Privacy Policy

This policy explains how Cowdi Ltd (“we”, “us”, “our”), operating the Decode Hash service, collects, uses, stores, and protects your information.

Last updated: 13 March 2026

1. Who We Are

Decode Hash is a product of Cowdi Ltd, a private limited company registered in England and Wales (company number 16269890), with its registered office at 3rd Floor, 86-90 Paul Street, London, England, EC2A 4NE.

For the purposes of the UK GDPR, the EU General Data Protection Regulation (GDPR), and the Kenya Data Protection Act 2019, Cowdi Ltd is the data controller for the personal data we collect about you (such as your name, email, and account information). When you submit phone number hashes for lookup via our API, we act as a data processor on your behalf — we process the hash to return a result and do not retain it.

2. Information We Collect

When you create a Decode Hash account and use our API service, we collect the following types of information:

Account Information

When you register, we collect your name, email address, and password (stored as a cryptographic hash). If you sign in using a third-party provider (Google or GitHub), we receive your name and email address from that provider. This information is necessary to create your account, generate API keys, and communicate with you about your service.

API Usage Data

We record metadata about your API usage, including the number of requests made, timestamps, rate limit consumption, and truncated hash prefixes (the first 12 characters of submitted hashes) in activity logs for auditing and abuse prevention. We do not store full phone number hashes or the phone numbers returned in responses.

Payment Information

If you subscribe to a paid plan, payment processing is handled by Stripe. We do not store your full credit card number or bank details. We retain only the information needed to associate your Stripe subscription with your Decode Hash account (such as your Stripe customer ID and subscription status).

Technical Data

We automatically collect certain technical data when you access our website or API, including IP addresses, browser type, operating system, and referring URLs. This data helps us maintain security and improve our service.

4. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the Decode Hash API service, including authenticating your requests and enforcing rate limits
  • Process your phone hash lookup queries and return the corresponding phone numbers
  • Process payments and manage your subscription through Stripe
  • Send important service notifications, such as changes to your plan, usage alerts, or security notices
  • Monitor and analyse usage patterns to improve performance, reliability, and security of our API
  • Comply with legal obligations, including the Kenya Data Protection Act 2019, the UK GDPR, and where applicable the EU GDPR

We do not sell your personal data to third parties. We do not use your data for advertising or profiling purposes.

5. Data Processing

Decode Hash provides a phone hash lookup service. When you send a phone number hash to our API, here is how we handle that data:

  • Your submitted hash is processed in memory to identify the corresponding Kenyan phone number.
  • The matched phone number is returned to you in the API response.
  • We store a truncated hash prefix (first 12 characters) in activity logs for auditing and abuse prevention. We do not store the full hash or the resolved phone number.
  • Full query and result data is not written to disk, logged, or retained after the response is sent.

This design ensures that the sensitive data flowing through our system is ephemeral. For lookup queries, we act as a data processor on your behalf — we process the data to provide a result and do not retain it beyond the truncated prefix needed for audit.

6. Data Storage and Security

Your account data (name, email, hashed password, API keys, and usage counts) is stored in a PostgreSQL database managed by Supabase. Our infrastructure uses the following security measures:

  • All data in transit is encrypted using TLS (HTTPS for the API and dashboard)
  • Database access is restricted through role-based access controls and row-level security policies in Supabase
  • API keys are generated using cryptographically secure methods and stored as SHA-256 hashes
  • Passwords must be at least 8 characters long and include mixed case, numbers, and special characters; they are hashed using industry-standard algorithms before storage
  • Lookup query data is processed in memory and never persisted to disk

While we implement reasonable security measures to protect your data, no method of transmission or storage is completely secure. We encourage you to protect your API keys and account credentials.

7. Third-Party Services

We use the following third-party service providers to operate Decode Hash. Each provider processes data only as necessary to deliver the specific service described:

Supabase (Database & Authentication)

We use Supabase for user authentication and database hosting. Your account data is stored in Supabase-managed PostgreSQL databases in the EU (Zurich). Supabase's data handling practices are described in Supabase's Privacy Policy.

Stripe (Payment Processing)

We use Stripe to process payments and manage subscriptions. When you enter payment details, that information is sent directly to Stripe and is subject to Stripe's Privacy Policy. We do not have access to your full payment card details. Stripe is PCI DSS Level 1 certified.

