Privacy Policy — Structural Diff API

Last updated: April 10, 2026

1. Overview

The Structural Diff API (“the API”) is a self-hosted REST service developed by Mohamed Yaakoubi that compares structured transcript and spreadsheet rows and generates detailed diff reports. This Privacy Policy explains how the API processes and protects your data.

2. Data You Submit

To use the API, you send JSON payloads containing transcript or spreadsheet rows, configuration options, and an x-api-key authentication header. That data is:

  • Processed in memory only — rows are compared by the diff engine and immediately discarded. No content data is written to any persistent database or file.
  • Not shared — the content of your requests is never sold, rented, or shared with third parties.
  • Not tied to identities — the API does not require any personally identifiable information (PII) in the rows themselves.

3. API Keys and Authentication

Access requires a valid x-api-key header. Keys are provisioned individually and stored as plaintext in the server's API_KEYS environment variable (accessible only to the operator). Comparison is performed via crypto.timingSafeEqual to prevent timing attacks. Keys are never written to any log. Keep your key confidential and report any compromise immediately.
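The following is an added example, not the Structural Diff API's own code, showing one way to check an x-api-key header against keys from API_KEYS with crypto.timingSafeEqual. It assumes API_KEYS is a comma-separated list; the function names, the SHA-256 pre-hash (added because timingSafeEqual throws when the two buffers differ in length) and the 401 response body are assumptions.

```javascript
// Added example, not the Structural Diff API's source code.
const crypto = require("crypto");

// Parse a comma-separated API_KEYS value (the separator is an assumption).
function loadKeys(envValue) {
  return (envValue || "")
    .split(",")
    .map((k) => k.trim())
    .filter((k) => k.length > 0);
}

// SHA-256 gives both sides a fixed 32-byte length, so timingSafeEqual
// never throws on a length mismatch and the key length is not revealed.
function digest(value) {
  return crypto.createHash("sha256").update(String(value), "utf8").digest();
}

// Returns true if `presented` matches any configured key.
// Every configured key is compared (no early exit), so the time taken
// does not depend on which key matched.
function isValidKey(presented, keys) {
  if (typeof presented !== "string" || presented.length === 0) return false;
  const presentedDigest = digest(presented);
  let ok = false;
  for (const key of keys) {
    const match = crypto.timingSafeEqual(presentedDigest, digest(key));
    ok = match || ok; // evaluated after the comparison, so no comparison is skipped
  }
  return ok;
}

// Hypothetical Express-style middleware (name and 401 body are assumptions).
// The presented key is never passed to a logger.
function requireApiKey(keys) {
  return (req, res, next) => {
    if (isValidKey(req.headers["x-api-key"], keys)) return next();
    res.status(401).json({ error: "unauthorized" });
  };
}

// Constructed sample value, not real keys.
const SAMPLE_KEYS = loadKeys("k_demo_alpha, k_demo_beta");
```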

4. Server Logs

The API infrastructure automatically logs:

  • Incoming request IP address (used for rate limiting).
  • Request identifier (x-request-id) for debugging.
  • Timestamp, HTTP status code, and latency.

Logs are written to stdout only via Winston — no log data is written to a database or external service. Retention duration depends on the deployment environment's log policy.

5. Third-Party Services

The API uses no third-party data storage, analytics, or tracking services. There is no Firebase, no database, no telemetry. Production dependencies are: express, helmet, cors, winston, morgan, joi. All processing occurs on the server operated by Mohamed Yaakoubi.

6. Security

All communications with the API occur over HTTPS/TLS. The x-api-key header is mandatory for endpoints that return diff data. Keys are compared in constant time and never logged in plaintext. The API uses helmet to apply standard HTTP security headers on every response.

7. Changes to This Policy

We may update this policy if our practices change. The “Last updated” date at the top will be revised accordingly.

8. Contact

For any questions about this Privacy Policy, reach out via mohamedyaakoubi.com/contact.