# Halfway API data handling

## External processing

The two submitted origin strings are sent over HTTPS to Geoapify, the external location-data provider, for geocoding. The resulting coordinates are used for Geoapify routing, place search, and travel-time matrix calls. Returned venue data includes attribution to Geoapify and OpenStreetMap contributors.

## Storage and retention

- Raw submitted origin strings: excluded from logs, Analytics Engine records, and cache values. They are represented only by non-reversible keyed cache identifiers and returned to the caller in that caller's response.
- Provider-resolved geocodes: application-encrypted in Cloudflare KV for at most 30 days.
- Routes and travel-time matrices: application-encrypted in Cloudflare KV for at most 3 days.
- Nearby-place results: application-encrypted in Cloudflare KV for at most 1 day.
- Complete computed results: application-encrypted in Cloudflare KV for at most 6 hours; the cached value excludes raw submitted origin strings.
- Deterministic no-result errors: application-encrypted in Cloudflare KV for at most 10 minutes.
- Payment signatures, payer identities, and entitlements: never stored in KV. Replay protection uses a non-reversible identifier in a Cloudflare Durable Object.

KV values use AES-GCM application encryption and carry both embedded expirations and Cloudflare KV TTLs. Operational analytics are allowlisted aggregates such as route, status, cache outcome, travel mode, venue type, latency, and settled revenue; they exclude origins, IP addresses, user agents, payer details, signatures, and full URLs.
