Privacy Policy — PrairieCloud LLC
Version: 1.0 Effective Date: 2026-05-02 Last Updated: 2026-05-02
Table of Contents
- Who We Are
- What This Policy Covers
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing (GDPR)
- How We Share Your Information
- International Data Transfers
- Data Retention
- Security
- Cookies and Tracking Technologies
- Your Privacy Rights
- Children's Privacy
- Changes to This Policy
- Contact Us
1. Who We Are
PrairieCloud LLC ("PrairieCloud," "we," "us," or "our") is a technology company incorporated as a Texas limited liability company. We operate the PrairieCloud API — a REST API service that provides programmatic access to U.S. Census Bureau data — along with the developer dashboard at https://dashboard.prairiecloud.io and our marketing website at https://prairiecloud.io.
Our API endpoint: api.prairiecloud.io
We are the data controller for personal information collected from developers, data analysts, and organizations that use our services.
Mailing address: PrairieCloud LLC #1504 3333 Preston Road STE 300 Frisco, TX 75034 United States
Privacy contact: [email protected]
EU/UK Market Posture: PrairieCloud is based in the United States and currently focuses on U.S. customers. We do not actively target or market our services to individuals in the European Economic Area (EEA), United Kingdom, or Switzerland. If we later enter into contracts with customers established in those jurisdictions, or otherwise become subject to EU or UK data protection representative requirements, we will take appropriate steps, which may include appointing a representative and entering into applicable data processing terms.
2. What This Policy Covers
This Privacy Policy explains:
- What personal information we collect when you use PrairieCloud's PrairieCloud API, developer dashboard, and website
- Why we collect it and what we do with it
- Who we share it with
- Where it is stored
- How long we keep it
- Your rights regarding your personal information
What this policy does not cover: The U.S. Census Bureau data served through our API. That data is public information published by the Census Bureau and does not constitute personal information about our users. Refer to the U.S. Census Bureau's privacy policy for information about how the Bureau handles data collection.
This policy applies to:
- Individuals who create an account and use the PrairieCloud API
- Visitors to our website at prairiecloud.io
- Anyone who contacts our support team
3. Information We Collect
3.1 Information You Provide at Signup
When you create a PrairieCloud account, we collect:
| Data | Required? | Purpose |
|---|---|---|
| Email address | Yes | Account creation, login, billing notifications, service communications |
| Full name | Yes | Account identification, billing |
| Company name | No (optional) | Understanding our customer base |
3.2 Information We Collect Automatically
When you use the PrairieCloud API or developer dashboard, we automatically collect:
API Usage Logs. Every API request you make is logged. Each log entry includes:
- API endpoint called (e.g.,
/v1/census/population) - Request parameters (query strings sent with the request)
- Timestamp of the request
- HTTP response code (e.g., 200, 404, 429)
- Response latency (how long the request took)
- Your API key identifier (we store a cryptographic hash of your key — not the key itself)
We use these logs to meter your usage for billing, enforce rate limits, debug errors, and monitor the health of our service.
IP Addresses. We log the IP address from which requests originate. We use IP addresses for security monitoring, abuse detection, and geographic understanding of our user base.
API Key Hashes. When you generate an API key, we store a one-way cryptographic hash of the key for authentication purposes. We do not store your actual API key after it is generated and displayed to you. When you revoke a key, its hash is deleted from our systems.
3.3 Authentication Data (Developer Dashboard)
When you log in to the developer dashboard at https://dashboard.prairiecloud.io, we issue a session token (JWT — JSON Web Token) to maintain your logged-in state. This token is stored in an HTTP-only cookie, meaning it is not accessible to JavaScript in your browser. This is a security measure to protect your session from cross-site scripting (XSS) attacks.
3.4 Payment Information
Payments are processed by Stripe, Inc. We do not receive, store, or process your full credit card number, CVC, or similar payment card data. When you add a payment method:
- Stripe collects and stores your payment card details directly
- We receive only a payment method token and summary information (last four digits, card brand, expiration)
- Stripe is PCI-DSS Level 1 compliant — the highest level of payment security certification
We do store your billing history (invoices, amounts charged, dates) for accounting and legal compliance purposes.
3.5 Support Interactions
If you contact our support team by email or any other channel, we collect and retain the contents of your communication and any information you choose to provide (e.g., your account details, a description of your issue). We use this to respond to your request and improve our support quality.
