Privacy Policy

Effective February 1, 2026

Opelyx (“Opelyx,” “we,” “us,” or “our”) operates the opelyx.com platform, including the Health Plans API, Markets & Trading API, MCP Server, and associated developer dashboard at dashboard.opelyx.com (collectively, the “Services”). This Privacy Policy explains what information we collect, how we use it, how we protect it, and the rights you have with respect to your information. We encourage you to read this policy carefully before using the Services.

By registering for an account or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, please do not use the Services.

1. Information We Collect

Account and Registration Data

When you create an Opelyx account, we collect the information you provide directly to us, which may include:

  • Your email address, used as your account identifier and for service communications
  • A display name or username (if provided)
  • A hashed representation of your password (we never store plaintext passwords)
  • Account subscription tier (Free, Pro, or Enterprise)
  • Billing information, including your name and payment method details (processed by Stripe; see Section 7)

API Keys

When you generate an API key, we store a SHA-256 cryptographic hash of the key — not the key itself. The plaintext key (in the format op_ followed by 40 hexadecimal characters) is shown to you exactly once upon generation and is never stored by us in recoverable form. If you lose a key, you must revoke it and generate a new one. We associate key metadata with your account: creation date, last-used timestamp, an optional human-readable label you assign, and the tier at the time of generation.

API Usage Logs

To enforce rate limits, calculate billing, and detect abuse, we record structured logs for each API request made with your key. A usage log entry contains:

  • The SHA-256 hash of the API key that made the request (not the key itself)
  • The endpoint path and HTTP method (e.g., GET /v1/health/plans/search)
  • The HTTP response status code
  • The timestamp of the request (UTC)
  • The Cloudflare data center region that served the request (e.g., “DFW”)
  • Request duration in milliseconds

We do not log the full request body or query parameters in usage logs. Search parameters such as ZIP codes, ages, or income values are not persisted as part of the usage log entry; they exist only transiently during request processing.

Authentication Session Data

When you sign in to the developer dashboard at dashboard.opelyx.com, BetterAuth creates a session record stored in our D1 database. This record contains your account identifier, session token (hashed), session expiry timestamp, and the IP address at the time of sign-in. Sessions expire automatically and are deleted upon sign-out.

Cloudflare Access Data

All traffic to Opelyx services passes through Cloudflare’s Zero Trust network. Cloudflare Access issues a short-lived JSON Web Token (JWT) stored as a session cookie in your browser for authenticated dashboard sessions. This cookie is managed entirely by Cloudflare and is governed by Cloudflare’s Privacy Policy. We do not have access to the contents of this cookie beyond verifying the cryptographic signature.

Technical and Infrastructure Logs

As with any internet service, our infrastructure (hosted on Cloudflare Workers) may generate logs containing IP addresses, user-agent strings, and request metadata for security, debugging, and abuse prevention purposes. These logs are ephemeral, typically retained for fewer than 7 days, and are not linked to your account profile.

2. What We Do Not Collect

We designed Opelyx with data minimization as a core principle. There are several categories of data that we explicitly do not collect or store:

  • Health plan query content: When you query the Health Plans API with a ZIP code, age, household size, or income, those values are used only to fulfill the request in real time. They are not stored in your account record, associated with your API key in the usage log, or used to build any profile about you or your end users.
  • End-user data: If you build a product on top of Opelyx APIs that involves your own users, we receive API requests from your server — not from your end users directly. We have no visibility into who your end users are.
  • Tracking or advertising cookies: We do not use any advertising networks, tracking pixels, third-party analytics services, or behavioral profiling technologies on any Opelyx domain.
  • Social login data: We do not offer sign-in with Google, GitHub, or any other OAuth provider. Account creation requires only an email address and password.
  • Biometric or sensitive personal data: We have no mechanism to collect, and we never request, biometric identifiers, government ID numbers, Social Security numbers, or health records about you.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Account management: To create and maintain your account, authenticate your identity, and manage your subscription tier.
  • Service delivery: To process your API requests, authenticate your API keys, and route traffic to the appropriate data endpoints.
  • Rate limiting: To enforce per-tier daily request quotas (100 requests/day on Free, 10,000 requests/day on Pro, custom limits on Enterprise) by counting usage against your key’s daily counter in our Cloudflare KV store.
  • Billing: To calculate usage for invoicing, reconcile your subscription tier, and pass payment processing details to our payment provider (Stripe). We do not store your full payment card number.
  • Security and abuse prevention: To detect anomalous request patterns, investigate suspected abuse of the API, revoke compromised keys, and protect other users of the service.
  • Service improvement: To understand aggregate usage patterns (e.g., which endpoints are most frequently called, error rates by endpoint), improve API reliability, and prioritize new data verticals.
  • Communications: To send you transactional emails related to your account (e.g., API key creation confirmations, subscription changes, password resets, notices of policy changes). We do not send unsolicited marketing email. You may opt out of non-transactional communications at any time.
  • Legal compliance: To comply with applicable law, respond to lawful requests from government authorities, and enforce our Terms of Service.

