Privacy Policy

ipOptic (“we”, “us”, “our”) operates the ipOptic API and web properties. For questions about this policy, contact us at privacy@ipoptic.io.

We collect information in the following categories:

• Account data: email address and organisation name when you register for API access.
• Usage data: API request logs including the queried IP address, timestamp, endpoint, response code, and your API key identifier. Logs are retained for a maximum of 30 days.
• Payment data: billing details are processed by our payment processor (Stripe) and are not stored on our servers beyond a tokenised reference.
• Browser signals: when you use the ipOptic web tool (ipoptic.io), your browser transmits fingerprint signals and your public IP address. These are processed in-session and are not persisted to a database.
• Communication data: email correspondence and support tickets.

• To provide and improve the API and web tools.
• To authenticate API requests and enforce rate limits.
• To detect and prevent abuse, fraud, and security incidents.
• To send transactional communications (receipts, downtime notices).
• To comply with legal obligations.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

Where GDPR applies, we rely on the following legal bases:

• Contract performance — to deliver the service you have subscribed to.
• Legitimate interests — security monitoring, abuse prevention, and service improvement.
• Legal obligation — where processing is required by applicable law.
• Consent — for any non-essential communications where we have sought your explicit opt-in.

API request logs: 30 days. Account data: duration of the account plus 12 months after closure. Payment records: as required by applicable tax and financial regulations (typically 7 years). Browser-session data from the web tool: not retained beyond the session.

We engage sub-processors to support service delivery, including cloud infrastructure providers, payment processors, and email delivery providers. All sub-processors are bound by data-processing agreements consistent with GDPR requirements. A list of current sub-processors is available on request.

Our infrastructure is primarily located in the European Union and the United States. Where personal data is transferred outside the EEA, we rely on Standard Contractual Clauses or equivalent adequacy mechanisms. Contact us for transfer impact assessment documentation.

Depending on your jurisdiction, you may have rights to access, correct, erase, restrict, or port your personal data, and to object to certain processing. To exercise these rights, email privacy@ipoptic.io. We will respond within 30 days. EEA/UK residents have the right to lodge a complaint with their local supervisory authority.

The ipOptic marketing site uses essential cookies for session management and security (CSRF tokens). We do not deploy advertising or cross-site tracking cookies. If analytics are added in future, this policy will be updated and a cookie banner presented.

We will notify registered users of material changes by email at least 14 days before they take effect. Continued use of the service after the effective date constitutes acceptance of the revised policy.

Data controller: ipOptic. Email: privacy@ipoptic.io. For GDPR-specific enquiries and data-processing agreements, see also our GDPR Addendum.