Privacy Policy
Effective: June 2, 2026
Introduction
This Privacy Policy describes how Two Minute Warning LLC ("we", "us") collects, uses, and protects personal data when you use the Two Minute Warning Service ("the Service"). We collect as little as we can to operate the Service and keep your account safe, and we don't sell personal data.
1. Data we collect
Provided by you
| Data | When |
|---|---|
| Email address | Account creation; ongoing for notifications. |
| Password (free tier signup) | Stored only as a bcrypt hash. We never store plaintext passwords. |
| Billing address & tax info | Collected by Stripe during checkout. We see only your billing country/state for tax computation, not your card details. |
Generated by your use of the Service
| Data | Purpose |
|---|---|
| API key (hashed) | We store only a bcrypt hash of your key and the first 14 characters as a display prefix. The plaintext is shown to you once and not stored. |
| Per-day API request count | Rate-limit enforcement and overage billing. |
| "Last used" timestamp | Shown in your dashboard. |
| Stripe customer ID and subscription ID | Tie your account to your Stripe billing record. |
Collected automatically
| Data | Purpose |
|---|---|
| IP address & user-agent (on API requests and dashboard visits) | Security, abuse prevention, basic operational telemetry. Not used for advertising or profiling. |
| Operational request logs | Short-window logs (typically < 30 days) used for debugging and incident response. |
Data we deliberately do NOT collect
- We do not see the contents of the requests you make beyond the entity ID or query parameters that affect routing. We do not log the response bodies we serve to you.
- We do not see your card details - Stripe handles payment data in compliance with PCI-DSS.
- We do not track or fingerprint visitors to
2mw.io's public pages (pricing, docs, terms, privacy) for marketing or analytics. - We do not sell, rent, or trade personal data with any third party for any purpose.
2. How we use your data
- Provide the Service. Authenticate API requests, enforce rate limits, send service-related email (welcome, sign-in links, billing receipts via Stripe).
- Bill you. Process payments via Stripe (cards, taxes, invoices). We retain Stripe customer/subscription IDs to coordinate billing actions.
- Security & abuse prevention. Detect suspicious activity, prevent fraud, defend against attacks on the Service.
- Comply with law. Respond to lawful requests from authorities; meet tax, accounting, and regulatory requirements.
- Improve the Service. Aggregate, anonymized request patterns help us debug and optimize. We never use this data to profile individual customers.
3. Legal basis for processing (EU/UK residents)
Under GDPR, we process your personal data on the following legal bases:
- Contract. Most processing (account creation, authentication, rate limiting, billing) is necessary to deliver the Service you signed up for.
- Legitimate interests. Security, fraud prevention, and operational improvements, balanced against your privacy.
- Legal obligation. Tax records, billing records, and responding to lawful information requests.
- Consent. Only used where required (e.g. opt-in marketing emails, if you choose to subscribe).
4. Who we share data with
We share personal data only with the service providers ("subprocessors") needed to operate the Service. We do not sell data to anyone.
| Subprocessor | Purpose | Data shared |
|---|---|---|
| Stripe Inc. (US) | Payment processing, tax computation, customer billing portal | Email, billing address, payment-method details (entered by you on Stripe) |
| Cloudflare Inc. (US) | CDN, DNS, edge security, Cloudflare Pages hosting for our public storefront | IP address, user-agent, request headers (transient) |
| Amazon Web Services (US) | Transactional email delivery (Amazon SES) for sign-in links and billing notifications | Email address, message content |
| Our hosting + database provider | Server infrastructure for the API and account database | All account and request data described above; segregated by access controls |
We also share data when legally required (e.g. valid court order, subpoena) or to protect rights, safety, or the integrity of the Service.
5. Data retention
- Account data (email, hashed password, hashed API key) - kept while your account is active and for up to 30 days after deletion (in case of accidental closure), then purged.
- Billing records - retained for the period required by applicable tax and accounting law (typically 7 years for US records).
- API usage counters - retained for the current billing period plus 90 days for billing reconciliation, then aggregated to monthly totals; raw daily counters older than that may be deleted.
- Operational request logs - typically purged on a rolling 30-day window.
6. Security
- Passwords stored only as bcrypt hashes.
- API keys stored only as bcrypt hashes; plaintext is shown to you once and never retained.
- All data in transit between your client and the Service is encrypted (HTTPS / TLS 1.2+).
- Session tokens used by the dashboard are short-lived (24-hour HMAC-signed) and stored client-side in localStorage; we do not persist a server-side session.
- Access to our infrastructure is restricted, audited, and authenticated.
No system is perfectly secure. If we become aware of a personal-data breach affecting you, we will notify you and the appropriate authorities as required by law (in the EU/UK, within 72 hours where feasible).
7. Your rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access. Request a copy of the personal data we hold about you.
- Rectification. Correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"). Have your account and associated data deleted.
- Restriction. Limit how we process your data in specific situations.
- Portability. Receive your data in a portable, machine-readable format.
- Object. Object to processing based on legitimate interests, including for direct marketing.
- Withdraw consent. Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact [email protected]. We will respond within 30 days. Routine actions (rotating your API key, signing out) can also be done directly from your dashboard.
If you live in the EU/UK and believe we are mishandling your personal data, you also have the right to lodge a complaint with your local data-protection authority.
8. California residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect about you and how we use it.
- Request deletion of your personal information (with statutory exceptions, e.g. billing records).
- Request correction of inaccurate personal information.
- Opt out of "sale" or "sharing" of personal information - we do not sell or share personal information for cross-context behavioral advertising, but you may confirm or formally opt out at any time.
- Non-discrimination - we will not deny service or charge a different price for exercising these rights.
To exercise these rights, contact [email protected]. We may verify your identity by matching information to your account.
9. Cookies & tracking
The public-facing 2mw.io pages (pricing, docs, terms, privacy, signup, signin) do not set tracking cookies and do not include third-party analytics or advertising trackers.
The dashboard uses your browser's localStorage to remember your sign-in session (a 24-hour HMAC-signed token). This is local to your device and is not transmitted to any third party. Signing out clears it.
Stripe-hosted payment and customer-portal pages may set their own cookies necessary for payment processing and fraud prevention; their privacy policy applies on those pages.
10. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have, contact [email protected] and we will delete the data.
11. International data transfers
Two Minute Warning LLC is based in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. Our subprocessors are also US-based.
For EU/UK residents: where we transfer personal data out of the EU/UK, we rely on the Standard Contractual Clauses or other lawful transfer mechanisms required under GDPR/UK GDPR.
12. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at the address associated with your account at least 14 days before they take effect. The current version is always at this URL with the effective date at the top.
13. Contact
Privacy-related inquiries and data-rights requests:
Two Minute Warning LLC
[email protected]
For other legal notices, see Terms of Service ยง14.