Privacy Policy — Exchange Rate API

1. Introduction

Exchange Rate API ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website at exchange-rateapi.com ("Website"), our application programming interface ("API"), and related services (collectively, the "Service").

This policy is designed to comply with the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Information

Data	Purpose	Retention
Email address	Account creation, authentication, billing communications	Duration of account + 30 days
Full name	Account identification, billing	Duration of account + 30 days
Password (hashed)	Account authentication	Duration of account

2.2 API Usage Data

Data	Purpose	Retention
API request logs (endpoint, timestamp, response code)	Usage tracking, rate limiting, debugging	90 days
IP address	Security, abuse prevention, rate limiting	90 days
Request count per billing period	Plan enforcement, billing	12 months

2.3 Payment Information

Payment card details are collected and processed directly by our payment processor, Stripe. We do not store your full card number, CVV, or expiration date on our servers. We receive and store only a tokenized reference, the last four digits of your card, and your billing address for record-keeping purposes.

2.4 Communication Data

If you contact us via our contact form or email, we collect your name, email address, and the content of your message. This data is retained for the purpose of responding to your inquiry and for up to 12 months thereafter.

3. How We Use Your Data

We use your personal data for the following purposes:

Service provision: To create and manage your account, authenticate API requests, and enforce plan limits.
Billing: To process payments, generate invoices, and manage subscriptions.
Communication: To send transactional emails (account confirmation, password resets, billing receipts, plan change notifications). We do not send marketing emails unless you explicitly opt in.
Security: To detect and prevent fraud, abuse, and unauthorized access to the Service.
Improvement: To analyze aggregate usage patterns and improve the Service. We use anonymized, aggregated data for this purpose whenever possible.
Legal compliance: To comply with applicable legal obligations, resolve disputes, and enforce our Terms of Service.

4. Legal Basis for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

Contract performance: Processing necessary to provide the Service you have registered for (Article 6(1)(b)).
Legitimate interest: Processing necessary for our legitimate interests, such as fraud prevention, service improvement, and security (Article 6(1)(f)).
Legal obligation: Processing necessary to comply with legal obligations, such as tax and accounting requirements (Article 6(1)(c)).
Consent: Where we rely on your consent (e.g., marketing communications), you may withdraw consent at any time (Article 6(1)(a)).

5. Third-Party Services

We use the following third-party services that may process your data:

Service	Purpose	Data Shared
Stripe	Payment processing	Email, name, payment card details, billing address
Cloudflare	CDN, DDoS protection, edge compute	IP address, request metadata
Resend	Transactional email delivery	Email address, name

Each of these third-party services operates under their own privacy policies. We encourage you to review their respective policies:

Stripe: stripe.com/privacy
Cloudflare: cloudflare.com/privacypolicy
Resend: resend.com/legal/privacy-policy

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

6. Cookies

We use a minimal cookie approach:

Session cookie: A single, strictly necessary session cookie is used to maintain your authenticated session when you are logged in to your account dashboard. This cookie is essential for the Service to function and does not require consent under GDPR.

We do not use advertising cookies, tracking cookies, or third-party analytics cookies. We do not participate in cross-site tracking or retargeting.

We believe in minimal data collection. One session cookie is all we use -- no trackers, no analytics pixels, no ad networks.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

Account data: Retained for the duration of your account plus 30 days after deletion to allow for account recovery.
API usage logs: Retained for 90 days, then permanently deleted.
Billing records: Retained for 12 months as required for tax and accounting purposes.
Support correspondence: Retained for 12 months after resolution.

After the retention period expires, data is permanently deleted from our systems and backups within 30 days.

8. Your Rights

Under the GDPR and other applicable data protection laws, you have the following rights regarding your personal data:

Right of access: You may request a copy of the personal data we hold about you.
Right to rectification: You may request that we correct any inaccurate or incomplete personal data.
Right to erasure (right to be forgotten): You may request that we delete your personal data, subject to legal retention requirements.
Right to data portability: You may request an export of your personal data in a structured, machine-readable format (JSON).
Right to restrict processing: You may request that we restrict the processing of your personal data under certain circumstances.
Right to object: You may object to the processing of your personal data for certain purposes, including processing based on legitimate interest.
Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time.

To exercise any of these rights, please contact us at admin@exchange-rateapi.com with the subject line "Data Rights Request." We will respond to your request within 30 days.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

TLS 1.3 encryption for all data in transit.
Encryption at rest for stored personal data.
Passwords stored using industry-standard hashing algorithms (bcrypt).
Regular security audits and vulnerability assessments.
Principle of least privilege for internal access to personal data.

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.

10. International Data Transfers

Our Service is hosted on Cloudflare's global edge network. Your data may be processed in various locations worldwide. Where personal data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also send a notification to the email address associated with your account.

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your data is being processed, please contact us:

Email: admin@exchange-rateapi.com
Web: exchange-rateapi.com/contact

If you are located in the EU and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority (DPA).