Privacy Policy
Last updated: March 7, 2026
1. Who We Are
ColdState Inc. ("ColdState," "we," "us," or "our") is an Ohio corporation that operates the ColdState Services search API platform at services.coldstate.ai and the API endpoint at cold-api.coldstate.ai.
For questions about this policy, contact us at [email protected].
2. Information We Collect
Account Information
- Email address
- Company name
- Hashed password (bcrypt — we never store plaintext passwords)
Payment Information
- Payments are processed by Stripe, Inc. We do not store credit card numbers, CVVs, or full card details on our servers. Stripe acts as an independent data controller for payment data under its own Privacy Policy.
- We store your Stripe customer ID to link your account to your subscription.
Usage Data
- API query counts, timestamps, and associated index identifiers
- Rate-limit and burst-limit events
- IP addresses (for rate limiting and abuse prevention only)
Content You Provide
- Documents you upload to indexes are encrypted at rest using AES-256-GCM and are only accessible via your authenticated API keys.
- Search queries are processed in memory and are not stored after the response is returned.
Cookies and Local Storage
- Session token — stored in localStorage to maintain your authenticated session. This is strictly necessary for the service to function.
- Theme preference — stored in localStorage to remember your light/dark mode choice.
- Cookie consent — stored in localStorage to remember your consent choice.
- We do not use third-party tracking cookies, analytics scripts, or advertising pixels.
3. How We Use Your Information
- To create and manage your account
- To authenticate API requests
- To process payments and manage subscriptions
- To enforce rate limits and usage quotas per your plan tier
- To detect and prevent abuse or unauthorized access
- To send critical service notifications (outages, security alerts, billing issues)
We do not sell, rent, or share your personal information with third parties for marketing purposes. We do not use your data to train machine learning models.
4. Data Retention
- Account data is retained while your account is active and for 30 days after deletion.
- Usage logs are retained for 12 months for billing reconciliation, then aggregated and anonymized.
- Index data (your documents) is deleted immediately when you delete an index, and within 24 hours of account deletion.
- IaaS downloads expire and are purged after 24 hours.
5. Data Security
We protect your data with:
- AES-256-GCM field-level encryption for sensitive data at rest
- bcrypt hashing for passwords
- SHA-256 hashing for deterministic lookups (email, collection names)
- TLS/HTTPS for all data in transit
- API key authentication with encrypted storage
No system is 100% secure. If we become aware of a data breach, we will notify affected users within 72 hours as required by applicable law.
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and associated data
- Export your data in a portable format
- Object to processing of your data
To exercise any of these rights, email [email protected]. We will respond within 30 days.
7. International Users
ColdState is based in Ohio, United States. If you access the service from the European Union, United Kingdom, or other jurisdictions with data protection laws, your data will be transferred to and processed in the United States. By using the service, you consent to this transfer. We process data under the lawful basis of contract performance (providing the service you signed up for) and legitimate interest (security and abuse prevention).
8. Children
ColdState Services is not directed to individuals under 18. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it.
9. Third-Party Services
We use the following third-party services:
- Stripe — payment processing (privacy policy)
- Cloudflare — DNS, CDN, and DDoS protection (privacy policy)
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a notice on the dashboard. Continued use of the service after changes constitutes acceptance.