Privacy Policy
Last updated: May 2026
1. Controller
The controller of your personal data under Regulation (EU) 2016/679 (GDPR) is the operator of SECfinAPI. Full identification — legal name, registered seat, company ID (IČO), VAT ID (DIČ), and supervisory authority — is published on the Imprint page.
For any data-protection request (access, rectification, erasure, restriction, portability, objection) contact privacy@secfinapi.com. We respond within 30 days as required by Article 12(3) GDPR.
2. What we collect and why
We collect the minimum necessary to operate the service. For each category we list the data, the purpose, and the legal basis under Article 6(1) GDPR.
- Account data — name, email, hashed password, hashed API key. Purpose: authenticate you, deliver the API key, send transactional emails. Legal basis: Art. 6(1)(b) — performance of the contract.
- Billing data — Stripe customer ID, subscription ID, plan tier, status, invoice records, last 4 digits of card (never the full PAN). Purpose: process payments, generate VAT invoices, comply with accounting law. Legal basis: Art. 6(1)(b) contract + Art. 6(1)(c) legal obligation (Czech Act 235/2004 Sb. on VAT, Act 563/1991 Sb. on accounting — 5–10 year retention).
- Usage data — per-day API request counts per key. Purpose: enforce rate limits, show usage in your dashboard. Legal basis: Art. 6(1)(b) contract.
- Operational logs — request method, path, timestamp, request ID, the prefix of your API key (never the full key), IP address as logged by our hosting provider. Purpose: debugging, security incident response, fraud and abuse prevention. Legal basis: Art. 6(1)(f) legitimate interest in operating a secure and reliable service.
- Anti-fraud / abuse signals — failed-login counters, registration rate-limit buckets, Stripe Radar fraud scores. Purpose: prevent credential stuffing, mass-registration, payment fraud. Legal basis: Art. 6(1)(f) legitimate interest.
We do not use analytics trackers, advertising cookies, or third-party telemetry. We do not profile users and we do not make automated decisions with legal or similarly significant effect within the meaning of Article 22 GDPR.
3. Recipients and sub-processors
Personal data is shared only with the following processors, each under a written data-processing agreement (Art. 28 GDPR):
- Stripe Payments Europe, Ltd. (Ireland, EU) — payment processing, invoice issuance, chargeback handling. Stripe is a separate controller for fraud-prevention purposes. See stripe.com/privacy.
- Resend, Inc. (USA) — transactional email delivery (verification, password reset, receipts). Transfer to the USA relies on the EU–US Data Privacy Framework and/or Standard Contractual Clauses. See resend.com/legal/privacy-policy.
- Vercel Inc. (USA) — frontend hosting and edge caching for secfinapi.com. SCCs in place. See vercel.com/legal/privacy-policy.
- Railway Corp. (USA) — backend hosting. SCCs in place. See railway.com/legal/privacy.
- Cloudflare R2 (Cloudflare, Inc., USA) — encrypted database backups. SCCs in place. See cloudflare.com/privacypolicy.
- Sentry / Functional Software, Inc. (USA) — error monitoring, if enabled. SCCs in place. We strip request bodies and PII fields from breadcrumbs.
We do not sell personal data, do not share it for behavioural advertising, and do not transfer it to recipients outside this list except where compelled by a lawful order from a competent authority.
4. International transfers
Several of our sub-processors are located in the United States. Transfers rely on (a) the EU–US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795) where the recipient is self-certified, and/or (b) Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914) supplemented by technical safeguards (TLS in transit, encryption at rest, access controls).
5. Retention
We retain personal data only as long as necessary for the stated purpose:
- Account + usage data — for the duration of your account. When you delete the account, all rows (email, password hash, API key hash, per-day usage counters) are removed in the same request.
- Invoices and tax records — retained 10 years as required by Czech Act 235/2004 Sb. on VAT (§ 35) for VAT payers and Act 563/1991 Sb. on accounting (§ 31). This obligation overrides the account-deletion request for these specific records.
- Operational logs — rotated automatically after 30 days.
- Database backups — Cloudflare R2 retains the 14 most recent snapshots; older ones are overwritten. A residual record of you may persist in backups for up to ~14 days after deletion.
- Anti-fraud signals (Stripe) — up to 7 years per Stripe's policy and applicable anti-money-laundering rules.
6. Your rights (GDPR Articles 15–22)
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data (your name and email are editable directly in the account settings).
- Erasure ("right to be forgotten") — delete your account at any time from /account. Tax-record retention (Section 5) is the only carve-out.
- Restriction — ask us to suspend processing while a complaint is being resolved.
- Portability — receive your account and usage data in a structured, machine-readable JSON export. Email privacy@secfinapi.com to request it.
- Objection — object to processing based on legitimate interest (Section 2).
- Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Lodge a complaint with the Czech data-protection authority Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, uoou.cz, or with the supervisory authority of your EU country of residence.
7. Security
Passwords are hashed with bcrypt; API keys are stored as SHA-256 hashes only. All traffic is encrypted over TLS 1.2+. Database backups are encrypted at rest. We do not store card numbers — payment data is tokenised by Stripe. Personnel access to production systems is limited to the operator and protected by 2FA. We will notify you and the supervisory authority within 72 hours of becoming aware of a personal-data breach likely to result in a risk to your rights and freedoms, as required by Articles 33 and 34 GDPR.
8. Cookies and similar storage
We use only strictly necessary storage: a JSON Web Token in your browser's localStorage that keeps you signed in, and a small acknowledgement flag for the cookie notice itself. Under § 89 of Czech Act 127/2005 Sb. and Article 5(3) of Directive 2002/58/EC (ePrivacy), strictly necessary storage does not require consent. We do not use analytics, advertising, or third-party tracking cookies. If we ever add non-essential cookies, an explicit opt-in consent banner will be shown first.
9. Children
The service is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has registered, contact privacy@secfinapi.com and we will delete the account.
10. Changes to this policy
We may update this policy. Material changes (new processing purposes, new processors handling your data, broadened retention) are notified by email at least 30 days in advance. The current version and the "Last updated" date are always available on this page.
11. Contact
Data-protection requests: privacy@secfinapi.com — General support: support@secfinapi.com.