Privacy Policy
Last updated: March 29, 2026
This Privacy Policy explains what information the Trademark Search API ("the Service"), available at https://tmsearchapi.com, collects, how it is used, and how long it is retained.
1. Who Operates This Service
The Service is operated by:
Goodhue, Coleman & Owens, P.C.
7300 Westown Parkway, Suite 110
West Des Moines, Iowa
Email: info@goodhue.com
If you have questions about data handling, contact us at the address above.
2. What Data We Collect
2.1 IP Addresses (Free Tier Rate Limiting)
When you make a request to any /search/* endpoint without an API key, we record your IP address and a daily call count. This is used solely to enforce the free-tier limit of 50 requests per day.
- Where it is stored: In-memory only on the API server.
- How long it is kept: Until the server restarts or until midnight UTC, whichever comes first. The count resets at midnight UTC each day.
- No logging to disk: IP addresses are not written to any log file, database, or external service.
Visiting the website (tmsearchapi.com), documentation pages, or legal pages does not record your IP address.
2.2 API Keys (Paid Tier)
When you call POST /api/keys, we generate a random API key (prefixed with tm_) and store a cryptographic hash (SHA-256) of that key in our database, along with a credit balance and an expiry date.
- What we store: A SHA-256 hash of the API key string, your credit balance, and your 30-day expiry date.
- What we do not store: The plaintext API key. It is shown to you once at creation and is not recoverable. We cannot read or reconstruct your key from the hash.
- Where it is stored: In a PostgreSQL database that persists across server restarts.
- How long it is kept: Indefinitely, until manually purged by the operator. There is no automatic deletion of API key records.
- We do not associate API keys with your identity, email address, or any personal information.
2.3 Blockchain Transaction Hashes (Payment Deduplication)
When you submit a payment proof via the X-Payment header, we record the on-chain transaction hash to prevent the same payment from being credited more than once.
- What we store: The transaction hash (a public on-chain identifier) and the API key hash it was applied to.
- Where it is stored: In a PostgreSQL database that persists across server restarts.
- How long it is kept: Indefinitely, until manually purged by the operator.
- We do not store wallet addresses, private keys, or any other blockchain identity information.
2.4 What We Do Not Collect
- Names, email addresses, or any contact information
- Passwords or authentication credentials (beyond the hashed API key described above)
- Payment card data
- Cookies, browser data, or device fingerprints — the website does not use cookies, tracking pixels, analytics scripts, or any form of browser fingerprinting
- The content of your search queries is not retained after the response is sent
3. How We Use the Data
| Data | Storage | Purpose |
|---|---|---|
| IP address | In-memory (transient) | Enforce the 50-requests/day free-tier rate limit on search endpoints |
| API key hash | PostgreSQL (persistent) | Authenticate paid API callers across requests and server restarts |
| Credit balance & expiry date | PostgreSQL (persistent) | Track remaining paid credits and enforce the 30-day window |
| Transaction hash | PostgreSQL (persistent) | Prevent a single on-chain payment from unlocking credits more than once |
We do not use any of this data for marketing, analytics, profiling, or any purpose other than operating the rate limiter and payment system described above.
4. Third-Party Services
4.1 Base Mainnet RPC
When you submit a payment proof, we send the transaction hash to a public Base Mainnet JSON-RPC endpoint (mainnet.base.org) to verify the on-chain transfer. This is a read-only lookup of publicly available blockchain data. No personal data is transmitted; only the transaction hash is sent.
4.2 USPTO
The trademark records served by this API come from public bulk data published by the United States Patent and Trademark Office (USPTO). We do not share any data with the USPTO.
4.3 Hosting Platform
The Service is hosted on a cloud platform (Replit). The hosting provider operates the PostgreSQL database and underlying infrastructure. The hosting provider may have access to database contents and server logs as part of normal infrastructure operation. We do not control or have visibility into what the hosting provider retains beyond the data described in this policy.
5. Data Retention
| Data | Retention |
|---|---|
| IP rate-limit counts | Cleared on server restart or at midnight UTC, whichever comes first |
| API key hashes, credit balances, expiry dates | Stored persistently in PostgreSQL; retained indefinitely unless manually deleted by the operator |
| Transaction hashes | Stored persistently in PostgreSQL; retained indefinitely to prevent payment replay |
The operator does not currently have a scheduled deletion policy for persistent data. If you wish to request deletion of your API key record, contact the operator (see Section 1). Because API keys are stored as hashes and are not linked to any identity, the operator can only delete a record if you provide the exact API key string so the matching hash can be located.
6. Data Sharing
We do not sell, rent, or share any data with third parties, except as described in Section 4 (the Base Mainnet RPC call involving only public blockchain data, and the hosting platform's standard infrastructure access).
7. Security
API keys are stored as SHA-256 hashes, so the plaintext key is never written to disk or the database. Transaction hashes are public on-chain data. Credit balances and expiry dates are stored in a standard PostgreSQL database protected by the hosting platform's access controls. We recommend treating your API key like a password — do not share it, and generate a new one if you believe it has been compromised.
8. Your Rights
If you wish to request deletion of your API key and associated payment records, contact the operator at info@goodhue.com with your exact API key string. Because keys are stored as hashes, we require the plaintext key to locate the record.
IP-based rate limit counts are transient and are automatically discarded; there is no action needed to clear them.
9. Children
The Service is not directed at children under the age of 13 and does not knowingly collect information from them.
10. Changes to This Policy
If this policy changes materially, the "Last updated" date above will be revised. Continued use of the Service after a policy change constitutes acceptance of the revised policy.