Privacy Policy

Last updated: February 2025

1. Introduction

Tornado API, operated by Velys Software, a technology company specializing in web access engineering and large-scale automated data extraction ("we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our API services and website.

By accessing or using Tornado API, you agree to this Privacy Policy. If you do not agree with the terms of this policy, please do not access the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Company name (if applicable)
  • Billing information for paid plans (processed through our third-party payment processor)
  • API keys and authentication credentials

2.2 Usage Data

We automatically collect certain information when you use our API:

  • API request logs (endpoints accessed, timestamps, response codes)
  • Data transfer volumes and file sizes
  • IP addresses
  • Error logs for debugging purposes

2.3 Cloud Storage Credentials

To deliver downloaded content to your cloud storage, you provide us with storage credentials (such as AWS access keys, Azure connection strings, or GCS service account keys). The handling of these credentials is detailed in Section 4.

3. How We Use Your Information

We use the collected information for:

  • Providing and maintaining our API services, including processing download requests and delivering files to your cloud storage
  • Processing transactions and sending billing information
  • Sending technical notices, updates, and support messages
  • Monitoring and analyzing usage patterns to improve our services
  • Detecting and preventing fraud, abuse, and violations of our Terms of Service and Acceptable Use Policy
  • Responding to DMCA notices and other legal requests
  • Complying with legal obligations

4. Cloud Storage Credential Security

We understand that cloud storage credentials are highly sensitive. We implement the following measures to protect them:

4.1 Encryption

  • At Rest: All cloud storage credentials are encrypted at rest using AES-256 encryption
  • In Transit: All credential data is transmitted exclusively over TLS 1.3 encrypted connections

4.2 Access and Retention

  • Credentials are stored only for the duration needed to complete your download jobs and are accessible only to the systems directly responsible for file delivery
  • Access to credential storage systems is restricted through role-based access controls and audit logging
  • Credentials are never logged in plaintext in application logs or error reports

4.3 Scoped Permissions

We strongly recommend that you provide credentials with the minimum permissions necessary for the Service to function (for example, write-only access to a specific bucket or container). Tornado uses only the permissions required to deliver files to your specified storage destination and does not access, read, modify, or delete any other data in your storage accounts.

4.4 Credential Management

You may rotate or revoke your cloud storage credentials at any time through your account dashboard or via the API. We recommend rotating credentials periodically as a security best practice. If you revoke credentials, any pending or in-progress download jobs that depend on those credentials may fail.

5. Download Activity Logs

We maintain logs of download activity processed through the Service. This section explains what is logged, how long it is retained, and how it is used.

5.1 What We Log

For each download request, we may log the following information:

  • Source URLs submitted for download
  • Timestamps of request submission, processing, and completion
  • File sizes and format information
  • Job status and outcome (success, failure, error codes)
  • Destination storage provider and bucket/container identifiers (not full credential data)
  • API key identifier used for the request
  • IP address of the requesting client

5.2 Retention Period

Download activity logs are retained for up to 90 days for operational purposes. Aggregated and anonymized usage statistics may be retained indefinitely for analytics and service improvement. Billing-related records are retained as required by applicable law and our business needs.

5.3 How Logs Are Used

Download activity logs are used for the following purposes:

  • Billing: To accurately calculate usage-based charges and generate invoices
  • Debugging: To diagnose and resolve technical issues, failed downloads, and service errors
  • Abuse Prevention: To detect patterns indicative of misuse, policy violations, or fraudulent activity
  • DMCA Compliance: To respond to valid DMCA takedown notices and identify repeat infringers as required by law
  • Legal Compliance: To respond to lawful requests from law enforcement or regulatory authorities

6. Data Storage and Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit using TLS 1.3
  • Sensitive data, including cloud storage credentials, is encrypted at rest using AES-256
  • Access to user data is restricted to authorized personnel through role-based access controls
  • Regular security reviews and infrastructure monitoring

Important: We do not persistently store the media content you download through our API. Files are transferred directly from the source to your specified cloud storage destination. Temporary processing data may exist in memory or ephemeral storage during the transfer process but is not retained after job completion.

7. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

  • Service Providers: With third-party vendors who assist in operating our services (payment processors, cloud infrastructure providers)
  • Legal Requirements: When required by law, subpoena, court order, or to respond to legal process
  • DMCA Compliance: We may disclose relevant account information in connection with DMCA notices, counter-notifications, or related legal proceedings
  • Protection of Rights: To protect the rights, property, or safety of Velys Software, our users, or others
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

8. Your Rights

Depending on your location, you may have the following rights:

  • Access and receive a copy of your personal data
  • Rectify inaccurate personal data
  • Request deletion of your personal data
  • Object to or restrict processing of your data
  • Data portability
  • Withdraw consent at any time

9. Cookies and Tracking

Our website uses essential cookies for functionality purposes. We use minimal analytics to understand how our website is used. You can control cookies through your browser settings.

10. Data Retention

We retain your account information for as long as your account is active and for a reasonable period thereafter. Usage logs are retained for operational, security, and legal purposes as described in Section 5. Billing records are retained as required by law and for our business purposes.

Data Deletion Requests: You may request deletion of your data by contacting us. However, we reserve the right to retain certain information as necessary for legal compliance, DMCA compliance, fraud prevention, dispute resolution, and enforcement of our Terms of Service. Data deletion requests do not entitle you to any refund.

11. Limitation of Liability for Data

While we implement reasonable security measures, we cannot guarantee the absolute security of your data. You acknowledge that:

  • We are not liable for any data loss, data breach, or unauthorized access to your information
  • We are not responsible for the actions of third parties, including hackers or malicious actors
  • You use our services at your own risk regarding data security
  • We make no guarantees about data integrity, availability, or backup
  • Any damages arising from data-related issues do not entitle you to compensation or refunds

12. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including countries that may not have equivalent data protection laws. By using our services, you consent to such transfers.

13. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy at any time without prior notice. Changes become effective immediately upon posting. It is your responsibility to review this policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Velys Software

Email: [email protected]

Website: velys.software