Privacy Statement

Anyone may access the Epidata API anonymously without providing any personal data. For anyone looking for COVIDCast data licensing, please visit our COVIDCast Data Licensing.

Some features of the API are only available by registering for an API key. We require an email address for all registrations so that we can contact you to resolve problems with excessive or abnormal usage patterns. Any additional personal information you provide to us at registration will be much appreciated, because it will help us understand what our data is used for and inform our plans and priorities, but is voluntary.

You may also choose to share personal information with us to participate in user surveys.

We log information about API traffic including the query parameters, API key, and source IP address for each request. We retain these logs for a period of not longer than five years. We use this information for the following purposes:

  • to monitor the responsiveness of the API service
  • to monitor the relative popularity of different data and features, alone and in concert with user survey results
  • to identify excessive or abnormal usage patterns which may harm our system

The logs are only available to members of our operations team, and are expunged at or before they reach five years in age.

If you provide us with your email address, we will only use it to contact you in the following scenarios:

  • you asked a question in a user survey and we have an answer for you
  • we make improvements or other changes to the Epidata API service
  • the API service experiences an outage
  • your API key is about to expire
  • your API usage becomes excessive or abnormal
  • a voluntary survey of our users, but no more than once every 6 months

We store the mapping from tokens to email addresses in a location separate from server logs, using security measures consistent with our internal information security practices to help us keep your information secure. We only retrieve this mapping to resolve cases of excessive or abnormal usage. We automatically disassociate an email address from its API key when the API key has not been used for six months, or upon user request. You can request that your email address be removed from our records by filling out a deletion request.

For more information, see Carnegie Mellon’s privacy notice. Further questions can be directed to delphi-support+privacy@andrew.cmu.edu.