Privacy Policy
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection provisions is:
myapimonitor, Florian Alraun, Meßhäuser Weg 7, 29614 Soltau, Germany. Email: info@myapimonitor.com. Phone: +49 30 4397920277
2. General Information on Data Processing
We only process personal data of our users insofar as this is necessary to provide a functional website and our content and services. The processing of personal data of our users takes place regularly only after the user has given consent. An exception applies in cases where prior consent cannot be obtained for practical reasons and the processing of data is permitted by statutory provisions.
We base the technical and organizational protection of our data processing procedures on the recommendations of the German Federal Office for Information Security (BSI), in particular the BSI IT-Grundschutz Compendium, and implement appropriate measures to ensure an adequate level of protection (Art. 32 GDPR).
3. Legal Basis for Data Processing
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) (a) GDPR serves as the legal basis.
For the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures (e.g., registration, booking a monthly subscription).
Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR serves as the legal basis.
If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights, and freedoms of the data subject do not override the former interest, Art. 6 (1) (f) GDPR serves as the legal basis for the processing.
4. Categories of Data Collected and Processing Purposes
Account data: During registration, we collect name (optional), email address, and password (stored only as a bcrypt hash, see Section 9; never in plain text). This data is processed for contract performance and account management (Art. 6 (1) (b) GDPR).
Payment and subscription data: For paid monthly subscriptions (Pro, Pro+, Business), payment processing is handled entirely by Paddle (Paddle.com Market Limited, 15 Dock Street, London, E1 8JN, United Kingdom), which acts as the Merchant of Record. Payment method information (e.g., credit card details), billing address, and transaction data are processed exclusively for payment processing and billing history management (Art. 6 (1) (b) GDPR). Complete payment data is stored exclusively by Paddle; we only store reference data (e.g., Paddle customer ID, subscription ID) and payment status.
Usage data: To provide and improve our services (webhook reception, API monitoring, data forwarding, payload validation, address validation, schema validation), we process uploaded files and input data. This data is used exclusively for the processing task initiated by the user and is not stored permanently unless a data logging feature is active in the respective plan.
Server log data: When accessing our platform, information is automatically stored in server log files: IP address (anonymized after 7 days), browser type and version, operating system used, referrer URL, hostname of the accessing computer, time of the server request. This data cannot be attributed to a specific person and is processed for security purposes and system stabilization (Art. 6 (1) (f) GDPR).
5. Cookies, Local Storage, and Tracking
Our platform does not set any cookies itself. For the technically necessary management of login sessions, language settings, and theme settings, only local browser storage (localStorage) is used. This does not contain any tracking and is not subject to the cookie consent requirement pursuant to § 25 (2) TDDDG (formerly TTDSG), as it is technically necessary for the operation of the platform.
On the Pricing (/pricing) and Account (/account) pages, JavaScript from Paddle (cdn.paddle.com) is loaded, which is required for payment processing. Paddle may set technically necessary cookies for fraud prevention and transaction processing purposes. These cookies are set by Paddle independently as part of payment processing and are required to provide the payment service (Art. 6 (1) (b) GDPR).
We do not use tracking cookies, analytics cookies, or advertising cookies. No third-party tracking (e.g., Google Analytics) is used.
6. Monthly Subscription – Special Notes on Data Processing
When subscribing to a monthly plan, you enter into a contract with us for recurring monthly services. All payment processing is handled by Paddle (Paddle.com Market Limited, 15 Dock Street, London, E1 8JN, United Kingdom, and Paddle.com, Inc., 2185 The Alameda, Suite 250, San Jose, CA 95126, USA).
Paddle as Merchant of Record: Paddle acts as the so-called Merchant of Record. This means: Paddle receives payments in its own name, issues invoices, remits sales tax, and handles refunds and chargebacks. For the payment transaction, Paddle is therefore your direct contractual partner; your contractual service relationship regarding platform use remains with myapimonitor.
