Privacy Policy
Last updated: March 13, 2026
1. Introduction
Edge (“we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, store, share, and protect data when you use the Edge platform, APIs, dashboard, and related services (collectively, the “Services”).
This policy applies to all users of the Services, including account holders, organization members, and visitors to our website. By using the Services, you consent to the practices described in this policy. If you do not agree, please discontinue use of the Services.
Edge is operated from the Kingdom of Bahrain and is committed to compliance with the Bahrain Personal Data Protection Law (PDPL), Law No. 30 of 2018, and where applicable, the EU General Data Protection Regulation (GDPR).
2. Data Controller
Edge is the data controller responsible for your personal data collected through the Services. For questions about data processing or to exercise your rights, contact:
Email: privacy@edge.bh
Location: Kingdom of Bahrain
3. Information We Collect
3.1 Account Information
When you register, we collect your name, email address, organization name, and other details necessary to create and manage your Account. If you sign up via third-party OAuth providers (e.g., Google, GitHub), we receive your name, email, and profile identifier from that provider.
3.2 Organization and Team Data
When you create or join an Organization, we collect organization name, member email addresses, roles, and permission assignments. This data is used to manage access control within your team.
3.3 API Usage Data
We log API requests for operational, billing, and security purposes. Logged data includes:
- Timestamps of requests
- API endpoints called and HTTP methods
- Response status codes
- Credit consumption per request
- IP address of the requester
- API Key identifier (hashed, not the raw key)
- Request and response body metadata (truncated to 10KB maximum, with sensitive fields redacted)
Important: IBAN numbers and financial data submitted for validation are processed in real time and are logged only in truncated/redacted form. We do not retain full IBAN numbers or financial data beyond what is necessary for request logging and debugging.
3.4 Payment and Billing Information
Payment processing is handled exclusively by third-party payment providers. We do not store full credit card numbers, CVVs, or banking credentials on our servers. We retain:
- Transaction records (amounts, dates, currency)
- Credit allocation records
- Payment method identifiers provided by the payment processor (e.g., last four digits, card brand)
- Billing address (if provided)
3.5 Technical and Device Data
We automatically collect technical information when you access the dashboard or API endpoints:
- IP addresses
- Browser type and version
- Operating system
- Device type and screen resolution
- Referring URLs
- Pages visited and time spent on the dashboard
3.6 Communication Data
When you contact us for support or provide feedback, we collect the content of your communications, including email addresses, subject lines, and message content, to respond to your inquiries and improve our Services.
4. Legal Basis for Processing
We process your personal data on the following legal bases, as applicable under the Bahrain PDPL and GDPR:
- Contract Performance: Processing necessary to provide the Services you have requested, including account management, API access, credit management, and billing.
- Legitimate Interest: Processing necessary for our legitimate business interests, such as fraud prevention, security monitoring, service improvement, and analytics, provided these interests are not overridden by your rights.
- Legal Obligation: Processing required to comply with applicable laws, regulations, or legal processes.
- Consent: Where required, we obtain your explicit consent for specific processing activities. You may withdraw consent at any time by contacting us.
5. How We Use Your Information
We use the information we collect to:
- Provide, operate, maintain, and improve the Services.
- Create and manage your Account and Organization.
- Process credit purchases, track API usage, and manage billing.
- Authenticate API requests, enforce rate limits, and manage credit balances.
- Detect, investigate, and prevent fraud, abuse, security incidents, and unauthorized access.
- Communicate with you about your Account, service updates, security alerts, and support inquiries.
- Comply with legal obligations, respond to legal requests, and enforce our Terms and Conditions.
- Generate anonymized, aggregated analytics to improve platform performance, reliability, and user experience.
- Monitor system health and performance and troubleshoot technical issues.
We do not use your personal data for automated decision-making or profiling that produces legal effects concerning you.
6. API Key Security
API keys are hashed using SHA-256 before storage. We never store raw API keys after initial generation. The plain-text key is displayed exactly once upon creation and cannot be retrieved afterward.
API key lookups are performed using constant-time hash comparison to prevent timing attacks. Because only hashes are stored, your API keys remain cryptographically protected even in the event of a data breach.
We log API key identifiers (the first and last characters) for audit purposes but never log the full key or its hash in application logs.
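The storage and lookup scheme described in this section, shown as an added illustration in Python; it is not Edge's own code. The key format, the four-character mask length, and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "edge_"  # hypothetical key format, not taken from the policy
MASK_CHARS = 4        # assumption: the policy gives no character count


def hash_key(raw_key: str) -> str:
    """SHA-256 hex digest stored in place of the raw key."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


# Digest of a random value that is discarded at once: unknown key ids are
# compared against it, so they cost the same work and can never match.
_DUMMY = hash_key(secrets.token_urlsafe(32))


def mask_key(raw_key: str) -> str:
    """Audit-log identifier: first and last characters only."""
    if len(raw_key) <= 2 * MASK_CHARS:
        return "*" * len(raw_key)  # too short to show any part of it
    return f"{raw_key[:MASK_CHARS]}...{raw_key[-MASK_CHARS:]}"


class KeyStore:
    """In-memory stand-in for the key table; it holds digests only."""

    def __init__(self):
        self._digests = {}  # public key id -> stored SHA-256 digest

    def issue(self) -> str:
        key_id = secrets.token_hex(4)
        # 32 random bytes of secret: this entropy is why a fast, unsalted
        # hash is acceptable for keys while passwords need bcrypt.
        raw = f"{KEY_PREFIX}{key_id}_{secrets.token_urlsafe(32)}"
        self._digests[key_id] = hash_key(raw)
        return raw  # returned once; the raw key is never persisted

    def verify(self, presented: str) -> bool:
        # The key id is not secret, so it may index the lookup; the digest
        # check is the step that must not leak how much of it matched.
        parts = presented.split("_", 2)
        key_id = parts[1] if len(parts) == 3 else ""
        stored = self._digests.get(key_id, _DUMMY)
        return hmac.compare_digest(hash_key(presented), stored)
```
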
7. Cookies and Tracking Technologies
Our dashboard uses the following types of cookies:
Essential Cookies
- Session cookies: Used to maintain your authenticated session across page loads. These are strictly necessary for the dashboard to function.
- CSRF tokens: Used to protect against cross-site request forgery attacks.
- Organization preference: Used to remember your selected Organization within the dashboard.
Analytics Cookies
We may use privacy-respecting analytics tools to understand how the dashboard is used and identify areas for improvement. These tools do not use third-party tracking cookies and do not share data with advertisers.
We do not use:
- Third-party advertising cookies
- Cross-site tracking technologies
- Browser fingerprinting
- Tracking pixels for advertising purposes
Session cookies are scoped to our domain and are transmitted only over secure connections. You may configure your browser to reject cookies, but doing so may prevent you from using the dashboard.
8. Data Sharing and Third Parties
We do not sell, rent, or trade your personal information. We may share data with third parties only in the following limited circumstances:
- Service Providers: We engage trusted third-party service providers to assist in delivering the Services, including cloud hosting, payment processing, email delivery, and infrastructure management. These providers are bound by contractual confidentiality obligations and are permitted to process your data only for the purposes specified by Edge.
- Legal Requirements: We may disclose data when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect the rights, safety, or property of Edge, our users, or the public.
- Business Transfers: In connection with a merger, acquisition, corporate reorganization, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such transfer and any changes to this Privacy Policy.
- With Your Consent: We may share data with third parties when you have given us explicit consent to do so.
We maintain a list of our sub-processors and their roles, available upon request by contacting privacy@edge.bh.
9. Data Retention
We retain your data according to the following schedule:
- Account Data: Retained for as long as your Account is active. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
- API Request Logs: Retained for up to 90 days for operational and debugging purposes, after which they are automatically purged or anonymized.
- Billing and Transaction Records: Retained for up to 7 years to comply with tax and accounting regulations.
- Security Logs: Retained for up to 1 year for security monitoring and incident investigation.
- Communication Records: Retained for up to 2 years after the last communication.
When data is no longer needed for its original purpose, it is securely deleted or irreversibly anonymized.
10. Data Security
We implement comprehensive security measures to protect your data, including:
- Encryption in Transit: All data transmitted between your systems and ours is encrypted using TLS 1.2 or higher.
- Encryption at Rest: Sensitive data stored in our databases is encrypted at rest.
- API Key Protection: API keys are SHA-256 hashed before storage. Passwords are hashed using bcrypt with appropriate cost factors.
- Access Control: Role-based access control (RBAC) is enforced at the application and database level. Access to production systems is restricted to authorized personnel.
- Database Security: All database queries use parameterized statements to prevent SQL injection. Credit transactions use database-level row locking to prevent race conditions.
- CSRF Protection: Cross-site request forgery protection is enforced on all dashboard endpoints.
- CORS Policy: Strict cross-origin resource sharing policies with explicit origin allowlists. Wildcard origins are never used with credentials.
- Log Redaction: Passwords, full API keys, and other sensitive fields are automatically redacted before logging. Request and response bodies are truncated to 10KB.
- Infrastructure Security: Our infrastructure is hosted on secure, reputable cloud platforms with physical security, network isolation, and regular security audits.
While we take extensive precautions, no system is completely secure. You are responsible for safeguarding your Account credentials and API Keys.
11. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant data protection authority within the timeframes required by applicable law (72 hours under the GDPR, and as required under the Bahrain PDPL).
- Notify affected users without undue delay via email and/or dashboard notification.
- Provide information about the nature of the breach, the data affected, the measures taken to address the breach, and recommended actions you should take.
12. Your Rights
Under the Bahrain PDPL, GDPR (where applicable), and other applicable data protection laws, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you, including the purposes of processing and categories of data.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data, subject to legal retention requirements and legitimate business needs.
- Right to Restrict Processing: Request that we limit the processing of your data in certain circumstances.
- Right to Data Portability: Request your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV).
- Right to Object: Object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the relevant data protection authority. In Bahrain, this is the Personal Data Protection Authority. In the EU, this is your local supervisory authority.
To exercise any of these rights, contact us at privacy@edge.bh. We will respond within 30 days. We may request verification of your identity before processing your request.
We will not discriminate against you for exercising your privacy rights.
13. International Data Transfers
Edge operates from the Kingdom of Bahrain. If you access the Services from outside Bahrain, your data may be transferred to and processed in Bahrain or other jurisdictions where our service providers operate.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data processing agreements with our service providers that include equivalent protections.
- Technical and organizational security measures as described in this policy.
By using the Services, you acknowledge and consent to the transfer and processing of your data as described above.
14. Children’s Privacy
The Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take immediate steps to delete it. If you believe that a child has provided us with personal data, please contact us at privacy@edge.bh.
15. Do Not Track Signals
Our Services do not currently respond to “Do Not Track” (DNT) browser signals. However, as stated above, we do not engage in cross-site tracking or third-party advertising tracking.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated via:
- Email notification to the address associated with your Account.
- A prominent notice on our dashboard or website.
We will provide at least 30 days’ notice before material changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.
Your continued use of the Services after the revised policy takes effect constitutes your acceptance of the changes. We maintain an archive of previous versions of this policy, available upon request.
17. Contact
If you have questions, concerns, or complaints about this Privacy Policy, our data practices, or wish to exercise your data protection rights, please contact us:
General Support: support@edge.bh
Privacy Inquiries: privacy@edge.bh
Website: edge.bh
Location: Kingdom of Bahrain