Legal

Privacy Policy

Effective: April 19, 2026

Last updated: April 19, 2026

Mataki Labs LLC (“Microwave,” “we,” “us,” or “our”), a Wyoming limited liability company, operates the microwave.sh website, the Microwave utility-API platform, and related services (collectively, the “Services”). This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Services.

By using our Services, you agree to the collection and use of information as described in this policy.

Information We Collect

Information You Provide

When you create an account, subscribe to a plan, or contact us, we may collect:

  • Account information: Name, email address, password (hashed), and company or organization name
  • Billing information: Payment method details are collected and processed by our payment processor (Stripe). We do not store full credit card numbers on our servers.
  • Communications: Any information you include when you contact us via email, support tickets, or Discord, including your name, email address, and message content
  • API keys and configuration: Workspace settings, named API keys you create, webhook endpoints, and other content you configure through the Services
  • Request payloads: The data you submit to Microwave Endpoints through any supported Transport (HTTPS, JSON-RPC, or MCP). Depending on the Endpoint you call, request payloads may include postal addresses, IP addresses, currency amounts, timezone identifiers, strings to be parsed, or other general-purpose inputs. Microwave is a utility-API platform and does not broker third-party OAuth connections or store end-user credentials.

Information Collected Automatically

When you use our Services, we automatically collect:

  • Usage data: Request volumes per Endpoint, token consumption, Transport mix, error rates, and feature usage metrics
  • Server logs: IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and request/response metadata
  • Performance data: Page load times, API response latencies, and error logs used to maintain service reliability
  • Device information: Device type, screen resolution, and timezone

How We Use Information

We use the information we collect to:

  • Provide and maintain the Services: Execute requested Endpoints, return responses, meter token usage, manage your account, and handle billing
  • Improve the Services: Analyze aggregate usage patterns to identify bugs, optimize performance, and develop new Endpoints
  • Ensure security: Detect and prevent fraud, abuse, and unauthorized access to accounts or API Keys
  • Communicate with you: Send transactional emails (account verification, billing receipts, quota alerts), respond to support requests, and provide product updates you have opted into
  • Comply with legal obligations: Respond to lawful requests from government authorities and comply with applicable laws

We do not sell your personal information to third parties.

Important: We do not use the content of your request payloads or the responses we generate for any purpose other than operating the Services. Request and response content is not used to train models, to market to you or your end users, or for any purpose beyond service delivery, metering, and short-term operational logging.

Information Sharing and Disclosure

We share information only in the following circumstances:

Service Providers

We use third-party service providers to help operate our Services, including:

  • Stripe for payment processing
  • Cloud infrastructure providers for hosting and data storage
  • Monitoring and logging services for operational visibility

These providers access information only as necessary to perform their services and are bound by contractual obligations to protect your information.

Request and Response Handling

We do not share, transmit, or expose the content of your request payloads or response bodies to any third party beyond the infrastructure providers listed above. Where an Endpoint’s implementation relies on an upstream reference dataset (for example, a currency rate feed), we issue aggregate or anonymized queries as required by our implementation — we do not forward your individual request payloads to third-party APIs unless the specific Endpoint’s documentation explicitly discloses that behavior.

We may disclose information if required to do so by law or in response to valid legal process, including subpoenas, court orders, or government requests. We will notify you of such requests when legally permitted to do so.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our website before your information becomes subject to a different privacy policy.

Data Retention

  • API request logs (including request payloads, response bodies, and associated metadata) are retained for 30 days for operational, debugging, and abuse-detection purposes, after which they are permanently deleted. Enterprise customers may configure shorter retention.
  • Usage and metering records (aggregate counts of requests and tokens consumed, without payload content) are retained for the life of your account plus 90 days to support billing, reporting, and dispute resolution.
  • Audit logs of administrative actions (login, API key creation, configuration changes) are retained according to your plan tier (7 days for Free, 30 days for Pro, 90 days for Scale, as configured for Enterprise).
  • Account data is retained for the life of your account. Upon account deletion, we will remove your personal information within 90 days, except where retention is required by law.
  • Billing records are retained for 7 years as required by applicable tax and accounting regulations.
  • Server logs are retained for 90 days for security and debugging purposes.

Data Security

We implement security measures appropriate to the sensitivity of the data we process:

  • Encryption at rest: Account data, API Keys, and stored configuration are encrypted using AES-256-GCM. Authenticated encryption ensures both confidentiality and integrity of stored material.
  • Per-tenant key isolation: Each workspace’s sensitive material is encrypted with a distinct data encryption key (DEK), preventing cross-tenant exposure. A compromise of one workspace’s key material cannot affect any other workspace.
  • HSM-backed key management: Key encryption keys (KEKs) are managed through hardware security modules (HSMs), ensuring keys are never exposed in plaintext outside secure hardware boundaries. Key rotation is automatic and transparent.
  • API Keys never logged: API Keys are never written to application logs, error reports, crash dumps, or monitoring systems. Log redaction is enforced at the serialization layer.
  • API Keys never displayed in raw form: The Microwave dashboard never displays full API Key values after initial creation. Only masked prefixes are shown for identification purposes.
  • Request payload isolation: Request payloads are processed in-memory for Endpoint execution and written to short-retention logs only for the durations described above. They are not commingled with account credential material.
  • Encryption in transit: All communications use TLS 1.3. Older TLS versions are not supported.
  • Access controls: Employee access to production systems is restricted, logged, and requires multi-party approval.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

Enterprise Deployment Options

Enterprise customers may arrange for dedicated infrastructure, private networking, or regional deployments that isolate their request traffic and storage from the shared multi-tenant environment. Under these configurations, request payloads and logs are confined to the dedicated environment agreed in the applicable order form, and Microwave Cloud’s shared services communicate only with the dedicated control plane for billing and orchestration metadata.

Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Delete your personal information (subject to legal retention requirements)
  • Export your data in a portable format, including account data and historical usage records
  • Withdraw consent for optional data processing activities

To exercise any of these rights, contact us at privacy@microwave.sh. We will respond to your request within 30 days. If we need additional time to fulfill your request, we will notify you of the delay and the reason for it.

Data Residency

By default, all data is stored in the United States. Enterprise customers may elect EU data residency (in which case account data and request logs are stored within the European Union) or request custom data residency configurations to meet specific regulatory requirements.

Data residency selection is made at the workspace level and applies to all request traffic and stored data within that workspace.

Cookies and Tracking

The Microwave dashboard uses strictly necessary cookies to maintain your authenticated session. We do not use third-party advertising trackers, social media pixels, or cross-site tracking cookies. Analytics, if any, are privacy-respecting and do not track individual users across sites.

Children’s Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

International Data Transfers

Mataki Labs LLC is based in the State of Wyoming, United States. If you access our Services from outside the United States, your information may be transferred to and processed in the United States, unless you have elected an alternative data residency option. By using our Services, you consent to such transfer and processing.

For customers who require specific transfer mechanisms (such as Standard Contractual Clauses), please contact us to discuss available options.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we will provide additional notice via email to the address associated with your account.

Governing Law

This Privacy Policy is governed by the laws of the State of Wyoming, United States, without regard to its conflict of law provisions.

Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Mataki Labs LLC State of Wyoming (address available on request to legal@microwave.sh) Email: privacy@microwave.sh