Privacy Policy

Last updated: February 2025

Apinator ("Service", "we", "us") is a free WebSocket infrastructure service operated by an individual based in Austria. We take your privacy seriously and process your data in accordance with the EU General Data Protection Regulation (GDPR) and Austrian data protection law (DSG).

1. Data Controller

The data controller responsible for processing your personal data is:

Shpetim Islami
Vienna, Austria
Email: hello@apinator.io

2. What Data We Collect

Account Data

When you create an account, we collect:

  • Email address
  • Name (if provided)
  • Organization name (if provided)
  • Hashed password (we never store plaintext passwords)

Usage Data

When you use the Service, we automatically collect:

  • Connection counts and message volumes (for billing/quota enforcement)
  • API request metadata (timestamps, endpoints accessed)
  • Channel subscription patterns (which channels your application uses)

Server Logs

Our servers automatically log:

  • IP addresses
  • Request timestamps
  • User agent strings
  • HTTP request paths and status codes

Server logs are retained for a maximum of 30 days and are used solely for debugging, security monitoring, and abuse prevention.

Cookies

We use strictly necessary cookies only:

  • rt_access — authentication token (httpOnly, secure, session)
  • rt_refresh — refresh token (httpOnly, secure, persistent)

We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.

3. How We Use Your Data

We process your personal data for the following purposes:

  • Service operation — to authenticate you, manage your account, and provide the WebSocket infrastructure (legal basis: contract performance, Art. 6(1)(b) GDPR)
  • Usage tracking — to enforce usage quotas and display usage statistics in your dashboard (legal basis: contract performance, Art. 6(1)(b) GDPR)
  • Security and abuse prevention — to protect the Service and its users from abuse, fraud, and security threats (legal basis: legitimate interest, Art. 6(1)(f) GDPR)
  • Service communication — to send important service-related notifications such as security alerts or changes to the Service (legal basis: legitimate interest, Art. 6(1)(f) GDPR)

4. What We Do NOT Do

  • We do not sell your personal data to third parties
  • We do not use your data for advertising or profiling
  • We do not use analytics or tracking services
  • We do not share your data with data brokers
  • We do not read or store the content of messages transmitted through WebSocket channels — message data passes through our servers but is not persisted

5. Third-Party Services

Infrastructure Providers

Our servers are hosted by Hetzner Online GmbH (Germany). Hetzner processes data as a data processor on our behalf and is subject to GDPR. Their data processing is covered by a Data Processing Agreement (DPA).

6. Data Retention

  • Account data — retained for as long as your account exists. Deleted within 30 days of account deletion.
  • Usage records — retained for up to 12 months for quota tracking purposes.
  • Server logs — retained for a maximum of 30 days.
  • WebSocket message data — not stored. Messages are relayed in real time and not persisted.

7. Your Rights Under GDPR

As a data subject in the EU, you have the following rights:

  • Right of access (Art. 15) — request a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate personal data
  • Right to erasure (Art. 17) — request deletion of your personal data
  • Right to restriction (Art. 18) — restrict processing of your personal data
  • Right to data portability (Art. 20) — receive your data in a machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interests

To exercise any of these rights, please contact us at hello@apinator.io. We will respond within 30 days.

8. Data Transfers

Your data is stored on servers within the European Union (Germany). We do not transfer your personal data outside the EU/EEA. All assets are self-hosted — no external requests are made to third-party services when you visit our website.

9. Security

We implement reasonable technical and organizational measures to protect your data, including encrypted connections (TLS), hashed passwords, and access controls. However, as stated in our Terms of Service, no service can guarantee absolute security.

10. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The "last updated" date at the top indicates the latest revision. Continued use of the Service constitutes acceptance of the updated policy.

12. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Austrian Data Protection Authority:

Österreichische Datenschutzbehörde
Barichgasse 40–42, 1030 Vienna
www.dsb.gv.at

13. Contact

For any privacy-related questions or requests, please contact:
hello@apinator.io