3.6 Information We Do NOT Collect
To be explicit about what we don't do:
- We do not collect health, financial, or biometric data
- We do not build advertising profiles
- We do not track your activity across third-party websites
- We do not sell your personal information to any third party
- We do not use your data for cross-context behavioral advertising
4. How We Use Your Information
We use the information described in Section 3 for the following purposes:
Account Management and Authentication
We use your email, name, and session token to create and manage your account, verify your identity when you log in, and allow you to access your dashboard and API keys.
API Access and Rate Limiting
We use your API key hash to authenticate each request to the PrairieCloud API and to enforce the rate limits associated with your subscription plan.
Usage Metering and Billing
We use your API usage logs to calculate how many requests you have made in each billing period, to enforce plan limits, and to generate accurate invoices through our Stripe integration.
Service Monitoring, Debugging, and Performance
We use usage logs, IP addresses, and technical data to monitor the health and performance of our systems, identify and resolve errors, and plan infrastructure capacity.
Security and Fraud Prevention
We use IP addresses, usage patterns, and other technical signals to detect and prevent abuse, unauthorized access, unusual activity, and other security threats.
Product Improvement and Analytics
We use aggregated and de-identified usage data to understand how our API is being used, which endpoints are most popular, and where we can improve our service.
We use Cloudflare Web Analytics to understand how our website is used (page views, referrers, device types). Cloudflare Web Analytics is privacy-preserving by design: it does not use cookies, does not collect personal data, does not log IP addresses, and does not use fingerprinting. No GDPR consent banner is required for this analytics tool. Cloudflare processes analytics data as part of our existing CDN relationship (see Section 6).
Communication
We use your email address to send:
- Transactional messages (required): Account setup confirmation, billing receipts and invoices, service alerts, API key creation/revocation notifications, security alerts
- Product updates (opt-out available): Announcements about new features, API updates, or significant changes to our service
- Marketing (opt-in required, GDPR): Newsletters, promotional content — we will only send this if you have explicitly opted in
We do not sell your email address or use it for any purpose other than communications directly related to PrairieCloud.
5. Legal Basis for Processing (GDPR)
This section applies where EU GDPR, UK GDPR, or Swiss data protection law applies to our processing of your personal information. PrairieCloud is U.S.-focused and does not actively target those markets, but this information is provided for transparency and for situations where applicable law requires it.
Where GDPR or UK GDPR applies, we must have a valid legal basis for each way we use your personal information. Here is our legal basis for each processing activity:
| Processing Activity | Legal Basis | Article |
|---|---|---|
| Creating and managing your account | Contract — necessary to provide the service you've signed up for | Art. 6(1)(b) |
| Authenticating API requests | Contract — necessary to deliver the API service | Art. 6(1)(b) |
| Billing and payment processing | Contract — necessary to fulfill our contractual obligations | Art. 6(1)(b) |
| Sending mandatory transactional messages (receipts, security alerts, account notifications) | Contract — necessary to fulfill service obligations | Art. 6(1)(b) |
| Sending product update notifications | Legitimate Interest — keeping users informed of changes that affect their use of the service | Art. 6(1)(f) |
| Service monitoring and debugging | Legitimate Interest — necessary to maintain a reliable, secure service | Art. 6(1)(f) |
| Security and abuse detection | Legitimate Interest — protecting our systems and users from harm | Art. 6(1)(f) |
| IP address logging for security and abuse investigation | Legitimate Interest — protecting our systems and investigating security incidents | Art. 6(1)(f) |
| Product analytics (aggregated/de-identified) | Legitimate Interest — improving our service in ways that benefit users | Art. 6(1)(f) |
| Retaining billing records | Legal Obligation — tax and financial record-keeping requirements | Art. 6(1)(c) |
| Marketing communications | Consent — we will only send marketing if you have opted in | Art. 6(1)(a) |
Legitimate Interest Balancing: Where we rely on legitimate interest, we have weighed our interests against your rights and freedoms. We believe our interests (maintaining a secure, reliable, improving service) are proportionate and do not override your fundamental rights, given that:
- We collect only what is necessary for service delivery
- We do not use data for advertising or profiling
- We apply appropriate security measures
- You have clear rights to object (see Section 11)
Withdrawing Consent: Where we process your data based on consent (e.g., marketing emails), you may withdraw your consent at any time without affecting the lawfulness of processing before withdrawal. Use the unsubscribe link in any marketing email or contact us at [email protected].
