managed PostgreSQL databases. Supabase's data handling practices are described in Supabase's Privacy Policy.

We ensure that our third-party providers maintain appropriate data protection standards. We do not share your personal data with any other third parties except as required by law.

6. Data Retention

We retain your data according to the following practices:

  • Account data (name, email, API keys) is retained for as long as your account is active. If you delete your account, this data is removed within 30 days.
  • Usage data (API call counts, timestamps) is retained for up to 12 months for billing and analytics purposes, after which it is aggregated and anonymized.
  • Payment records are retained as required by applicable tax and financial regulations (typically 7 years).
  • Lookup query data (hashes and phone numbers) is not stored at all — it exists only in memory during processing and is discarded immediately after the response is sent.

7. Your Rights

Under the Kenya Data Protection Act 2019 and the GDPR (where applicable), you have the following rights regarding your personal data:

  • Right of access — You can request a copy of the personal data we hold about you.
  • Right to rectification — You can ask us to correct inaccurate or incomplete personal data.
  • Right to erasure — You can request that we delete your personal data. You can also delete your account directly from your dashboard.
  • Right to restrict processing — You can ask us to limit how we use your data in certain circumstances.
  • Right to data portability — You can request your data in a structured, commonly used, machine-readable format.
  • Right to object — You can object to our processing of your personal data in certain circumstances.

To exercise any of these rights, please contact us at privacy@cowdi.co. We will respond to your request within 30 days, as required by the Kenya Data Protection Act.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya (ODPC) or, where applicable, your local data protection authority.

8. Cookies

Decode Hash uses minimal cookies, limited to what is necessary for the service to function:

  • Session cookies — Used to keep you logged into the Decode Hash dashboard. These are essential for authentication and expire when you log out or after a set inactivity period.
  • Security cookies — Used to help prevent cross-site request forgery (CSRF) and other security threats.

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. We do not track you across other websites.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make changes:

  • We will update the “Last updated” date at the top of this page.
  • For significant changes, we will notify you by email or through a notice in your dashboard.
  • Your continued use of the service after changes are posted constitutes acceptance of the updated policy.

10. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us:

General inquiries: hello@cowdi.co
Data Protection Officer: dpo@cowdi.co

We are committed to resolving any concerns you may have about your privacy and our collection or use of your personal data.