Amazon Web Services (Data Storage)

Our phone number lookup database is stored in AWS S3 in the EU (Frankfurt, eu-central-1). This data is accessed read-only by our API servers. AWS's data handling practices are described in the AWS Privacy Notice.

Railway (API Hosting)

Our API backend is hosted on Railway's infrastructure. Railway processes API requests on our behalf. Railway's practices are described in the Railway Privacy Policy.

Google & GitHub (OAuth Authentication)

If you choose to sign in with Google or GitHub, we receive your name and email address from the provider. We do not receive your password or any other account data. You can revoke access at any time through the respective provider's settings.

We ensure that our third-party providers maintain appropriate data protection standards. We do not share your personal data with any other third parties except as required by law.

8. International Data Transfers

Cowdi Ltd is registered in the United Kingdom. Our primary infrastructure is located in the European Union:

  • Database (Supabase) — EU (Zurich, Switzerland)
  • Lookup data (AWS S3) — EU (Frankfurt, Germany)
  • API hosting (Railway) — may process data in the US or EU depending on the deployment region
  • Payment processing (Stripe) — Stripe may process data in the US under its certified adequacy mechanisms (UK-US Data Bridge and EU-US Data Privacy Framework)

Where personal data is transferred outside the UK or EEA, we rely on adequacy decisions, Standard Contractual Clauses (SCCs), or equivalent safeguards as required by applicable data protection law. For transfers to Kenya, we rely on the protections afforded by the Kenya Data Protection Act 2019.

9. Data Retention

We retain your data according to the following practices:

  • Account data (name, email, API keys) is retained for as long as your account is active. If you delete your account, this data is removed within 30 days.
  • Usage data (API call counts, timestamps, hash prefixes in activity logs) is retained for up to 12 months for billing and auditing purposes, after which it is aggregated and anonymised.
  • Payment records are retained as required by applicable tax and financial regulations (typically 7 years under UK HMRC requirements).
  • Lookup query data (full hashes and phone numbers) is not stored at all — it exists only in memory during processing and is discarded immediately after the response is sent.

10. Your Rights

Under the UK GDPR, the EU GDPR (where applicable), and the Kenya Data Protection Act 2019, you have the following rights regarding your personal data:

  • Right of access — You can request a copy of the personal data we hold about you.
  • Right to rectification — You can ask us to correct inaccurate or incomplete personal data.
  • Right to erasure — You can request that we delete your personal data. You can also delete your account directly from your dashboard.
  • Right to restrict processing — You can ask us to limit how we use your data in certain circumstances.
  • Right to data portability — You can request your data in a structured, commonly used, machine-readable format.
  • Right to object — You can object to our processing of your personal data where we rely on legitimate interests.
  • Right to withdraw consent — Where we process data based on your consent (e.g. OAuth sign-in), you can withdraw that consent at any time.

To exercise any of these rights, please contact us at privacy@cowdi.co. We will respond to your request within 30 days (UK GDPR) or as required by applicable law.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO), the Office of the Data Protection Commissioner of Kenya (ODPC), or where applicable, your local data protection authority.

11. Cookies

Decode Hash uses minimal cookies, limited to what is necessary for the service to function:

  • Authentication cookies — Used to keep you logged into the Decode Hash dashboard. These are essential for authentication and expire when you log out or after a set inactivity period.
  • Security cookies — Used to help prevent cross-site request forgery (CSRF) and other security threats.

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. We do not track you across other websites.

12. Children’s Privacy

The Decode Hash service is intended for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that we have inadvertently collected data from a child under 18, please contact us at privacy@cowdi.co and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make changes:

  • We will update the “Last updated” date at the top of this page.
  • For significant changes, we will notify you by email or through a notice in your dashboard.
  • Your continued use of the service after changes are posted constitutes acceptance of the updated policy.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us:

Data controller: Cowdi Ltd (company number 16269890)
Registered address: 3rd Floor, 86-90 Paul Street, London, EC2A 4NE, United Kingdom
Privacy enquiries: privacy@cowdi.co
General enquiries: hello@cowdi.co
Data Protection Officer: dpo@cowdi.co

We are committed to resolving any concerns you may have about your privacy and our collection or use of your personal data.