Privacy Policy

Last Updated: February 2, 2026 · Version 2.0

1. Introduction

Welcome to ProtectMyAPI ("we," "our," "us," or the "Company"). ProtectMyAPI is a secure API proxy platform designed for mobile applications (iOS and Android) that uses device attestation technology (Apple App Attest, Google Play Integrity) to protect third-party API keys from reverse engineering and unauthorized access.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (protectmyapi.com), dashboard (dashboard.protectmyapi.com), API services, documentation, and mobile SDKs (collectively, the "Service").

We are committed to protecting your privacy and complying with applicable data protection laws worldwide, including but not limited to:

  • General Data Protection Regulation (GDPR) – European Union
  • UK General Data Protection Regulation (UK GDPR) – United Kingdom
  • California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA) – USA
  • Lei Geral de Proteção de Dados (LGPD) – Brazil
  • Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
  • Protection of Personal Information Act (POPIA) – South Africa
  • Personal Data Protection Act (PDPA) – Singapore
  • Australian Privacy Principles (APPs) – Australia

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Who We Are (Data Controller)

For the purposes of applicable data protection laws, the data controller is:

ProtectMyAPI
Email: privacy@protectmyapi.com
Website: https://protectmyapi.com

For EU/UK data protection inquiries, you may contact our Data Protection Officer:
Email: dpo@protectmyapi.com

3. Definitions

"Personal Data" or "Personal Information" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, or deletion.

"Data Subject" means an individual whose Personal Data is processed.

"Service Provider" or "Sub-Processor" means a third party that processes Personal Data on our behalf.

"User" means any individual who accesses or uses the Service, whether as a registered account holder or visitor.

"Organization" means a company or entity created within our platform that may have multiple team members.

"App" means a mobile application configured within our platform.

"Device Attestation" means the cryptographic verification of device integrity using Apple App Attest or Google Play Integrity APIs.

4. Information We Collect

4.1 Account Information

When you create an account, we collect:

  • Email address (required)
  • Full name (optional)
  • Password (stored as bcrypt hash, never in plain text)
  • Avatar/profile picture URL (optional)
  • Company/organization name

4.2 Authentication and Security Data

To secure your account and prevent unauthorized access, we process:

A) Email/Password Authentication

  • Password hash (bcrypt algorithm, never stored in plain text)
  • Login timestamps (successful and failed attempts)
  • IP addresses used for authentication
  • User agent strings (browser type, version, operating system)
  • Two-factor authentication (2FA) status
  • Encrypted 2FA secret (TOTP seed, AES-256-GCM encrypted)
  • Email verification status and tokens
  • Password reset tokens (temporary, expire in 1 hour)

B) Trusted IP System

When you log in from a new IP address, we verify it's really you:

  • New IP addresses trigger email verification
  • Trusted IP list stored per user (IP address + user agent)
  • IP verification tokens (temporary, expire in 24 hours)
  • Location data derived from IP (city, country – optional)
  • Last used timestamp for each trusted IP

C) OAuth/Social Login Authentication

If you sign in with Google, GitHub, or Apple (see Section 9.8 for details):

  • OAuth provider type (google, github, or apple)
  • Provider account ID (unique identifier from provider)
  • OAuth access tokens (AES-256-GCM encrypted)
  • OAuth refresh tokens (AES-256-GCM encrypted)
  • Token expiration dates
  • Token type (e.g., "Bearer")
  • OAuth scopes granted
  • Account link timestamp

D) Session Management

  • JWT access tokens (short-lived, stored in httpOnly cookies)
  • JWT refresh tokens (longer-lived, stored in httpOnly cookies)
  • Session creation and expiration timestamps
  • Device/browser fingerprint (for session binding)

E) Security Events

  • Failed login attempts (rate limited, logged for security)
  • Password change events
  • 2FA enable/disable events
  • OAuth account link/unlink events
  • Suspicious activity flags

4.3 Organization and Team Data

For organizations you create or join:

  • Organization name and slug (URL identifier)
  • Team member roles (owner, admin, developer, viewer)
  • Invitation records
  • Billing information (via Stripe – see Section 9)

4.4 Application Configuration Data

For mobile apps you configure:

  • App name, description, and icon URL
  • App platform (iOS or Android)
  • API tokens (generated, encrypted)
  • iOS-specific: Bundle ID, Team ID, App Store credentials (encrypted)
  • Android-specific: Package name, SHA256 certificate fingerprints
  • Google Play Integrity configuration (encrypted)
  • Attestation enforcement settings

4.5 API Endpoint Configuration

For API endpoints you configure:

  • Endpoint names and descriptions
  • Target URLs
  • HTTP methods and authentication types
  • Request/response transformation rules
  • Rate limiting configurations
  • Caching settings
  • Retry and circuit breaker configurations

4.6 Secrets and Credentials

For secrets stored in your vault:

  • Secret names (visible)
  • Secret values (AES-256-GCM encrypted, never stored in plain text)
  • Access timestamps and counts
  • Rotation history

Important: Secret values are encrypted using AES-256-GCM encryption with a unique encryption key. We cannot read your secret values in plain text.

4.7 Device Attestation Data

For devices using your apps:

  • Device attestation tokens (cryptographic identifiers)
  • Key IDs and public keys
  • Attestation objects and receipts
  • Device model and OS version
  • App version
  • Risk scores and fraud assessment results
  • Simulator/emulator detection flags
  • Debug build detection
  • Assertion counters

Important: Device attestation data does not include personal identifiers of your end users. It contains cryptographic tokens used solely for security verification.

4.8 Usage and Analytics Data

We collect aggregated usage data including:

  • Request counts and timestamps
  • Success/failure rates
  • Response times
  • Bytes transferred
  • Token usage (for AI APIs)
  • Cache hit rates
  • Error codes and messages (sanitized)

We do NOT collect or log:

  • Request bodies
  • Response bodies
  • Your end users' personal data
  • API response content

4.9 Audit Logs

For security and compliance, we log:

  • User actions (login, logout, settings changes)
  • Resource modifications (create, update, delete)
  • IP addresses and user agents
  • Timestamps

4.10 Privacy Consent Records

To comply with privacy regulations, we maintain:

  • Consent type (terms, privacy policy, marketing, analytics, etc.)
  • Consent status (granted/revoked)
  • Timestamps of consent actions
  • IP address and user agent at time of consent
  • Policy version consented to
  • Geographic location (country/region) at time of consent

4.11 Technical Data

Automatically collected when you use our Service:

  • IP address
  • Browser type and version
  • Operating system
  • Device type
  • Referring URLs
  • Pages visited
  • Time spent on pages
  • Click patterns

5. How We Collect Information

5.1 Directly From You

  • When you create an account (email, password, name)
  • When you fill out forms (profile information, organization details)
  • When you contact support (communication content)
  • When you configure apps and endpoints (configuration data)
  • When you provide consent preferences (privacy choices)
  • When you store secrets in your vault (encrypted values)

5.2 Automatically

  • Through cookies and similar technologies (session, preferences)
  • Through server logs (IP address, user agent, timestamps)
  • Through our analytics systems (page views, feature usage)
  • Through device attestation flows (device security verification)
  • Through API request monitoring (usage metrics, error rates)

5.3 From OAuth/Social Login Providers

When you choose to authenticate using a social login provider, we receive information directly from that provider. This is a one-time data transfer that occurs during the OAuth authentication flow.

From Google (when you click "Continue with Google"):

  • Your Google account user ID (numeric identifier)
  • Your email address
  • Your display name
  • Your profile picture URL
  • OAuth tokens for authentication

From GitHub (when you click "Continue with GitHub"):

  • Your GitHub account user ID (numeric identifier)
  • Your username
  • Your email address (including private email if set)
  • Your display name
  • Your avatar URL
  • OAuth tokens for authentication

From Apple (when you click "Continue with Apple"):

  • Your Apple user ID (unique to our app)
  • Your email address (real or Private Relay address)
  • Your name (first login only)
  • OAuth tokens for authentication

Important: We only receive this data when YOU initiate the OAuth flow by clicking the social login button and authorizing access on the provider's consent screen. We cannot access your data from these providers without your explicit action.

5.4 From Payment Processors

From Stripe (when you subscribe to a paid plan):

  • Transaction status and history
  • Subscription status
  • Payment method type (e.g., "Visa ending in 4242")
  • Billing address (if required by your jurisdiction)

Note: We do NOT receive or store your full credit card number. All payment card data is handled directly by Stripe.

5.5 From Analytics Services (With Consent)

When you consent to analytics, we may receive:

  • Aggregated usage statistics
  • Conversion data (from Facebook Pixel)
  • Session recordings data (if enabled in future)

6. Legal Basis for Processing (GDPR/UK GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your Personal Data based on the following legal bases:

6.1 Contract Performance (Article 6(1)(b))

Processing necessary to provide our Service to you:

  • Account creation and management
  • Service delivery and support
  • Billing and payment processing
  • API proxy functionality

6.2 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests:

  • Security monitoring and fraud prevention
  • Service improvement and analytics
  • Bug fixes and technical support
  • Legal compliance and dispute resolution

6.3 Consent (Article 6(1)(a))

Processing based on your explicit consent:

  • Marketing communications
  • Non-essential analytics
  • Third-party data sharing
  • Cross-border data transfers (where required)
  • Profiling (if applicable)

You may withdraw consent at any time through your privacy settings.

6.4 Legal Obligation (Article 6(1)(c))

Processing necessary to comply with legal requirements:

  • Tax and accounting obligations
  • Response to legal requests
  • Fraud prevention requirements

7. How We Use Your Information

We use collected information for the following purposes:

7.1 Service Provision

  • Create and manage your account
  • Authenticate your identity
  • Process API proxy requests
  • Store and manage your secrets securely
  • Verify device attestation
  • Enforce rate limits and usage quotas

7.2 Billing and Payments

  • Process subscription payments
  • Track usage for billing purposes
  • Send invoices and payment receipts
  • Handle refunds and disputes

7.3 Communication

  • Send transactional emails (password reset, verification, alerts)
  • Respond to support inquiries
  • Send marketing communications (with consent)
  • Notify about service changes or incidents

7.4 Security

  • Detect and prevent fraud
  • Verify new login locations
  • Monitor for suspicious activity
  • Enforce two-factor authentication
  • Maintain audit logs

7.5 Improvement

  • Analyze usage patterns
  • Identify and fix bugs
  • Develop new features
  • Optimize performance

7.6 Legal Compliance

  • Respond to legal requests
  • Enforce our Terms of Service
  • Protect our rights and property
  • Prevent illegal activities

8. Information Sharing and Disclosure

We do NOT sell your Personal Information to third parties.

We may share your information in the following circumstances:

8.1 With Service Providers

We share data with third-party service providers who perform services on our behalf (see Section 9 for complete list).

8.2 With Your Organization

If you are part of an organization, organization administrators may access information about your account activity within that organization.

8.3 For Legal Reasons

We may disclose information if required by law, legal process, litigation, or requests from governmental authorities.

8.4 Business Transfers

In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

8.5 With Your Consent

We may share information for other purposes with your explicit consent.

8.6 Aggregated Data

We may share aggregated, anonymized data that cannot identify you for research, marketing, or analytics purposes.

9. Third-Party Services and Sub-Processors

We use the following third-party services to operate our platform:

9.1 Infrastructure

Hetzner Online GmbH

9.2 Content Delivery and Security

Cloudflare, Inc.

9.3 Payment Processing

Stripe, Inc.

  • Purpose: Payment processing and billing
  • Location: United States (Standard Contractual Clauses apply)
  • Data Processed: Email, name, payment card details
  • Privacy Policy: https://stripe.com/privacy

9.4 Email Services

Resend, Inc.

  • Purpose: Transactional and marketing emails
  • Location: United States (Standard Contractual Clauses apply)
  • Data Processed: Email addresses, email content
  • Privacy Policy: https://resend.com/legal/privacy-policy

9.5 Logging and Monitoring

Axiom, Inc.

  • Purpose: Application logging, error tracking, monitoring
  • Location: United States (Standard Contractual Clauses apply)
  • Data Processed: Error logs, performance data (no PII in logs)
  • Privacy Policy: https://axiom.co/privacy

9.6 Analytics (Optional – Consent Required)

Google Analytics (Google LLC)

Google Tag Manager (Google LLC)

9.7 Marketing and Advertising (Optional – Consent Required)

Facebook/Meta Pixel (Meta Platforms, Inc.)

Note: Facebook/Meta tracking is only activated with your explicit consent and can be disabled at any time through your privacy settings.

9.8 Single Sign-On (SSO) Authentication Providers

We offer optional authentication through third-party identity providers. When you choose to sign in with a social account, we receive information from these providers as described below.

Important: Using social login is entirely optional. You can always create an account using email and password instead.

9.8.1 Google Sign-In (Google LLC)

When you authenticate with Google, we interact with Google's OAuth 2.0 service.

OAuth Scopes Requested:

  • openid: Verify your identity
  • email: Access your email address
  • profile: Access your name and profile picture

Data We Receive From Google:

| Data Field | Purpose | Stored | Encrypted |
|---|---|---|---|
| Google User ID | Unique identifier for login | Yes | No* |
| Email address | Account identification | Yes | No |
| Full name | Display in dashboard | Yes | No |
| Profile picture URL | Avatar display | Yes | No |
| Access token | API access (temporary) | Yes | AES-256 |
| Refresh token | Token renewal | Yes | AES-256 |
| Token expiration | Session management | Yes | No |
| Token type | Authentication | Yes | No |
| Granted scopes | Permission tracking | Yes | No |

*Google User ID is a pseudonymous identifier that doesn't reveal your identity to third parties.

Data We Do Not Receive: Your Google password, contacts, Google Drive files, Google Calendar, Gmail messages, Google Photos, location history, search history, or any other Google account data.

How We Use Google Data:

  1. Create or authenticate your ProtectMyAPI account
  2. Pre-fill your profile information (name, avatar)
  3. Send notifications to your email address
  4. Verify your identity on subsequent logins

Google's Privacy Policy: https://policies.google.com/privacy

Manage permissions: https://myaccount.google.com/permissions

9.8.2 GitHub Sign-In (GitHub, Inc. / Microsoft)

When you authenticate with GitHub, we interact with GitHub's OAuth service.

OAuth Scopes Requested:

  • read:user: Read your public profile information
  • user:email: Access your email addresses (including private emails)

Data We Receive From GitHub:

| Data Field | Purpose | Stored | Encrypted |
|---|---|---|---|
| GitHub User ID | Unique identifier for login | Yes | No* |
| Username (login) | Fallback identifier | No** | N/A |
| Email address | Account identification | Yes | No |
| Full name | Display in dashboard | Yes | No |
| Avatar URL | Profile picture display | Yes | No |
| Access token | API access | Yes | AES-256 |
| Token type | Authentication | Yes | No |
| Granted scopes | Permission tracking | Yes | No |

*GitHub User ID is a numeric identifier that doesn't reveal your identity.
**Username is used only during authentication, not stored long-term.

Data We Do Not Receive: Your GitHub password, private repositories, repository contents or code, issues or pull requests, GitHub Actions or workflows, billing information, SSH keys or GPG keys, or organization memberships (beyond what's public).

GitHub's Privacy Statement: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement

Manage applications: https://github.com/settings/applications

9.8.3 Apple Sign-In (Apple Inc.)

When you authenticate with Apple, we interact with Apple's Sign in with Apple service, which provides enhanced privacy features.

OAuth Scopes Requested:

  • name: Access your name (first login only)
  • email: Access your email address

Data We Receive From Apple:

| Data Field | Purpose | Stored | Encrypted |
|---|---|---|---|
| Apple User ID (sub) | Unique identifier for login | Yes | No* |
| Email address | Account identification | Yes** | No |
| Full name | Display in dashboard | Yes*** | No |
| Access token (JWT) | Identity verification | Yes | AES-256 |
| Refresh token | Token renewal | Yes | AES-256 |
| Token expiration | Session management | Yes | No |
| Token type | Authentication | Yes | No |

*Apple User ID is a unique, stable identifier specific to our app. It cannot be used to track you across other apps or services.
**Apple Private Email Relay: Apple offers a unique privacy feature called "Hide My Email" that generates a random, unique email address that forwards to your real email. If you choose this option, we only see the relay address.
***Apple only provides your name on the FIRST authentication.

Data We Do Not Receive: Your Apple ID password, real email (if using Private Email Relay), iCloud data, Apple Pay information, device information, Apple subscriptions, Find My data, Health data, or any other Apple services data.

Apple's Privacy Policy: https://www.apple.com/legal/privacy/

Manage Sign in with Apple: Settings → [Your Name] → Password & Security → Apps Using Apple ID

9.8.4 OAuth Security Measures

We implement the following security measures for all OAuth providers:

  • State Parameter Protection: We generate a cryptographically random state parameter for each OAuth request, bound to your IP address hash to prevent session fixation attacks. State expires after 10 minutes.
  • IP Binding: OAuth state is bound to a SHA-256 hash of your IP address. If you initiate OAuth from one IP and complete from another, it will fail.
  • Token Encryption: All OAuth access tokens and refresh tokens are encrypted using AES-256-GCM. Encryption keys are stored separately from the database.
  • Secure Token Storage: Tokens are stored in our PostgreSQL database with encrypted columns. Database connections use TLS encryption.
  • Token Lifecycle: Tokens are refreshed automatically when needed. Expired tokens are not used for authentication. Tokens are deleted immediately when you unlink an OAuth account.
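
The State Parameter Protection and IP Binding measures above, sketched as an added example (this is not ProtectMyAPI's code). It assumes a stateless, HMAC-signed state value and a single-use nonce set; the function names, the signing design and the replay check are assumptions that the policy does not state.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set, Tuple

STATE_TTL_SECONDS = 600  # the policy states that state expires after 10 minutes


def ip_hash(client_ip: str) -> str:
    """SHA-256 of the client IP, so the raw address is not carried in the state."""
    return hashlib.sha256(client_ip.encode("utf-8")).hexdigest()


def issue_state(key: bytes, client_ip: str, now: Optional[float] = None) -> str:
    """Build the state value sent to the provider: random nonce, expiry, IP hash, HMAC tag."""
    now = time.time() if now is None else now
    payload = {
        "nonce": secrets.token_urlsafe(32),        # cryptographically random
        "exp": int(now) + STATE_TTL_SECONDS,       # absolute expiry time
        "ip": ip_hash(client_ip),                  # binding to the initiating IP
    }
    body = base64.urlsafe_b64encode(json.dumps(payload).encode("utf-8"))
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode("ascii") + "." + tag


def verify_state(key: bytes, state: str, client_ip: str,
                 used_nonces: Set[str], now: Optional[float] = None) -> Tuple[bool, str]:
    """Check the state returned on the callback; returns (accepted, reason)."""
    now = time.time() if now is None else now
    body_b64, sep, tag = state.rpartition(".")
    if not sep or not body_b64:
        return False, "malformed"

    # Authenticate before parsing: nothing in the body is trusted until the tag matches.
    expected = hmac.new(key, body_b64.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8")):
        return False, "bad_signature"

    payload = json.loads(base64.urlsafe_b64decode(body_b64))
    if now >= payload["exp"]:
        return False, "expired"
    if not hmac.compare_digest(payload["ip"], ip_hash(client_ip)):
        return False, "ip_mismatch"

    # Assumption beyond the policy text: each state is accepted once only.
    if payload["nonce"] in used_nonces:
        return False, "replayed"
    used_nonces.add(payload["nonce"])
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges, random demo key).
    demo_key = secrets.token_bytes(32)
    seen: Set[str] = set()
    s = issue_state(demo_key, "203.0.113.7")
    print(verify_state(demo_key, s, "198.51.100.9", seen))  # different IP on callback
    print(verify_state(demo_key, s, "203.0.113.7", seen))   # same IP, first use
    print(verify_state(demo_key, s, "203.0.113.7", seen))   # same state presented again
```

Because the state is bound to the IP hash, a user whose address changes between the redirect and the callback (for example, a mobile network handoff) fails verification and has to restart the sign-in, which matches the behaviour the policy describes.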

9.8.5 Your Rights Regarding OAuth Data

Linking and Unlinking:

  • You can link multiple OAuth providers to a single account
  • You can unlink any OAuth provider at any time (Settings → Security)
  • You must maintain at least one authentication method (password or OAuth)
  • Unlinking deletes all stored tokens for that provider

What Happens When You Unlink:

  1. OAuth account record is deleted from our database
  2. All stored tokens (access, refresh) are permanently deleted
  3. You will no longer be able to sign in with that provider
  4. Your ProtectMyAPI account remains active
  5. We recommend also revoking access in the provider's settings

Data Portability: Your OAuth connection information is included in data exports. Export includes: provider name, link date, and email (not tokens). Tokens are never included in exports for security reasons.

Account Deletion: When you delete your ProtectMyAPI account, all OAuth data is deleted. We do not retain OAuth tokens after account deletion. We cannot delete data stored by the OAuth provider – to remove data from the provider, visit their respective privacy settings.

9.8.6 OAuth Data Flow Diagram

The following describes the data flow when you sign in with an OAuth provider:

  1. YOU click "Continue with [Provider]" on our login page
  2. WE generate a secure state token and redirect you to the provider
  3. PROVIDER shows their consent screen asking you to authorize ProtectMyAPI
  4. YOU review permissions and click "Allow" or "Authorize"
  5. PROVIDER redirects you back to ProtectMyAPI with an authorization code
  6. WE exchange the code for access tokens directly with the provider's servers
  7. WE request your profile information using the access token
  8. WE create or update your account with the received information
  9. WE encrypt and store the tokens for future authentication
  10. YOU are logged in to ProtectMyAPI

At no point do we see or have access to your provider password.

10. International Data Transfers

Your information may be transferred to and processed in countries outside your country of residence, including the United States, which may have different data protection laws.

10.1 Transfer Mechanisms

For transfers from the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (UK IDTA) where applicable
  • Adequacy decisions for countries deemed to provide adequate protection
  • Supplementary measures as required (encryption, access controls)

10.2 Your Rights

If you are subject to GDPR or UK GDPR, you may request a copy of the safeguards used for international transfers by contacting us.

11. Data Retention

We retain Personal Data only as long as necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required by law.

11.1 Active Accounts

| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days |
| Organization data | Duration of account |
| App configurations | Duration of account |
| Secrets (encrypted) | Until deleted by user |
| Device attestations | Until revoked or app deleted |

11.2 Usage and Logs

| Data Type | Retention Period |
|---|---|
| Request logs | 30 days |
| Audit logs | 1 year |
| Error logs | 30 days |
| Failed login attempts | 7 days |
| IP verification tokens | 24 hours |
| Analytics (aggregated) | Indefinite (anonymized) |

11.3 After Account Deletion

| Data Type | Retention Period |
|---|---|
| Backups containing user data | 90 days maximum |
| Billing records | 7 years (legal requirement) |
| Anonymized analytics | Indefinite |

11.4 Jurisdiction-Specific Retention

Data retention may vary based on your applicable privacy regulation:

| Regulation | Maximum Retention After Last Activity |
|---|---|
| GDPR | 3 years |
| UK GDPR | 3 years |
| CCPA/CPRA | 3 years |
| LGPD | 5 years |
| PIPEDA | 7 years |
| POPIA | 5 years |
| PDPA (SG) | 5 years |
| APPs | 7 years |

12. Your Privacy Rights

Depending on your location, you may have the following rights regarding your Personal Data:

12.1 Right to Access

You have the right to request a copy of the Personal Data we hold about you.

How to exercise: Go to Settings → Privacy → Request Data Export, or contact privacy@protectmyapi.com

Response time: Within 30 days (45 days for CCPA)

12.2 Right to Rectification

You have the right to request correction of inaccurate Personal Data.

How to exercise: Update your information in Settings → Profile, or contact us.

12.3 Right to Erasure ("Right to Be Forgotten")

You have the right to request deletion of your Personal Data, subject to certain exceptions.

How to exercise: Go to Settings → Account → Delete Account

12.4 Right to Data Portability

You have the right to receive your Personal Data in a structured, commonly used, machine-readable format.

How to exercise: Use the data export feature in Settings → Privacy

12.5 Right to Restrict Processing

You have the right to request restriction of processing in certain circumstances.

How to exercise: Contact privacy@protectmyapi.com

12.6 Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

How to exercise: Contact privacy@protectmyapi.com or update marketing preferences

12.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time.

How to exercise: Update consent preferences in Settings → Privacy → Manage Consents

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

13.1 Right to Know

You have the right to request disclosure of:

  • Categories of Personal Information collected
  • Sources of Personal Information
  • Business purposes for collection
  • Categories of third parties with whom we share
  • Specific pieces of Personal Information collected

13.2 Right to Delete

You have the right to request deletion of Personal Information collected from you, subject to certain exceptions.

13.3 Right to Correct

You have the right to request correction of inaccurate Personal Information (added by CPRA).

13.4 Right to Opt-Out of Sale/Sharing

You have the right to opt-out of the "sale" or "sharing" of Personal Information.

Notice: ProtectMyAPI does NOT sell your Personal Information. However, certain third-party integrations (such as Facebook Pixel) may constitute "sharing" under CPRA. You can opt-out via Settings → Privacy → Do Not Sell or Share.

13.5 Right to Limit Use of Sensitive Personal Information

You have the right to limit the use and disclosure of Sensitive Personal Information (added by CPRA).

We do NOT collect sensitive personal information such as: Social Security numbers, driver's license numbers, financial account credentials (stored by Stripe, not us), precise geolocation, racial/ethnic origin, religious beliefs, health information, sexual orientation, or genetic/biometric data.

13.6 Right to Non-Discrimination

You have the right not to receive discriminatory treatment for exercising your privacy rights.

13.7 Categories of Personal Information

| Category | Collected | Sold | Shared |
|---|---|---|---|
| Identifiers (email, name, IP) | Yes | No | Yes* |
| Commercial info (purchases) | Yes | No | No |
| Internet activity (usage data) | Yes | No | Yes* |
| Geolocation (country from IP) | Yes | No | Yes* |
| Professional info (company) | Yes | No | No |
| Biometric data | No | No | No |
| Sensitive personal information | No | No | No |

*Shared with analytics providers (Google Analytics, Facebook) when you consent.

13.8 Exercising Your Rights

To exercise your California privacy rights:

  • Online: Settings → Privacy
  • Email: privacy@protectmyapi.com

We will verify your identity before processing requests. You may designate an authorized agent to make requests on your behalf.

14. European Privacy Rights (GDPR/UK GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following additional rights:

14.1 Right Not to Be Subject to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects.

We do not make such automated decisions about you.

14.2 Right to Lodge a Complaint

You have the right to lodge a complaint with your local Data Protection Authority (DPA):

14.3 Data Protection Officer

For any GDPR-related inquiries, contact our Data Protection Officer:
Email: dpo@protectmyapi.com

15. Brazilian Privacy Rights (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD):

15.1 Confirmation and Access

You have the right to confirm whether we process your data and access it.

15.2 Correction

You have the right to request correction of incomplete, inaccurate, or outdated data.

15.3 Anonymization, Blocking, or Deletion

You have the right to request anonymization, blocking, or deletion of unnecessary or non-compliant data.

15.4 Data Portability

You have the right to receive your data in a structured format.

15.5 Deletion of Data Processed with Consent

You have the right to request deletion of data processed based on consent.

15.6 Information About Sharing

You have the right to know which third parties we share your data with.

15.7 Information About Non-Consent

You have the right to be informed about the consequences of not providing consent.

15.8 Consent Withdrawal

You have the right to withdraw consent at any time.

15.9 Contact for LGPD Inquiries

Email: privacy@protectmyapi.com
Response time: 15 days

16. Other Jurisdiction-Specific Rights

16.1 Canada (PIPEDA)

Canadian residents have rights to:

  • Access their Personal Information
  • Challenge accuracy and completeness
  • Know how information is used
  • Withdraw consent (with limitations)
  • Complain to the Privacy Commissioner of Canada

16.2 South Africa (POPIA)

South African residents have rights to:

  • Access Personal Information
  • Request correction or deletion
  • Object to processing
  • Complain to the Information Regulator

16.3 Singapore (PDPA)

Singapore residents have rights to:

  • Access Personal Data
  • Request correction
  • Withdraw consent
  • Request data portability

16.4 Australia (APPs)

Australian residents have rights to:

  • Access Personal Information
  • Request correction
  • Complain to the OAIC
  • Use a pseudonym where practical

17. Cookies and Tracking Technologies

17.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website. We use cookies and similar technologies (local storage, session storage) to operate and improve our Service.

17.2 Essential Cookies (Required)

These cookies are necessary for the Service to function and cannot be disabled:

| Cookie Name | Purpose | Duration |
|---|---|---|
| session | User authentication | Session |
| csrf | Security (CSRF protection) | Session |
| preferences | UI settings and language | 1 year |
| consent | Record of cookie consent | 1 year |

17.3 Analytics Cookies (Consent Required)

These cookies help us understand how visitors use our Service:

| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics | User identification | 2 years |
| _ga_* | Google Analytics | Session tracking | 2 years |
| _gid | Google Analytics | Daily user tracking | 24 hours |
| _gat | Google Analytics | Throttling requests | 1 minute |

17.4 Marketing Cookies (Consent Required)

These cookies are used for advertising and marketing purposes:

| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| _fbp | Facebook/Meta | Advertising tracking | 3 months |
| _fbc | Facebook/Meta | Click tracking | 3 months |
| fr | Facebook/Meta | Advertising delivery | 3 months |

17.5 Managing Cookies

You can manage cookie preferences:

  • Through our cookie consent banner
  • In Settings → Privacy → Cookie Preferences
  • Through your browser settings
  • Using the opt-out links in Section 9

Note: Disabling essential cookies may affect Service functionality.

17.6 Do Not Track

Some browsers have a "Do Not Track" feature. We currently do not respond to DNT signals. However, you can use our privacy controls to limit tracking.

18. Third-Party Analytics and Advertising

18.1 Google Analytics

We use Google Analytics to understand how users interact with our Service. Google Analytics collects:

  • Pages visited and time spent
  • Device and browser information
  • IP address (anonymized)
  • Referral sources

Data is processed in accordance with Google's Privacy Policy. You can opt out:

  • Via our consent preferences
  • Using the Google Analytics Opt-out Browser Add-on
  • Through Google's Ads Settings

18.2 Google Tag Manager

We use Google Tag Manager to manage tracking tags and scripts. GTM itself does not collect personal data but enables other services that may.

18.3 Facebook Pixel

With your consent, we use Facebook Pixel to:

  • Measure ad effectiveness
  • Build custom audiences for advertising
  • Track website conversions

Facebook Pixel collects:

  • HTTP headers (IP, browser info)
  • Pixel-specific data (page views, button clicks)
  • Optionally: hashed email for matching

You can control Facebook tracking:

  • Via our consent preferences
  • In Facebook Ad Preferences
  • Using Facebook's Off-Facebook Activity tool

18.4 Opting Out of Interest-Based Advertising

You can opt out of interest-based advertising through:

19. Security Measures

We implement comprehensive security measures to protect your Personal Data:

19.1 Encryption

  • Data at rest: AES-256-GCM encryption for sensitive data (secrets, credentials)
  • Data in transit: TLS 1.3 for all connections
  • Password storage: bcrypt with appropriate cost factor
  • Database encryption: PostgreSQL with encrypted connections

19.2 Access Controls

  • Role-based access control (RBAC) for organizations
  • Multi-factor authentication (2FA) option
  • IP verification for new login locations
  • Session management with secure token rotation

19.3 Infrastructure Security

  • Hosted on Hetzner (Germany, EU)
  • DDoS protection via Cloudflare
  • Regular security updates and patches
  • Network segmentation and firewalls

19.4 Monitoring

  • Real-time security monitoring
  • Automated threat detection
  • Comprehensive audit logging
  • Incident response procedures

19.5 Data Handling

  • Need-to-know access principle
  • Employee security training
  • Data Processing Agreements with all vendors
  • Regular security assessments

19.6 Incident Response

In the event of a data breach affecting your Personal Data, we will:

  • Notify affected users within 72 hours (as required by GDPR)
  • Notify relevant supervisory authorities
  • Document the breach and response actions
  • Take measures to mitigate harm

20. Children's Privacy

ProtectMyAPI is a business-to-business service designed for developers and organizations. Our Service is not intended for children.

20.1 Age Requirements

  • General minimum age: 16 years (or age of digital consent in your jurisdiction)
  • UK: 13 years
  • Brazil: 18 years (or parental consent)
  • Singapore: 18 years
  • Australia: 18 years

20.2 No Knowing Collection

We do not knowingly collect Personal Information from children under the applicable age of consent.

20.3 Parental Notification

If you believe we have collected Personal Information from a child without proper consent, please contact us immediately at privacy@protectmyapi.com. We will delete such information promptly.

21. Account Deletion

21.1 Requesting Deletion

You can request account deletion through:

  • Settings → Account → Delete Account
  • Email: privacy@protectmyapi.com

21.2 Grace Period

Account deletion includes a grace period based on your jurisdiction:

| Regulation | Grace Period | Cancel Option |
|---|---|---|
| GDPR | 30 days | Yes |
| UK GDPR | 30 days | Yes |
| CCPA/CPRA | 45 days | Yes |
| LGPD | 15 days | Yes |
| PIPEDA | 30 days | Yes |
| POPIA | 30 days | Yes |
| PDPA (SG) | 30 days | Yes |
| APPs | 30 days | Yes |
| Default | 30 days | Yes |

21.3 Immediate Effects

Upon deletion request:

  • Active subscription is canceled (no further charges)
  • API access is immediately blocked
  • You can still access your account to cancel deletion

21.4 After Grace Period

Once the grace period expires:

  • All Personal Data is permanently deleted
  • All organizations you own are deleted
  • All apps and configurations are deleted
  • All secrets are securely destroyed
  • Audit logs are anonymized or deleted

21.5 Data We Retain

Even after deletion, we may retain:

  • Anonymized, aggregated analytics data
  • Billing records as required by law (up to 7 years)
  • Data in encrypted backups (deleted within 90 days)

22. Do Not Track Signals

"Do Not Track" (DNT) is a privacy preference you can set in your browser. Currently, there is no industry-standard interpretation of DNT signals.

Our current response to DNT signals:

  • We do not currently respond to DNT browser signals
  • You can control tracking through our privacy settings instead
  • We honor Global Privacy Control (GPC) signals where legally required

To limit tracking:

  1. Use our privacy settings: Settings → Privacy
  2. Manage cookie preferences through our consent banner
  3. Use browser privacy features or extensions
  4. Opt out of third-party tracking (see Section 18.4)

23. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons.

23.1 Notification of Changes

  • Material changes: We will notify you via email and/or prominent notice on our Service at least 30 days before the changes take effect
  • Minor changes: Posted on this page with updated "Last Updated" date

23.2 Review of Changes

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the revised Privacy Policy.

23.3 Version History

Previous versions of this Privacy Policy are available upon request.

24. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

24.1 General Privacy Inquiries

Email: privacy@protectmyapi.com
Response time: Within 5 business days

24.2 Data Protection Officer (EU/UK)

For GDPR/UK GDPR related inquiries:
Email: dpo@protectmyapi.com

24.3 California Consumer Requests

For CCPA/CPRA requests:
Email: privacy@protectmyapi.com
Include "California Privacy Request" in subject line

24.4 Brazil (LGPD) Requests

For LGPD requests:
Email: privacy@protectmyapi.com
Response time: 15 days

24.5 Mailing Address

ProtectMyAPI
[Your Business Address]
[City, State, ZIP]
[Country]

24.6 Supervisory Authorities

You have the right to lodge a complaint with your local data protection authority. A list of EU/EEA authorities is available at:
https://edpb.europa.eu/about-edpb/board/members_en

Protect your

API in minutes.

© 2026 Bakery Scent Srl