6. How We Share Your Information
We do not sell, rent, or trade your personal information. We share your data only in the following limited circumstances:
Sub-Processors (Service Providers)
We use third-party companies that process personal data on our behalf (called "sub-processors" under GDPR). These companies are contractually prohibited from using your data for their own purposes.
| Sub-Processor | Purpose | Location | Data Shared |
|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure — servers, databases | Nuremberg, Germany (EU) | All data stored on our platform |
| Cloudflare, Inc. | CDN, DDoS protection, DNS, edge security | Global (US-headquartered) | IP addresses, request metadata |
| Stripe, Inc. | Payment processing | United States | Billing details, email (for receipts) |
| Clerk, Inc. | Dashboard authentication and user management | United States | Email address, full name, session data, authentication events |
| Cloudflare Web Analytics | Website analytics (page views, referrers, device types) | Global (US-headquartered) | No personal data collected; no cookies; no IP logging |
Legal Requirements
We may disclose your information if required to do so by law, regulation, court order, or legal process, or if we believe disclosure is necessary to:
- Comply with applicable law or respond to lawful government requests
- Protect the rights, property, or safety of PrairieCloud, our users, or others
- Prevent or investigate possible fraud, violations of our Terms of Service, or other illegal activity
We will notify you of any such request to the extent permitted by law, and we will take commercially reasonable steps to challenge requests we believe are overbroad or legally deficient.
Business Transfers
If PrairieCloud LLC is acquired, merged, or substantially all of its assets are transferred, your personal information may be transferred as part of that transaction. We will provide notice (via email and/or a prominent notice on our website) before your personal information is transferred and becomes subject to a different privacy policy. You will have the opportunity to delete your account before any such transfer.
No Sale of Personal Information
We do not sell personal information to third parties. This applies to California consumers under CCPA/CPRA and to all users globally.
7. International Data Transfers
Where Your Data Is Stored
Your personal information is stored on servers operated by Hetzner Online GmbH, located in Nuremberg, Germany — within the European Union. This means your data benefits from the strong data protection standards required by EU law, regardless of where you are located.
Our primary database (PostgreSQL 16) and caching layer (Redis) are both hosted on these EU-based servers.
Transfers Outside the EU
While your data is stored in the EU, some of our sub-processors are U.S.-based (Cloudflare, Stripe, Clerk), which means portions of your data may be processed in the United States or other countries with different data protection laws.
How we protect your data in transfers:
-
Cloudflare: Cloudflare is subject to its own Data Processing Addendum which includes Standard Contractual Clauses (SCCs) adopted by the European Commission. As a CDN, Cloudflare processes request metadata at edge nodes globally but does not store persistent personal data beyond caching durations.
-
Stripe: Stripe participates in cross-border data transfer mechanisms and provides Standard Contractual Clauses for EU customers. Stripe's data processing addendum is available at https://stripe.com/legal/dpa.
-
Clerk: Clerk, Inc. provides dashboard authentication services from the United States. Clerk's data processing addendum includes Standard Contractual Clauses (SCCs) for EU data transfers. Details are available at clerk.com/legal/dpa.
If EU/UK Data Protection Law Applies
PrairieCloud is a U.S.-incorporated company and does not currently target individuals in the EEA, United Kingdom, or Switzerland. If we enter into a contract with a customer established in those jurisdictions, or if EU/UK/Swiss data protection law otherwise applies to our processing, we will handle applicable personal data in accordance with the relevant requirements. See Section 5 for our legal bases for processing and Section 11 for rights that may apply.
8. Data Retention
We retain your personal information only as long as necessary for the purposes described in this policy or as required by law.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account information (name, email, company) | Duration of active account + 30 days after account deletion | Allows account recovery within a reasonable window; permanent deletion provides closure |
| API usage logs | 24 months | Supports billing disputes, debugging, capacity planning, and security investigation |
| API key hashes | Deleted upon key revocation | No ongoing purpose after revocation |
| JWT session tokens | Session duration (expires upon logout or timeout) | Short-lived by design |
| Billing records (invoices, payment history) | 7 years from transaction date | U.S. and international tax and accounting legal requirements |
| Support communications | 3 years | Reference for ongoing support needs; evidence retention for potential disputes |
| IP address logs | 12 months | Security and fraud investigation; minimized to reduce privacy exposure |
When we delete data, we take reasonable steps to ensure it is permanently destroyed or anonymized within 30 days from the end of the retention period.