4. Data Storage and Security

Infrastructure

All Opelyx services run on Cloudflare’s global edge network. Account data and API key metadata are stored in Cloudflare D1 (distributed SQLite) within Cloudflare’s infrastructure. Rate limit counters are stored in Cloudflare KV. Cloudflare maintains SOC 2 Type II certification and GDPR Data Processing Agreements.

Encryption

All data transmitted between your client and Opelyx services is encrypted in transit using TLS 1.2 or higher. Cloudflare enforces HTTPS on all domains. Data stored in D1 and KV is encrypted at rest using AES-256 by Cloudflare’s underlying storage infrastructure. We do not manage encryption keys directly; Cloudflare manages this on our behalf.

API Key Security

API keys are never stored in plaintext. Upon generation, we immediately compute a SHA-256 hash of the key and store only the hash. All authentication lookups are performed against this hash. This means that even if our database were accessed without authorization, your API key could not be recovered from the stored data.

Access Controls

Administrative access to Opelyx infrastructure requires authentication through Cloudflare Zero Trust with short-lived certificates. No long-lived credentials are used for infrastructure access. Database access from application code is limited to parameterized queries via Drizzle ORM — raw SQL access to production databases is not used in application paths.

Vulnerability Disclosure

If you discover a security vulnerability in the Opelyx platform, please report it to support@opelyx.com. We will acknowledge your report within 48 hours and work to remediate confirmed vulnerabilities promptly.

5. Cookies and Tracking Technologies

Opelyx uses a minimal cookie footprint. We use cookies solely for the following purposes:

  • Cloudflare Access JWT (CF_Authorization): A session cookie issued by Cloudflare Access when you authenticate to the developer dashboard. This cookie contains a signed JWT that proves you have passed the Zero Trust authentication check. It is a session cookie (expires when the browser closes or when the JWT’s expiry is reached, whichever comes first). It does not contain any personal information beyond your account identifier in encrypted form. This cookie is strictly necessary for the dashboard to function.
  • BetterAuth session cookie: A session identifier cookie set by our authentication layer at dashboard.opelyx.com when you sign in. This cookie allows the dashboard to recognize your authenticated session across page loads. It is a session cookie scoped to the .opelyx.com domain and is cleared on sign-out.

We do not use any of the following: advertising cookies, analytics cookies, social media tracking pixels, first-party or third-party behavioral tracking, fingerprinting scripts, or persistent identifiers for advertising purposes. There is no cookie consent banner because there are no tracking or advertising cookies to consent to. Marketing pages (opelyx.com, health.opelyx.com, trading.opelyx.com) set no cookies at all.

6. Data Retention

We retain different categories of data for different periods based on operational need:

  • API usage logs: 90 days from the date of the request. After 90 days, usage log records are purged from the database. Aggregate statistical summaries (e.g., monthly request counts per account) may be retained for longer for billing reconciliation.
  • Rate limit counters: Daily counters in Cloudflare KV expire automatically at midnight UTC each day. They contain only a count and a key hash, not any personal information.
  • Account data (email, subscription tier, key metadata): Retained for the duration of your account. If you delete your account, personal account data is deleted within 30 days. API key hashes may be retained in anonymized audit logs for up to 12 months to support fraud investigation.
  • Authentication sessions: Sessions are deleted upon sign-out or expiry (whichever occurs first). Expired sessions are purged within 7 days.
  • Infrastructure logs: Ephemeral Cloudflare infrastructure logs containing IP addresses and request metadata are retained for fewer than 7 days.
  • Billing records: Payment transaction records are retained for 7 years to comply with financial recordkeeping obligations under applicable law.

7. Third-Party Services

Opelyx uses the following third-party services to operate. Each is subject to its own privacy policy, which you are encouraged to review:

  • Cloudflare, Inc.: Provides DNS, CDN, DDoS protection, Workers edge compute, D1 database, KV storage, R2 object storage, and Zero Trust access control. All Opelyx traffic transits Cloudflare’s network. Cloudflare acts as a data processor on our behalf and is bound by a Data Processing Addendum. See the Cloudflare Privacy Policy.
  • Stripe, Inc.: Processes subscription payments for Pro and Enterprise tiers. When you enter payment information, it is transmitted directly to Stripe and never passes through Opelyx servers in raw form. Stripe is PCI DSS Level 1 certified. Opelyx receives only a tokenized reference to your payment method. See the Stripe Privacy Policy.
  • Resend: Provides transactional email delivery for account notifications (e.g., API key creation, subscription confirmations, password resets). We transmit your email address to Resend for the purpose of sending you these messages. See the Resend Privacy Policy.

We do not sell, rent, or share your personal information with any third party for that third party’s own marketing or advertising purposes. We do not use advertising networks or data brokers.

8. Data Sources and Underlying Data

The data served through Opelyx APIs is sourced from public government datasets and public market APIs. No personal information about individuals is contained in our API responses. Specifically:

  • Health Plans API: Data is sourced from the Centers for Medicare & Medicaid Services (CMS) Public Use Files (PUFs), which contain standardized plan and rate data for Affordable Care Act marketplace plans. These are aggregate plan attributes (premiums, deductibles, coverage details) and do not contain information about enrolled individuals.
  • SEC Filings API: Data is sourced from the U.S. Securities and Exchange Commission’s EDGAR system, which is public record. This data relates to publicly traded companies, not individuals, except where executives are named as filers in their public capacity.
  • Prediction Markets API: Data is sourced from public APIs provided by Polymarket, Kalshi, and Manifold Markets, reflecting publicly available market prices and contract information.

