Privacy Policy

1. Controller

The data controller responsible for your personal data is:

2. What data we collect

We collect only the data necessary to provide the service:

• Account data: email address, hashed password (if you register with email/password), and your name or avatar from Google or GitHub if you use OAuth login.
• API key: a generated key used to authenticate your API and MCP requests. Stored in our database.
• Usage data: the number of queries you make each month, your current quota limit, and the date your quota resets. This is required to enforce tier limits.
• Billing data: if you subscribe to a paid plan, we store your Stripe Customer ID. Payment card details are handled exclusively by Stripe and are never stored on our servers.
• Contact messages: if you submit the contact form, we store your name, email, subject, and message in order to respond to you.

3. Legal basis for processing

We process your data on the following legal bases under Article 6 GDPR:

• Contract performance (Art. 6(1)(b)): account data, API key, and usage data are processed to provide the service you signed up for.
• Legal obligation (Art. 6(1)(c)): billing records may be retained as required by Austrian tax law (Bundesabgabenordnung).
• Legitimate interest (Art. 6(1)(f)): temporary rate-limiting counters (stored in Redis, auto-expiring within 60 seconds) to protect the service from abuse.

4. Analytics

This website uses Umami, a self-hosted, open-source analytics tool running on our own infrastructure. Umami collects anonymised page view statistics (page URL, referrer, browser, country) without using cookies and without assigning persistent identifiers to individual visitors.

No analytics data is shared with any third party. All data stays on our servers.

5. Third-party processors

We share data with the following sub-processors:

• Stripe, Inc. — payment processing. When you subscribe to a paid plan, Stripe processes your payment details under their own privacy policy. We only receive a Stripe Customer ID and subscription status.
• Google / GitHub — only if you choose to sign in via OAuth. We receive your email and public profile from these providers solely to create and identify your account.

We do not sell, rent, or share your personal data with any other third parties.

6. Data retention

• Your account and all associated data is retained for as long as your account is active.
• If you request account deletion, all personal data is permanently deleted within 30 days, except where retention is required by law (e.g. invoicing records under Austrian tax law).
• Rate-limiting counters in Redis expire automatically within 60 seconds and are never persisted to long-term storage.

7. Your rights

Under GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): request a copy of all data we hold about you.
• Right to rectification (Art. 16): correct inaccurate data.
• Right to erasure (Art. 17): request deletion of your account and all personal data. You can do this directly from your dashboard.
• Right to data portability (Art. 20): receive your data in a machine-readable format.
• Right to restriction (Art. 18): request that we restrict processing of your data.
• Right to object (Art. 21): object to processing based on legitimate interests.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

8. Right to lodge a complaint

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Austrian Data Protection Authority:

9. Changes to this policy

We may update this Privacy Policy from time to time. We will notify registered users by email of any material changes. The date at the top of this page always reflects the latest revision.