Privacy Policy
Last Update: 21st December 2025
At ipapi.is, we are committed to protecting your privacy and personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable German data protection laws. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal data.
1. Data Controller
The data controller responsible for the processing of your personal data is:
ipapi.is (Nikolai Tschacher)
VAT No: DE325806975
Berlin, Germany
Email: info@ipapi.is
2. Scope of This Policy
This Privacy Policy applies to our website ipapi.is and the associated API services. It covers all personal data collected through our online services. This policy does not apply to third-party websites that may be linked from our site.
3. Personal Data We Collect
We collect and process the following categories of personal data:
3.1 Account Registration Data
When you register for an account, we collect:
- Email address (required)
- Name (optional)
- Company name (optional, for business accounts)
- Billing address (for paid accounts)
- VAT number (optional, for EU business accounts requiring VAT exemption)
3.2 Communication Data
When you contact us via email or support channels, we may collect:
- Your name and email address
- The content of your messages
- Any information you voluntarily provide
3.3 Technical Data (Aggregated Only)
We collect aggregated, anonymized usage statistics only:
- Total API request counts per account (for billing purposes)
- General service performance metrics
Important: We do NOT log or store:
- IP addresses from API queries
- Individual API request details or queried data
- Browsing behavior or session information
- Any tracking or behavioral data
4. Legal Basis and Purpose of Data Processing
We process your personal data based on the following legal grounds under Art. 6(1) GDPR:
4.1 Contractual Necessity (Art. 6(1)(b) GDPR)
- Account management: Processing account registration data to provide API access and manage your account
- Service delivery: Operating and maintaining the API services you subscribe to
- Billing: Processing payment information and usage data for paid accounts
4.2 Legitimate Interest (Art. 6(1)(f) GDPR)
- Service improvement: Analyzing aggregated usage statistics to improve service quality and performance
- Fraud prevention: Detecting and preventing fraudulent or abusive use of our services
- Customer support: Responding to your inquiries and providing technical support
4.3 Legal Obligation (Art. 6(1)(c) GDPR)
- Tax compliance: Retaining billing information as required by German tax law
- Accounting: Maintaining financial records as mandated by commercial law
We do NOT use your personal data for:
- Targeted advertising or profiling
- Selling or sharing with third parties for marketing purposes
- Automated decision-making with legal or similarly significant effects
- Tracking across websites or detailed behavioral analysis
5. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy:
- Account data: Retained for the duration of your active account plus 30 days after account closure (unless longer retention is required by law)
- Billing and invoicing data: Retained for 10 years as required by German tax law (§ 147 AO, § 257 HGB)
- Communication records: Retained for 3 years after last correspondence for customer service purposes
- Aggregated usage statistics: Retained indefinitely as they contain no personal data
After the retention period expires, personal data will be securely deleted or anonymized.
6. Data Collection and API Usage Logging
Privacy-First Approach: ipapi.is is designed with privacy as a core principle. We do NOT log or monitor:
- IP addresses from API queries
- The specific data you query through our API
- Individual API request details or parameters
- User session information or browsing behavior
- Any personally identifiable information from API usage
We only collect and store aggregated, anonymized data for:
- Usage statistics: Total number of API requests per account (for billing purposes only)
- Service monitoring: General service health and performance metrics
This aggregated data is anonymized and cannot be used to identify individual users, trace specific queries, or reconstruct any personal information. Your API usage remains completely private.
7. Analytics and Tracking
No Third-Party Analytics: We do NOT use any third-party analytics or tracking services. Specifically:
- No Google Analytics, Matomo, Plausible, or any other analytics platforms
- No tracking pixels, web beacons, or similar tracking technologies
- No cross-site tracking or behavioral profiling
- No data sharing with analytics providers
- No external JavaScript libraries for monitoring or tracking
Your browsing behavior on our website is not tracked, monitored, or analyzed by us or any third party. Any service statistics we maintain are based solely on aggregated, anonymized data as described in Section 6.
8. Cookies and Similar Technologies
ipapi.is uses cookies exclusively for strictly necessary technical purposes:
8.1 Strictly Necessary Cookies
We use session cookies only for:
- User authentication (login/logout functionality)
- Maintaining your logged-in session
- Security and fraud prevention (CSRF protection)
Legal basis: These cookies are strictly necessary for the provision of our services (Art. 6(1)(b) GDPR) and do not require separate consent under ePrivacy regulations.
