ZapFetch
Back to Home

Privacy Policy

How Redland Pte. Ltd. (operator of ZapFetch) collects, uses, stores, and protects your information.

Effective date: 2026-04-23

1. Who We Are

The ZapFetch platform — a Web Scraping, Crawling, Search, and Extraction API for LLM-ready data — is operated by Redland Pte. Ltd., a private company limited by shares incorporated in the Republic of Singapore (UEN 202304648K), with its registered office at 1 North Bridge Road, #11-02, High Street Centre, Singapore 179094 ("Redland," "we," "us," or "our"). In this policy, "you" or "your" refers to you as a user of the Services or as a third party whose data we process on behalf of a customer. For the purposes of the Singapore Personal Data Protection Act 2012 ("PDPA"), Redland is the organisation responsible for personal data collected through the Services.

2. What This Policy Covers

This Privacy Policy explains how we collect, manage, store, and use information when you interact with the Services — including our website, Console, API, and any integrations we offer. It should be read alongside our Terms of Service.

3. Why We Publish This

We value your privacy and publish this policy so that you can make an informed decision about using the Services. We welcome feedback on this policy at redland2024@gmail.com.

4. Information Collection and Use

4.1 Personally Identifiable Information We Collect

We collect the following categories of personally identifiable information ("PII"):

  • Name (as provided during sign-up or via OIDC profile);
  • Email address;
  • Authentication identifiers issued by Logto (our OIDC identity provider);
  • Payment information processed by Stripe (card number, cardholder name, and billing address — we do not retain card numbers ourselves);
  • Company or organization information you provide;
  • IP address and geographic region (inferred from IP);
  • Browser and device information (user agent, operating system, language preference);
  • Request timestamps, referrer URLs, and page views;
  • API key identifiers (not the full key after creation — see Section 5.1 for key handling);
  • URLs and prompts you submit to the Services, and content returned by the Services in response to those requests.

4.2 How We Use Personally Identifiable Information

We use personal information for the following purposes:

  • To provide, operate, and secure the Services;
  • To authenticate users via Logto and to enforce API key permissions and quotas;
  • To measure usage and bill customers accordingly via Lago and Stripe;
  • To cache and index responses in Redis so that credit checks and usage lookups are fast;
  • To contact you about Service issues, feature updates, billing, and (if you opt in) product announcements;
  • To improve platform performance and product features based on aggregated usage patterns;
  • To detect, investigate, and respond to abuse, fraud, and violations of the Terms of Service;
  • To comply with legal obligations, including responding to lawful requests from public authorities.

4.3 Who We Share Your Information With and Why

ZapFetch relies on the following third-party sub-processors. We share only the information necessary for each provider to perform its function:

  • Stripe, Inc. — Handles all card payments, tax calculation, and invoicing. Stripe receives your email, cardholder name, card number, and billing address. Privacy policy: stripe.com/privacy.
  • Lago — Usage-metering and subscription management backend. Receives anonymized customer IDs and metered credit-usage events.
  • Logto — OIDC identity provider, operated as a self-hosted instance. Handles sign-in, password/email verification, and JWT issuance. Receives your email and any OIDC profile attributes you choose to share.
  • Cloud infrastructure provider(s) — Our application servers, PostgreSQL database, and Redis cache run on mainstream cloud infrastructure. These providers do not have access to the content of your requests beyond what is required to transport and store them.
  • Container image registry (Alibaba Cloud ACR) — Stores Docker images used to run our services; does not process customer data.

We may share information with law enforcement or other government authorities to the extent necessary to comply with applicable law, respond to valid legal process, or protect the rights, property, or safety of ZapFetch, our users, or others. We will challenge overbroad requests where we are able to.

4.4 Your Choices in What Information You Share

You control what information you submit to the Services. Unregistered users' personal information is not collected except to the extent necessary to serve the marketing website (see Section 4.5). If you are a customer submitting third-party URLs or data to the Services, you represent and warrant that you have the authority to do so and have complied with any applicable notice or consent obligations to the individuals to whom that data relates.

4.5 Non-Personally Identifiable Information

We also collect non-PII, including:

  • Device and connection details (hardware type, operating system, web browser, language preference);
  • Aggregated traffic patterns and anonymized request logs used for performance tuning;
  • Referral source and entry points used to reach the Services.

Website analytics, when deployed, are configured to avoid collecting persistent identifiers where possible.

4.6 How Long We Keep Your Information

We retain account and billing records for as long as your account is active plus a reasonable period afterward to comply with legal and tax-record-retention obligations. Operational logs (request logs, access logs, abuse-detection logs) are retained for a rolling window of no more than 90 days unless required for an ongoing investigation.

Scraped content returned through the API is handled as follows:

  • Standard plans: response bodies may be cached briefly (typically under 10 minutes for authorization/credit metadata and under 24 hours for response de-duplication) and then expire automatically.
  • Zero Data Retention (ZDR) add-on, Business+: raw response content is dropped within 7 seconds and is never written to disk.

On written request at redland2024@gmail.com, we will delete your account and associated PII, subject to legal and tax-record retention obligations.

4.7 Where We Keep and Transfer Your Information

Redland operates global infrastructure. Your information may be stored and processed outside Singapore, including in the United States and other jurisdictions where our cloud infrastructure providers operate, depending on the deployment region applicable to your account. Where personal data originates in Singapore and is transferred outside Singapore, we take reasonable steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection at least comparable to that under the PDPA, as required by Section 26 of the PDPA read with the Personal Data Protection Regulations 2021. For transfers originating in the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses or other valid transfer mechanisms where required.