9. Security
We take the security of your personal information seriously. Our security measures include:
Technical Measures:
- All data in transit is encrypted using TLS 1.2 or higher
- API keys are stored as one-way cryptographic hashes (never in plaintext)
- Session tokens use HTTP-only cookies (inaccessible to JavaScript)
- Our databases (PostgreSQL 16, Redis) are not publicly exposed to the internet
- Server infrastructure is hosted on Hetzner Cloud with network-level isolation
- Cloudflare provides DDoS protection and Web Application Firewall (WAF) coverage at the edge
Organizational Measures:
- Access to production systems is restricted to authorized personnel only
- We follow the principle of least privilege for internal system access
- We maintain incident response procedures for security events
Limitations: No method of data transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee absolute security.
Security Incidents: If we become aware of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law (GDPR: within 72 hours of becoming aware; state breach notification laws may impose shorter timelines for California and other states).
10. Cookies and Tracking Technologies
What Are Cookies?
Cookies are small text files that websites store on your device. We use them only where technically necessary.
Cookies We Use
Authentication Cookie (Developer Dashboard Only)
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
prairiecloud_session | HTTP-only, Secure | Stores your JWT session token to keep you logged in to the developer dashboard | Session (expires after 7 days of inactivity or upon explicit logout) |
This cookie is set only on the developer dashboard domain, not on the marketing website or API endpoint. It is an HTTP-only cookie, meaning browser-side JavaScript cannot read it — this is a security feature.
Cloudflare Cookies
Cloudflare, our CDN and security provider, may set cookies on visitors' browsers for security and performance purposes. These cookies are set by Cloudflare, not directly by PrairieCloud.
| Cookie Name | Purpose | Duration |
|---|---|---|
__cf_bm | Bot management and abuse prevention | 30 minutes |
_cfuvid | Rate limiting (may be set in some configurations) | Session |
For more information, see Cloudflare's Cookie Policy.
Cookies We Do NOT Use
- Analytics cookies: We do not currently use Google Analytics, Mixpanel, Amplitude, or similar analytics tracking cookies on our website or dashboard.
- Advertising cookies: We do not use any advertising or retargeting cookies.
- Third-party tracking pixels: We do not embed third-party tracking pixels or beacons.
Note: We use Cloudflare Web Analytics for website analytics. This tool does not set cookies, does not collect personal data, and does not require a GDPR consent banner. It is included in our existing Cloudflare CDN service and is not listed separately in the cookies table above because it uses no cookies or client-side tracking.
Managing Cookies
You can control cookies through your browser settings. Note that disabling our authentication cookie will prevent you from staying logged in to the developer dashboard. The Cloudflare cookies are set for security purposes and are not under our control.
Most browsers allow you to:
- View what cookies are stored on your device
- Delete individual cookies or all cookies
- Block third-party cookies
- Set preferences for future cookie handling
11. Your Privacy Rights
11.1 Rights Under EU/UK/Swiss Data Protection Law
Where EU GDPR, UK GDPR, or Swiss data protection law applies to our processing of your personal information, you may have the following rights. We will respond to verified requests within 30 days where GDPR/UK GDPR applies (with the possibility of a 60-day extension for complex requests, with notice).
| Right | What It Means | How to Exercise |
|---|---|---|
| Right of Access (Art. 15) | Receive a copy of all personal data we hold about you and information about how we use it | Email [email protected] |
| Right to Rectification (Art. 16) | Have inaccurate or incomplete data corrected | Email [email protected] or update in dashboard |
| Right to Erasure / "Right to Be Forgotten" (Art. 17) | Request deletion of your personal data (subject to legal retention obligations — e.g., we must retain billing records for legal/tax compliance) | Email [email protected] |
| Right to Restriction of Processing (Art. 18) | Ask us to pause processing your data in certain circumstances (e.g., while contesting its accuracy) | Email [email protected] |
| Right to Data Portability (Art. 20) | Receive your data in a structured, machine-readable format (applies to data processed by contract or consent) | Email [email protected] |
| Right to Object (Art. 21) | Object to processing based on legitimate interest, including profiling | Email [email protected] |
| Right to Withdraw Consent (Art. 7(3)) | Withdraw consent for processing based on consent (e.g., marketing emails) at any time | Unsubscribe link in emails or email [email protected] |
| Right re: Automated Decision-Making (Art. 22) | PrairieCloud does not make decisions about you based solely on automated processing that produce legal or similarly significant effects. If this changes, we will update this policy and inform you of the logic involved. | N/A — not currently applicable |
| Right to Lodge a Complaint | Complain to your national Data Protection Authority (DPA) if you believe we have not handled your data lawfully | See list of EU DPAs at edpb.europa.eu |
We will not discriminate against you for exercising these rights.
