Pricing Guides Products API Reference ← alexambros.com

Privacy Policy

Version: 1.0 / Effective date: March 2026

1. Data Controller

The controller of your personal data is Alex Ambros, conducting unregistered business activity within the meaning of Art. 5 of the Act of 6 March 2018 — Entrepreneurs' Law, with registered address at: POLAND 41-902 Bytom 19/3 Łukasz Wallisa St. (hereinafter: Controller). Contact regarding all personal data protection matters is available at: contact@alexambros.com — this is a direct contact to the Controller, who personally oversees data processing within the Alexambros API system.

2. Nature of the Service and Privacy Approach

Alexambros API is a product directed exclusively at professional entities (B2B). The system architecture was designed according to the Privacy by Design principle — we collect and store only the personal data that is strictly necessary for the proper provision of the service. We do not profile users, sell data, or use it for marketing purposes. Importantly: Alexambros API does not process any financial data of Users. All information regarding payment cards, bank accounts and transactions is handled exclusively by the independent Payment Operator — Paddle — in accordance with its own Privacy Policy.

3. What Data We Collect and Why

3.1 Email address

Purpose of processing Legal basis
Identity verification and Account activation (sending a one-time activation token) Art. 6(1)(b) GDPR — necessity for the performance of a contract
Technical communication regarding the service (outages, Terms updates, important changes) Art. 6(1)(b) GDPR — necessity for the performance of a contract
Handling requests regarding personal data Art. 6(1)(c) GDPR — legal obligation

The email address is stored for the duration of the Agreement and for 180 days after Account deactivation (reactivation period). After this period it is permanently and irrevocably deleted.

3.2 Last connection IP address

The Alexambros API system records the IP address from which the last authorized API request was made. This is solely for the purpose of protecting Account security and preventing unauthorized access. The Controller acknowledges that IP addresses assigned by internet providers may be dynamic and change over time — this information serves a diagnostic, not identification purpose.

Purpose of processing Legal basis
Account security, identification of potential abuse and unauthorized access Art. 6(1)(f) GDPR — legitimate interest of the Controller

The last-used IP information is stored until the next request (overwritten) or until permanent Account deletion.

3.3 API system logs

To ensure infrastructure stability and detect technical errors, the system records technical HTTP request logs which may contain IP addresses and request metadata (endpoint, method, response code, timestamp). These logs are stored for 30 to 90 days, after which they are automatically and permanently deleted.

Purpose of processing Legal basis
Technical diagnostics, performance and infrastructure security monitoring Art. 6(1)(f) GDPR — legitimate interest of the Controller

4. What We Do NOT Collect

For full transparency, Alexambros API does not collect or process:

  • first and last name, phone number, or any other direct identifying data beyond an email address,
  • payment card data, bank account details, or transaction history (this is handled exclusively by Paddle),
  • device location data,
  • operating system, browser, or end-device information,
  • cookies (the service is accessible exclusively via API — it has no browser interface).

5. Data Processors (Sub-processors)

The Controller has entrusted personal data processing to only one category of external entities, with whom it has entered or undertakes to enter into data processing agreements in accordance with Art. 28 GDPR:

Entity Role Location Purpose
Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany server infrastructure and email system provider Germany (EEA) Hosting of Alexambros API production servers, sending activation and system emails
Paddle.com Market Limited, Judd House, 18-29 Mora Street, London, EC1V 8BT, United Kingdom financial transaction operator, responsible for collecting payments, issuing invoices and tax settlements United Kingdom (outside EEA) Payment processing, issuing invoices and tax settlements

Hetzner Online GmbH, headquartered in Germany, is subject to European Union law, meaning personal data is not transferred outside the European Economic Area (EEA). The Controller does not use any external email service providers (SaaS) — the mail infrastructure is entirely self-managed by the Controller on servers hosted by Hetzner.

Paddle.com Market Limited, based in the United Kingdom, processes only the data necessary to complete financial transactions. Data transfers are carried out on the basis of Standard Contractual Clauses (SCC) in accordance with Article 46 of the GDPR.

6. Rights of Data Subjects

Although Alexambros API is a service addressed exclusively to B2B entities, to the extent that the User is a natural person running a business, he or she has full rights provided for by the GDPR:

  • Right of access — you may request confirmation of whether we process your personal data and obtain a copy of that data (Art. 15 GDPR).
  • Right to rectification — you may request correction or completion of inaccurate or outdated personal data (Art. 16 GDPR).
  • Right to erasure ("right to be forgotten") — you may request deletion of your data when it is no longer necessary for the purposes for which it was collected (Art. 17 GDPR). A request submitted during the term of the Agreement results in its termination.
  • Right to data portability — you may request transfer of your data in a machine-readable format (Art. 20 GDPR).
  • Right to restriction of processing — you may request restriction of processing in the cases specified in Art. 18 GDPR.
  • Right to object — you may object to processing based on the Controller's legitimate interest (e.g. to the processing of IP addresses for security purposes), in accordance with Art. 21 GDPR.
  • Right to lodge a complaint — if you believe we are processing your data unlawfully, you may lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.

All requests regarding GDPR rights should be directed to: contact@alexambros.com. The Controller responds without undue delay, no later than 30 days from receipt of the request.

7. Data Security

The Controller applies appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. In particular:

  • API communication is encrypted using TLS 1.2/1.3 protocol,
  • database access is only possible from authorized IP addresses,
  • API Tokens are stored in hashed form — if a Token is lost, a new one must be generated.

8. Data Retention Summary

Data category Retention period
Email address (active Account) For the duration of the Agreement
Email address (after cancellation) 180 days from Account deactivation
Last IP address (active Account) Until next overwrite or Account deletion
API system logs 30–90 days from generation
All data (permanent deletion) After 180 days from Account deactivation

9. Changes to this Privacy Policy

The Controller reserves the right to update this Privacy Policy in the event of changes in applicable law, technologies used, or the scope of data processed. Users will be notified of any material change at least 14 days in advance via email.