Privacy & Compliance
ProtectMyAPI is designed with privacy-first principles and complies with major data protection regulations worldwide.
We automatically detect your jurisdiction and apply the appropriate privacy rules.
Supported Regulations
Global Coverage
| Regulation | Region | Key Rights |
|---|---|---|
| GDPR | European Union | Access, erasure, portability, consent |
| UK GDPR | United Kingdom | Same as GDPR (post-Brexit) |
| CCPA/CPRA | California, USA | Know, delete, opt-out of sale |
| LGPD | Brazil | Access, correction, deletion, consent |
| PIPEDA | Canada | Access, correction, complaint |
| POPIA | South Africa | Access, correction, deletion |
| PDPA | Singapore | Access, correction, withdrawal |
| APPs | Australia | Access, correction, anonymity |
Your Privacy Rights
Right to Access
Request a copy of all your personal data:
- Go to Settings → Privacy
- Click Request Data Export
- Receive download link via email (within 24 hours)
Export includes:
- Account information
- Organizations and memberships
- Apps and configurations
- Usage statistics
- Audit logs
Right to Deletion
- Request deletion: Go to Settings → Account → Delete Account
- Grace period: Account enters deletion queue (varies by jurisdiction):
  - GDPR: 30 days
  - CCPA: 45 days
  - LGPD: 15 days
- Cancel if needed: You can cancel deletion during the grace period
- Permanent removal: After grace period, all data is permanently deleted
Right to Portability
Export your data in machine-readable JSON format at any time.
Right to Rectification
Update your personal information in Settings → Profile.
Data We Collect
Account Data
| Data | Purpose | Retention |
|---|---|---|
| Email address | Authentication, notifications | Until deletion |
| Name | Display in dashboard | Until deletion |
| Password hash | Authentication | Until deletion |
| IP addresses | Security, fraud prevention | 90 days |
Usage Data
| Data | Purpose | Retention |
|---|---|---|
| Request counts | Analytics, billing | Aggregated indefinitely |
| Error rates | Debugging, monitoring | 30 days |
| Feature usage | Product improvement | Aggregated indefinitely |
What We Don’t Collect
- ❌ Request/response bodies
- ❌ Your users’ personal data
- ❌ Location data (beyond IP country)
- ❌ Device identifiers
- ❌ Biometric data
Consent Management
Required Consents
When creating an account, you must consent to:
- Terms of Service - Required for all users
- Privacy Policy - Required for all users
Optional Consents
These are opt-in and can be changed anytime:
- Marketing emails - Product updates, tips
- Analytics - Help us improve the product
- Third-party sharing - Integration partners
Managing Consents
Go to Settings → Privacy → Manage Consents to view and update your consent preferences.
California Privacy Rights (CCPA/CPRA)
Do Not Sell My Personal Information
ProtectMyAPI does not sell personal information. However, you can still exercise your CCPA rights:
- Go to Settings → Privacy
- Click Do Not Sell or Share
- Confirm your choice
Categories of Personal Information
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Email, name, IP | ✅ |
| Commercial information | Purchase history | ✅ |
| Internet activity | Usage data | ✅ |
| Geolocation | Country from IP | ✅ |
| Professional information | Company name | ✅ |
| Biometric | Fingerprints, face | ❌ |
| Sensitive data | SSN, health | ❌ |
GDPR Compliance
Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Account management | Contract performance |
| Billing | Contract performance |
| Security monitoring | Legitimate interest |
| Product analytics | Legitimate interest (opt-out available) |
| Marketing | Consent (opt-in) |
Data Processing Agreements
We have DPAs with all sub-processors. Request a copy at [email protected].
Sub-Processors
| Provider | Purpose | Location |
|---|---|---|
| Hetzner | Infrastructure | Germany 🇩🇪 |
| Cloudflare | CDN, security | Global (EU processing) |
| Stripe | Payments | USA (SCCs) |
| Resend | Transactional emails | USA (SCCs) |
| Axiom | Logging & analytics | USA (SCCs) |
Data Transfers
For transfers outside the EU/EEA, we rely on:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
- Supplementary measures as required
Data Retention
Retention Periods
| Data Type | Active Account | After Deletion |
|---|---|---|
| Account data | Indefinite | Purged |
| Usage logs | 30 days | Purged |
| Audit logs | 1 year | Purged |
| Backups | 7 days rolling | 90 days max |
| Analytics | Aggregated | Anonymized |
Automatic Cleanup
- Request logs: Deleted after 30 days
- Failed login attempts: Deleted after 7 days
- IP verification tokens: Deleted after 24 hours
Children’s Privacy
ProtectMyAPI is a business-to-business service not intended for children under 16. We do not knowingly collect personal information from children.
If you believe a child has provided us personal information, contact [email protected] for immediate deletion.
Security Measures
We protect your data with:
- Encryption at rest: AES-256-GCM
- Encryption in transit: TLS 1.3
- Access controls: Role-based with MFA
- Audit logging: All actions tracked
- Regular backups: Encrypted, tested monthly
See our Security page for full details.
Third-Party Services
Services That Access Your Data
| Service | Data Accessed | Purpose |
|---|---|---|
| Stripe | Email, billing info | Payment processing |
| Resend | Email address | Transactional emails |
| Axiom | Error data, logs | Monitoring & debugging |
Services That Don’t Access Your Data
- Your API keys are encrypted and never shared
- Request/response bodies never logged
- No advertising networks
Cookie Policy
Essential Cookies (Required)
| Cookie | Purpose | Duration |
|---|---|---|
| session | Authentication | Session |
| csrf | Security | Session |
| preferences | UI settings | 1 year |
Optional Cookies (Consent Required)
| Cookie | Purpose | Duration |
|---|---|---|
| analytics | Product improvement | 1 year |
We do not use:
- Advertising cookies
- Third-party tracking cookies
- Cross-site tracking
Privacy by Design
Built-In Privacy Features
- Data minimization: We only collect what’s necessary
- Purpose limitation: Data used only for stated purposes
- Storage limitation: Automatic deletion of old data
- Integrity: Encryption and access controls
- Confidentiality: Need-to-know access only
Privacy Impact Assessments
We conduct PIAs before:
- Launching new features
- Changing data processing
- Adding new sub-processors
Your Responsibilities
As a ProtectMyAPI user, you are responsible for:
- Your end users’ privacy: If your app collects user data through our proxy, you must:
  - Have a privacy policy
  - Obtain necessary consents
  - Respond to user requests
- Team member access: Ensure only authorized team members have access to your organization
- Secure credentials: Keep your API keys and account credentials secure
Contact Us
Privacy Inquiries
Email: [email protected]
Response time: Within 5 business days
Data Protection Officer
For EU/UK inquiries: Email: [email protected]
Supervisory Authority
EU users can lodge complaints with their local Data Protection Authority.
Policy Updates
We may update this policy periodically. Changes will be:
- Posted on this page
- Emailed to all users (for material changes)
- Effective 30 days after posting
Last updated: January 2025
Related Documents
- Terms of Service
- Security Architecture
- Data Processing Agreement (request via email)