Data processed by Paddle: As part of payment processing, we transmit your email address and the selected subscription tier to Paddle. Paddle independently collects and processes your name, billing address, payment method information (e.g., credit card details), and transaction and purchase data. Paddle processes this data based on its own privacy policy, available at https://www.paddle.com/legal/privacy.
Data transfer to third countries: Paddle is headquartered in the United Kingdom, which has been recognized as a safe third country since Brexit based on an adequacy decision by the EU Commission pursuant to Art. 45 GDPR. For any data transfers to the USA, Paddle relies on EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR. The requirements of Art. 44 et seq. GDPR are met.
Recurring billing: Monthly automatic debiting is carried out by Paddle using the payment method you have stored with Paddle. We do not store any complete payment method information ourselves, only reference data (e.g., Paddle customer ID, subscription ID) and payment status.
Cancellation: After cancellation of the subscription, your personal data stored by us will be retained for the duration of statutory retention periods (generally 10 years for tax-relevant documents pursuant to § 147 AO / § 257 HGB) and subsequently deleted. For data stored by Paddle, the retention periods and deletion regulations according to Paddle's privacy policy apply.
Invoices and payment receipts are retained by Paddle and by us in accordance with statutory commercial and tax law retention obligations for at least 10 years.
7. Disclosure of Data to Third Parties
Your personal data will not be transmitted to third parties for purposes other than those listed below.
Processors and independent third parties: We use external service providers (as processors pursuant to Art. 28 GDPR). In addition, we use Paddle (Paddle.com Market Limited, United Kingdom) as a payment service provider, which in its role as Merchant of Record processes personal data (in particular payment and transaction data) in its own right as an independent controller within the meaning of Art. 4 (7) GDPR.
Web hosting and database hosting: Our website and database are hosted by 1&1 IONOS SE (Elgendorfer Str. 57, 56410 Montabaur, Germany). All servers are located in the IONOS data center in Berlin and are fully subject to the GDPR. The cooperation is based on a data processing agreement pursuant to Art. 28 GDPR. Further information can be found in the IONOS privacy policy at https://www.ionos.de/terms-gtc/datenschutzerklaerung/.
Transactional email delivery: For the automated sending of technical emails (e.g., registration confirmation, email verification, password reset), we use Amazon Simple Email Service (Amazon SES) from Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg. Email delivery is restricted to the AWS region eu-central-1 (Frankfurt am Main, Germany); data is processed exclusively within the EU/EEA. The cooperation is based on a data processing agreement pursuant to Art. 28 GDPR. Further information can be found in the AWS privacy policy at https://aws.amazon.com/privacy/.
Legal obligations: Insofar as we are legally obliged or official requests exist, data may be transmitted to competent authorities (Art. 6 (1) (c) GDPR).
Transfer to third countries outside the EU/EEA only takes place if an adequate level of data protection is ensured (e.g., through EU Standard Contractual Clauses pursuant to Art. 46 GDPR or an adequacy decision by the EU Commission).
8. Use of an AI-Powered Voice Assistant for Receiving Incoming Calls
For the automated processing of telephone inquiries, we use the IONOS AI phone assistant. This processes call content on our behalf to capture, forward, or answer your concern. This involves automatic speech recognition (speech-to-text), semantic analysis (natural language processing), and, where applicable, text generation (text-to-speech).
Call content may be recorded, transcribed, or documented. This only occurs if you have been informed accordingly at the beginning of the call and continue the conversation. You can end the connection at any time to avoid processing.
Data processed includes in particular your statements during the call, technical connection data (date, time, duration), and, where voluntarily provided, personal data such as name or phone number. Additionally, interaction data is processed, for example regarding call management or disconnections.
Legal bases are Art. 6 (1) (b) GDPR (for contract initiation or performance) and Art. 6 (1) (f) GDPR (legitimate interest in efficient and scalable communication).
For technical implementation, we use subprocessors, particularly for hosting, speech recognition, and semantic analysis. Personal data may also be transferred to the USA by the subprocessor. In principle, this is based on an adequacy decision pursuant to Art. 45 GDPR, as the service providers are certified under the EU-U.S. Data Privacy Framework. If no such decision exists, the transfer is based on Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR and supplementary protective measures. The requirements of Art. 44 GDPR are met.