9. Your Rights and Choices

Access and Portability

You may view the personal information associated with your account at any time by signing in to the developer dashboard at dashboard.opelyx.com. Your account page displays your email address, subscription tier, API key metadata (labels, creation dates, last-used timestamps), and recent usage statistics. If you need a machine-readable export of your account data, contact us at support@opelyx.com and we will provide it within 30 days.

Correction

You may update your account information, including your email address and display name, through the account settings page in the dashboard. If you are unable to update information yourself, contact us at support@opelyx.com.

Deletion

You may request deletion of your Opelyx account by emailing support@opelyx.com with the subject line “Account Deletion Request.” Upon verification of your identity, we will delete your account and associated personal data within 30 days. Please note that:

  • API usage logs older than 30 days will be purged on their normal 90-day schedule
  • Billing transaction records must be retained for 7 years as required by law
  • Anonymized API key hashes may be retained in security audit logs for up to 12 months

Opt-Out of Non-Transactional Communications

We do not send marketing email. Any email you receive from Opelyx relates directly to your account or the service. If we ever introduce optional communications (such as a product newsletter), we will obtain separate consent, and every such email will include a one-click unsubscribe link.

10. California Residents — CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights regarding your personal information.

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

  • Identifiers (email address, account ID)
  • Internet or other electronic network activity information (API usage logs, request metadata)
  • Commercial information (subscription tier, billing history)

We do not collect sensitive personal information as defined by the CPRA (Social Security numbers, financial account numbers, geolocation data, health or medical information, racial or ethnic origin, contents of communications, or biometric data).

Purposes for Collection

We collect the above categories for the business purposes described in Section 3 of this policy: account management, service delivery, rate limiting, billing, security, service improvement, and legal compliance.

Sale or Sharing of Personal Information

We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising. As such, there is no opt-out mechanism for “sale” or “sharing” because neither occurs.

Your California Rights

California residents have the right to:

  • Know what personal information we have collected, used, disclosed, and sold about you
  • Delete personal information we have collected, subject to certain exceptions
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information (not applicable, as we do not sell or share)
  • Non-discrimination for exercising your CCPA rights
  • Limit use of sensitive personal information (not applicable, as we do not collect it)

To exercise these rights, contact us at support@opelyx.com with the subject line “CCPA Rights Request.” We will respond within 45 days as required by law. We may need to verify your identity before processing your request.

11. European Residents — GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent national laws.

Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract performance (Article 6(1)(b)): Processing your account data, API key metadata, and usage logs is necessary to provide the Services you have contracted with us to receive.
  • Legitimate interests (Article 6(1)(f)): We process infrastructure logs and usage telemetry based on our legitimate interest in securing the platform, detecting abuse, and improving service reliability. Our legitimate interests do not override your fundamental rights.
  • Legal obligation (Article 6(1)(c)): We retain billing records to comply with applicable financial recordkeeping laws.

International Data Transfers

Opelyx operates on Cloudflare’s global network, which means your data may be processed in data centers located outside the EEA, including in the United States. Cloudflare participates in the EU-U.S. Data Privacy Framework and maintains Standard Contractual Clauses (SCCs) for international data transfers. By using the Services, you acknowledge that your data may be transferred and processed globally.

Your GDPR Rights

You have the following rights under the GDPR:

  • Right of access (Article 15): Obtain a copy of your personal data
  • Right to rectification (Article 16): Correct inaccurate data
  • Right to erasure (Article 17): Request deletion of your data
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20): Receive your data in a structured, machine-readable format
  • Right to object (Article 21): Object to processing based on legitimate interests
  • Right to withdraw consent (where consent is the legal basis)

To exercise any of these rights, email support@opelyx.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority if you believe we have processed your data in violation of applicable law.

12. Children’s Privacy

The Opelyx Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe we have inadvertently collected personal information from a child under 13, please contact us at support@opelyx.com and we will delete such information promptly. Users under the age of 18 should review this policy with a parent or guardian before using the Services.

13. Links to Third-Party Sites

Our websites and documentation may contain links to third-party websites, including API documentation, government data sources, and partner services. We are not responsible for the privacy practices of these external sites and encourage you to review their privacy policies before providing any personal information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will notify you by sending an email to the address associated with your account and by updating the effective date at the top of this page. We will provide at least 30 days’ notice before material changes take effect, unless a shorter notice period is required by law.

Your continued use of the Services after the effective date of a revised Privacy Policy constitutes your acceptance of those changes. If you do not agree with the revised policy, you must stop using the Services and may request account deletion as described in Section 9.

15. Contact Information

If you have questions, concerns, or requests related to this Privacy Policy or the handling of your personal information, please contact us:

We aim to respond to all privacy-related inquiries within 5 business days and to fulfill substantive requests within the timeframes mandated by applicable law.