11.2 Rights for California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you the following rights. We will respond to verified requests within 45 days (extendable by 45 days with notice).
Right to Know: You have the right to request that we disclose what personal information we have collected about you, the categories of sources, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (e.g., we may retain information needed to complete transactions, detect fraud, or comply with legal obligations).
Right to Correct: You have the right to request that we correct inaccurate personal information.
Right to Opt-Out of Sale or Sharing: We do not sell personal information. We do not share personal information for cross-context behavioral advertising. No opt-out is necessary because we do not engage in these practices. However, if this changes in the future, we will update this policy and provide an opt-out mechanism.
Right to Limit Use of Sensitive Personal Information: We do not collect or use sensitive personal information (as defined under CPRA — e.g., Social Security numbers, precise geolocation, financial account numbers) for purposes beyond what is permitted without an opt-out. The limited data we collect (email, name, IP address, usage logs) does not fall into sensitive categories.
Right to Non-Discrimination: We will not discriminate against you for exercising your California privacy rights. We will not deny you our services, charge you different prices, or provide a different quality of service because you exercised your rights.
Submitting a California Privacy Request: Email: [email protected] Subject line: "California Privacy Request"
We will verify your identity before processing your request (typically by confirming details associated with your account).
Authorized Agents: You may designate an authorized agent to submit requests on your behalf. We will require written authorization and may still contact you directly to verify your identity.
Categories of Sources of Personal Information: We collect personal information from the following categories of sources: (a) directly from you when you create an account, provide payment information, or contact support; (b) automatically from your use of our services, including API usage logs, IP addresses, and authentication data; (c) from our service providers, including payment confirmation data from Stripe and authentication data from Clerk.
Categories of Personal Information Collected (CCPA Categories):
| CCPA Category | Examples We Collect | Sold? | Shared for Advertising? |
|---|---|---|---|
| Identifiers | Email address, name, IP address | No | No |
| Commercial Information | Billing history, subscription plan | No | No |
| Internet or Network Activity | API usage logs, request metadata | No | No |
| Professional/Employment Information | Company name (optional) | No | No |
11.3 How to Submit a Privacy Request
For all users (GDPR, CCPA, or general privacy requests):
- Email: [email protected]
- Subject line: Include "Privacy Request" and your request type
- We'll ask you to verify: For account-related requests, we'll ask you to confirm from the email on your account or through a verification step in the dashboard
We aim to acknowledge requests within 5 business days and complete them within the legally required timeframes noted above.
12. Children's Privacy
The PrairieCloud API is a professional developer tool designed for software developers, data analysts, and businesses. It is not directed at or intended for use by children under the age of 13 (or 16 in the European Union, where GDPR sets a higher standard for online services).
We do not knowingly collect personal information from children under 13 (or 16 for EU residents). Our signup process requires users to represent that they are at least 18 years old or have parental consent if younger.
If you believe we have inadvertently collected information from a child under the applicable age threshold, please contact us immediately at [email protected] and we will take prompt steps to delete that information.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law.
How we'll notify you:
- Material changes: We will notify you by email (to the address on your account) and by posting a prominent notice on our website and developer dashboard at least 30 days before the change takes effect.
- Minor changes: We may update the policy and change the "Last Updated" date. We encourage you to review this policy periodically.
Your continued use of the PrairieCloud API after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you may close your account before the effective date.
We will maintain a version history of this policy at prairiecloud.io/legal/privacy/changelog so you can review what changed and when.
14. Contact Us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or have a concern about how we handle your data, please reach out:
PrairieCloud LLC Privacy & Data Protection #1504 3333 Preston Road STE 300 Frisco, TX 75034 United States
Email: [email protected] Website: https://prairiecloud.io
Response time: We aim to respond to all privacy inquiries within 5 business days.
EU/UK Representative: PrairieCloud does not currently appoint an EU or UK representative because we do not actively target individuals in the EEA or United Kingdom. If we later enter into contracts with customers established in those jurisdictions, or otherwise become subject to representative requirements, we will update this Policy and take the required steps.
Where EU/UK data protection law applies, you may have the right to contact your national data protection authority. A list of EU data protection authorities is available at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.