To improve speech processing, pseudonymized data may be used for training purposes. Tracing back to individual persons is excluded or significantly impeded. No automated decision-making within the meaning of Art. 22 GDPR takes place.
Storage only takes place as long as necessary for the stated purposes. Subsequently, the data is automatically deleted or anonymized.
9. Data Security (BSI Measures)
We implement technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. These measures are based on the recommendations of the BSI IT-Grundschutz Compendium and include in particular:
Transport encryption: All data is transmitted exclusively via encrypted connections (TLS/HTTPS).
Password security: Passwords are stored using modern cryptographic hash functions (bcrypt); passwords are never stored in plain text.
Access controls: Data access is restricted to the minimum necessary for service provision (principle of least privilege).
Regular security reviews: Our systems are regularly checked for security vulnerabilities.
Data minimization: We only collect data that is actually necessary for the respective processing purpose (Art. 5 (1) (c) GDPR).
10. Storage Duration and Deletion
Personal data is deleted or blocked as soon as the purpose of storage ceases to apply and no statutory retention obligations apply.
Account data: After deletion of the user account, all personal account data is deleted within 30 days, unless statutory retention obligations exist.
Payment and billing data: Retained for at least 10 years pursuant to § 147 AO and § 257 HGB.
Server log data: Complete IP addresses are anonymized after 7 days at the latest; anonymized log data may be retained for up to 90 days for security purposes.
Uploaded files and processing content: Deleted immediately after processing is complete, unless a data logging feature is active in the selected plan.
11. Your Rights as a Data Subject
You have the following rights with regard to your personal data:
Right of access (Art. 15 GDPR): You may request information about the data stored by us about you.
Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate personal data, or the completion of incomplete personal data, stored by us.
Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data stored by us, unless the processing is necessary for exercising the right of freedom of expression, for fulfilling a legal obligation, for reasons of public interest, or for establishing, exercising, or defending legal claims.
Right to restriction of processing (Art. 18 GDPR): You may request the restriction of the processing of your personal data.
Right to data portability (Art. 20 GDPR): You may receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format, or request the transfer to another controller.
Right to object (Art. 21 GDPR): If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) (f) GDPR, you have the right to object to the processing of your personal data.
Right to withdraw consent (Art. 7 (3) GDPR): If the data processing is based on consent, you may withdraw this consent at any time with effect for the future.
To exercise your rights, please contact us by email at: info@myapimonitor.com or by phone at: +49 30 4397920277
12. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of personal data relating to you violates the GDPR (Art. 77 GDPR).
The competent supervisory authority for Germany is generally the data protection authority of the federal state in which our company is based. An overview of all German data protection authorities can be found at: https://www.bfdi.bund.de
13. Changes to this Privacy Policy
We reserve the right to amend this privacy policy to ensure it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g., when introducing new services or when legal requirements change.
The new privacy policy will then apply to your next visit. The date of the last change is indicated at the top of this page.
14. Address Validation via OpenCage Geocoding
Our service offers optional address validation for API payloads. For this purpose, address data submitted through your API endpoints may be forwarded to the OpenCage geocoding service (opencagedata.com) operated by OpenCage GmbH, Cologne, Germany.
Data transmitted: Only the address components (street, city, postal code, country) contained in the API payload are sent to OpenCage. No personal user data (email, IP address, account information) is transmitted.
Purpose: The geocoding service is used to verify and validate postal addresses by comparing them against geographic databases. This helps detect invalid, incomplete or suspicious addresses in incoming API data.
Legal basis: Processing is based on Art. 6 (1) (f) GDPR (legitimate interest in data quality) and, where applicable, Art. 6 (1) (b) GDPR (contract performance).
Data retention: OpenCage processes the address data in real time and does not store query data beyond what is necessary for rate limiting and abuse prevention. For details, see the OpenCage Privacy Policy.
Opt-out: Address validation is only activated when you explicitly enable the "Address Validation" rule type for an endpoint. If you do not configure address validation rules, no data is sent to OpenCage.