8.2 What We Do NOT Use
We do NOT use:
- Analytics cookies
- Marketing or advertising cookies
- Third-party tracking cookies
- Social media cookies
- Persistent cookies beyond session management
You can manage cookie preferences in your browser settings. However, disabling authentication cookies will prevent you from logging into your account.
9. Third-Party Services and Data Sharing
No Advertising: We do not use any advertising networks, ad servers, or marketing partners. There are no third-party advertisements on ipapi.is.
9.1 Payment Processing
For paid accounts, we use third-party payment processors to handle billing and payments. When you provide payment information, it is transmitted directly to the payment processor and is not stored on our servers. Payment processors operate under their own privacy policies and GDPR-compliant data processing agreements.
9.2 Data We Do NOT Share
We do NOT:
- Sell, rent, or trade your personal data to third parties
- Share your data with advertising networks or data brokers
- Provide your data to analytics companies
- Share your API usage data or queried information with anyone
- Transfer data outside the European Economic Area (EEA) except as specified below
9.3 International Data Transfers
We process and store all personal data within the European Economic Area (EEA). If we need to transfer data outside the EEA (e.g., for payment processing), we ensure appropriate safeguards are in place as required by Art. 44-50 GDPR, such as:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Binding Corporate Rules where applicable
10. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights regarding your personal data:
10.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of your personal data. The first copy is provided free of charge. Additional copies may incur a reasonable administrative fee.
10.2 Right to Rectification (Art. 16 GDPR)
You have the right to request correction of inaccurate personal data and to have incomplete data completed.
10.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to the processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
Note: This right may be limited if we are required to retain data for legal obligations (e.g., tax records).
10.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request restriction of processing when:
- You contest the accuracy of the personal data
- The processing is unlawful and you oppose erasure
- We no longer need the data, but you need it for legal claims
- You have objected to processing pending verification of legitimate grounds
10.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller where technically feasible.
10.6 Right to Object (Art. 21 GDPR)
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
10.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
10.8 Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, place of work, or place of the alleged infringement.
German Supervisory Authority:
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153
53117 Bonn, Germany
Phone: +49 (0)228 997799-0
Email: poststelle@bfdi.bund.de
Website: www.bfdi.bund.de
10.9 How to Exercise Your Rights
To exercise any of these rights, please contact us using the contact information in Section 1. We will respond to your request without undue delay and within one month of receipt. This period may be extended by two additional months where necessary, taking into account the complexity of the request.
We may request proof of identity to verify your request and protect your personal data from unauthorized access.
11. CCPA Privacy Rights (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of the categories and specific pieces of personal data we have collected about you
- Right to Delete: Request deletion of your personal data
- Right to Opt-Out: We do not sell personal data, so no opt-out is necessary
- Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights
To exercise these rights, please contact us using the information in Section 1. We will respond within 45 days of receiving your request.
12. Data Security
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit using TLS/SSL protocols
- Encryption of sensitive data at rest
- Access controls and authentication mechanisms
- Regular security assessments and updates
- Minimization of data collection (privacy by design)
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
13. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16 years of age.
If we become aware that we have collected personal data from a child under age 16 without parental consent, we will take steps to delete that information as quickly as possible.
If you believe that a child under 16 has provided us with personal data, please contact us immediately using the contact information in Section 1.
14. Automated Decision-Making and Profiling
We do NOT engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, as defined under Art. 22 GDPR.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons.
When we make material changes to this Privacy Policy, we will:
- Update the "Last Update" date at the top of this policy
- Notify you via email if you have an account with us (for significant changes)
- Where required by law, obtain your consent for material changes
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Continued use of our services after changes constitutes acceptance of the updated policy.
16. Contact Information and Data Protection Inquiries
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Email: info@ipapi.is
Address: Berlin, Germany
For data protection inquiries or to exercise your GDPR rights, you can also reach us at the contact information provided in Section 1 (Data Controller).
Response Time: We will respond to your inquiry within one month. For complex requests, this period may be extended by up to two additional months, and we will inform you of such extension.