Legal

Privacy Policy

Last updated: 2026-07-11 · Undercurrent Labs LLC

1. Who we are

util.beauty is operated by Undercurrent Labs LLC. This policy describes what we collect when you use the website and API, and how we use it.

2. Data we process

  • Accounts: name, email (when provided), API key hashes and display prefixes, credit balances and ledger entries.
  • Requests: path, status, latency, utility name, payment mode, request id; optional Cloudflare country/colo. We do not store request headers, bodies, or query strings in the durable request log.
  • x402: payment flow metadata and hashes of payment proofs — raw EIP-3009 signatures and proofs are never stored or logged.
  • Stripe: checkout session ids, email, SKU, and payment references needed to credit your wallet. Card numbers are handled by Stripe, not by us.
  • Contact form: name, email, subject, message, request type, and optional user-agent / country for spam defense.
  • Artifacts: generated files (screenshots, PDFs) stored in object storage until expiry (~7 days).
  • Crypto utilities: inputs, keys, and outputs are processed in memory and are never persisted or written to logs.

3. Why we process it

To provide the API, meter usage, prevent abuse and fraud, fulfill payments, respond to contact messages, and improve reliability. Legal bases include performance of a contract and legitimate interests in securing a paid API.

4. Processors

We use infrastructure and payment providers such as Cloudflare (Workers, D1, R2, Browser Rendering), Stripe (card checkout), and x402 facilitators for on-chain settlement. They process data only as needed to provide their services.

5. Retention

Account, ledger, and usage records are kept for billing and audit as long as the account is active and for a reasonable period afterward. Artifacts expire after about 7 days. Contact messages are retained until handled and then archived or deleted. x402 audit rows support settlement investigation.

6. Your choices

You may contact us via /contact to request access or deletion where applicable. Some records must be retained for fraud prevention or legal compliance. You can stop using the service at any time; prepaid credits are non-transferable unless we agree otherwise.

7. Security

API keys are stored hashed. Payment proofs are hashed. Transport is HTTPS. No method of transmission or storage is perfectly secure; report issues per security.txt.

8. Changes

We may update this policy by posting a new version here with a revised date.