International users should recognise that some jurisdictions may not provide the same level of data protection as your country of residence. We do not intentionally process special-category data (data revealing race; ethnic origin; political, religious, or philosophical beliefs; trade-union membership; health; sexual activity; or sexual orientation). You should not submit such data to the Services.

4.8 Your Rights Under the Singapore PDPA

Under the Singapore Personal Data Protection Act 2012, you have the following rights with respect to personal data that we hold about you:

  • Access — request confirmation that we hold personal data about you, and a copy of that data and information about how it has been used or disclosed in the preceding 12 months;
  • Correction — request correction of personal data that is inaccurate or incomplete;
  • Withdrawal of consent — withdraw, at any time, any consent previously given for our collection, use, or disclosure of your personal data for a specified purpose, subject to legal and contractual restrictions and reasonable notice;
  • Data portability — once the portability provisions of the PDPA come into force, request that we transmit specified categories of your data to another organisation in a commonly used format.

To exercise these rights, contact our Data Protection Officer at redland2024@gmail.com. We will respond within thirty (30) days where reasonably practicable. We may charge a reasonable fee for access requests as permitted by the PDPA and will inform you of the fee in advance.

If you are not satisfied with our response, you have the right to lodge a complaint with the Singapore Personal Data Protection Commission (PDPC) at pdpc.gov.sg.

4.9 Your Rights Under GDPR

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you additionally have the following rights:

  • Be informed about what personal data we hold about you and how it is processed;
  • Access your data;
  • Correct inaccurate data;
  • Request erasure of your data;
  • Restrict or object to processing;
  • Data portability;
  • Object to automated decision-making and profiling.

We respect these rights for all users regardless of location. To exercise them, contact redland2024@gmail.com. You also have the right to lodge a complaint with the supervisory authority in your place of residence.

4.10 Your Rights Under CCPA (California Residents)

Under the California Consumer Privacy Act, California residents may:

  • Request a summary of the personal information we have collected about them, up to twice per 12-month period;
  • Request deletion of personal information we have collected, subject to legal retention requirements;
  • Opt out of the sale of personal information (we do not sell personal information).

We may require identity verification before processing these requests. Submit requests to redland2024@gmail.com.

5. Protecting Your Information

5.1 Keeping It Safe

We implement reasonable and commercially feasible measures to keep your information safe, including:

  • TLS 1.2+ for all traffic between your client and our API edge;
  • At-rest encryption for databases and object storage;
  • Least-privilege access controls for internal staff, with authorization changes audited;
  • API keys are shown once on creation and stored hashed after that — we cannot recover a lost key, you must rotate;
  • Short-lived (15-minute) JWT access tokens with Redis-backed revocation for administrative actions;
  • Separate health-admin endpoints protected by a dedicated admin token and reachable only from within the cluster network.

No organisation can guarantee 100% data protection. If we become aware of a data breach that results in, or is likely to result in, significant harm to any individual, or that is of a significant scale, we will notify the Singapore Personal Data Protection Commission (PDPC) as soon as practicable (and in any event no later than three (3) calendar days after assessment, as required by Section 26D of the PDPA) and notify affected individuals without undue delay. Where other laws such as the GDPR apply, we will additionally comply with their notification obligations (including the 72-hour supervisory-authority notification requirement under GDPR Article 33).

5.2 Data Protection Officer

As required by Section 11(3) of the PDPA, Redland has designated a Data Protection Officer ("DPO") responsible for ensuring our compliance with the PDPA. You may contact the DPO at:

  • Email: redland2024@gmail.com
  • Mail: Data Protection Officer, Redland Pte. Ltd., 1 North Bridge Road, #11-02, High Street Centre, Singapore 179094

5.3 Third-Party Providers

We do not control the privacy practices of third-party providers. You should review their terms directly; the providers we rely on are listed in Section 4.3.

5.4 Posting Content

When you share content through the Services or post it on external platforms (for example, by embedding scraped data in a public application you build), that information may become public. We cannot compel third parties to erase information that you have made public.

5.5 Do Not Track Signals and Cookies

We honour browser "Do Not Track" signals on our marketing website where feasible. The Console uses strictly-necessary cookies (session, CSRF) and does not use advertising cookies.

5.6 Minors' Data

We do not intentionally collect data from individuals under 13 (or under 16, where local law sets a higher threshold). If you believe a child's data has been collected, contact redland2024@gmail.com and we will remove it after identity verification.

5.7 Compliance with Regulations

We periodically review this policy to ensure legal compliance and respond to formal written complaints as soon as practicable. We will work with regulatory authorities to resolve concerns you raise. You retain the right to file complaints with your home country's supervisory authority.

6. General Information

6.1 No Unsolicited Requests for Personal Information

We will not request your password, full API key, or payment details via unsolicited letters, calls, or emails. Legitimate ZapFetch communications about your account are accessible from the Console.

6.2 Changes to This Policy

We may update this policy at any time. Material changes will be notified to active users via the Console or email. We will not reduce your rights under this policy without your consent.

6.3 Complaints and Questions

For privacy-related questions, concerns, or to exercise your rights, contact redland2024@gmail.com.

For legal questions, contact redland2024@gmail.com.

For general support, contact redland2024@gmail.com.

By accessing the Services, you affirm that you understand and agree with the terms of this Privacy Policy.