Capitis
Sign inStart building

Privacy Policy

Last updated: 11 June 2026

This Privacy Policy describes how Capitis ("we," "us," or "our") collects, uses, and shares information about you when you use our website at capitis.app and our API services (collectively, the "Services"). Capitis is currently operated by its founding team as an early-access service; a dedicated legal entity is being established, and this policy will be updated with its name and registered address once registration completes.

What we collect

When you sign up and use Capitis, we collect:

  • Account information. Your email address, name (if provided via Google or GitHub), and authentication metadata necessary to maintain your session.
  • Usage data. API request logs, click events, and conversion attribution records that you send us through your integration.
  • Hashed identifiers. When you use the identity-graph features, we receive HMAC-SHA256 hashes of identifiers you've submitted (email, phone, card token, bank link, wallet). We never receive the raw values. Note that these hashes are deterministic: the same input always produces the same hash, which is what makes cross-publisher matching possible. It also means a party who holds both the hashing parameters and a candidate raw value could check whether that value matches a stored hash. Treat hashed identifiers as pseudonymous personal data, not anonymous data — we do. Each identifier can be revoked individually, which removes it from matching.
  • Billing information. Processed and stored by our payment processor (Stripe). We do not store your payment card details.

How we use information

  • To operate, maintain, and improve the Services.
  • To send transactional email (sign-in links, account notifications, billing).
  • To enforce our Terms of Service and prevent abuse.
  • To comply with legal obligations.

Subprocessors

We use the following subprocessors to operate Capitis:

  • Hostinger — VPS hosting infrastructure
  • Stripe, Inc. — payment processing and billing
  • Resend — transactional email delivery
  • ImprovMX — inbound email forwarding
  • Google LLC — OAuth sign-in (if you choose Google)
  • GitHub, Inc. — OAuth sign-in (if you choose GitHub)

A current list of subprocessors is maintained on this page. We will update it when we add or change subprocessors.

Data retention

We retain account information for as long as your account is active. We retain billing records as required by tax law (typically 7 years). We retain usage logs for 90 days for operational purposes.

Your end-users

If you are a publisher submitting hashed identifiers on behalf of your own users, you are the controller of that data and responsible for disclosing this processing to your users; we process it on your instructions. End-users who want an identifier removed can ask their publisher to revoke it, or contact us directly at privacy@capitis.app.

Your rights

If you are in the EU/EEA, UK, or California, you have rights under GDPR / UK GDPR / CCPA including the right to access, correct, delete, or export your data. To exercise these rights, email privacy@capitis.app and we will respond within 30 days. Account deletion currently runs as a manual process handled by the team; a self-service deletion control is in development.

Cookies

We use only essential cookies for authentication. We do not use tracking or advertising cookies.

Children

Capitis is not directed at children under 16. We do not knowingly collect data from children.

Changes

We may update this policy. Material changes will be announced via email at least 30 days before they take effect.

Contact

Privacy questions: privacy@capitis.app · General: support@capitis.app

Capitis is operated by its founding team while a dedicated legal entity is being registered. The entity's name and registered address will be added here when registration completes.