Privacy Policy

Last updated: February 23, 2026

1. Introduction

APICrate ("we", "our", "us") is operated by Apicrate sp. Z.o.o, Warszawa, ul. Grojecka 104. Poland (data controller). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our API services and website at apicrate.io and api.apicrate.io.

Please read this policy carefully. Where we rely on your consent as a legal basis for processing, we will ask for it separately. For all other processing, the legal bases are described in Section 10 below.

2. Information We Collect

Account Information

When you register for an API key or create an account, we may collect:

• Email address
• Name or company name
• Password (stored securely hashed)

Billing Information

If you subscribe to a paid plan, we collect:

• Payment information (processed by our payment provider; we do not store full card details)
• Billing address
• Transaction history

Usage Data

We automatically collect certain information when you use our APIs:

• API endpoints accessed and request timestamps
• Request volumes and response codes
• IP address
• Browser type and device information (when accessing the website)

API Request Data

When you call our API endpoints, the data you submit (e.g. user-agent strings, hashes, postal codes) is processed in memory to generate a response and is not stored, logged, or persisted beyond the immediate request. We do not use API request payloads for analytics, model training, or any secondary purpose.

Cookies

Our website uses cookies for essential site functionality and self-hosted analytics. We use Matomo (self-hosted) to understand how our website is used. Matomo data is not shared with any third party.

• Essential cookies — required for site operation (session, CSRF protection). Cannot be disabled.
• Analytics cookies — Matomo tracking. We respect the Do Not Track (DNT) and Global Privacy Control (GPC) browser signals; if enabled, no analytics cookies are set.

3. How We Use Your Information

We use the information we collect for the purposes and legal bases listed below:

• Provide, operate, and maintain our API services — contract performance
• Process transactions and manage billing — contract performance
• Enforce rate limits and usage quotas — contract performance / legitimate interest
• Communicate about your account, service updates, and support requests — contract performance
• Monitor and improve performance, security, and reliability — legitimate interest
• Detect and prevent fraud, abuse, and unauthorized access — legitimate interest
• Analytics (Matomo) — legitimate interest (or consent, where required by local law)
• Comply with legal obligations — legal obligation

4. Information Sharing

We do not sell, rent, or trade your personal information.

We may share your information only in the following circumstances:

• Service providers (sub-processors):
  • Stripe, Inc. — payment processing (privacy policy)
  • Hetzner Online GmbH — server hosting, EU data centres (privacy policy)
• Legal requirements — when required by law, regulation, or legal process
• Business transfers — in connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction

We do not share data with any other third parties. An up-to-date list of sub-processors is available upon request at privacy@apicrate.io.

5. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption of data in transit (TLS/HTTPS)
• Secure, hashed password storage
• Access controls and least-privilege principles
• Regular security assessments

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, in accordance with GDPR Articles 33 and 34.

6. Data Retention

• Account data — retained while your account is active, then deleted within 30 days of account deletion
• Usage and API logs — retained for up to 24 months
• Billing data — retained for up to 7 years for tax and legal compliance
• Support communications — retained for up to 3 years

7. Your Rights

Depending on your location, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Restrict or object to certain processing
• Data portability (receive your data in a structured, machine-readable format)
• Withdraw consent at any time, where processing is based on consent
• Opt out of marketing communications

To exercise any of these rights, please contact us at privacy@apicrate.io. We will respond to your request within 30 days.

8. Third-Party Services

Our services may contain links to or integrations with third-party websites and services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies independently.

9. International Data Transfers

Our servers are located in the European Union (Hetzner, Germany). Your personal data is stored and processed within the EU.

Certain sub-processors (e.g. Stripe for payment processing) may process data outside the EU. Where this occurs, we ensure appropriate safeguards are in place, such as EU Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission.

10. GDPR (EEA/UK/Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR).

Legal Bases for Processing

• Contract performance — providing the API service, managing your account, processing payments, enforcing quotas
• Legitimate interest — security monitoring, fraud prevention, service improvement, analytics (with appropriate safeguards)
• Consent — analytics cookies where required by local law; marketing communications
• Legal obligation — tax records, regulatory compliance

Where we rely on legitimate interest, we have assessed that our interests do not override your rights and freedoms.

Supervisory Authority

You have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is the [YOUR COUNTRY'S DATA PROTECTION AUTHORITY, e.g. Bundesbeauftragte für den Datenschutz (BfDI)].

Data Protection Officer

Given the scale of our operations, we are not required to appoint a Data Protection Officer under Article 37 of the GDPR. For any privacy-related inquiries, please contact us at privacy@apicrate.io.

11. Automated Decision-Making

We use automated systems to enforce API rate limits and usage quotas. When your quota is exceeded, API requests are automatically rejected (HTTP 429). This processing is necessary for the performance of our contract with you and does not produce legal effects or similarly significant effects beyond temporary service restriction.

We do not use automated profiling to make decisions that produce legal effects concerning you.

12. Children's Privacy

Our services are not directed to children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of our services after any changes constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions or concerns about this Privacy Policy, please contact us at privacy@apicrate.io.