Privacy Policy

1. Overview

This privacy policy explains how KonbiniAPI (“we,” “us,” “our”) collects, uses, stores, and protects your personal data when you use our website at konbiniapi.com and our social media data API service.

KonbiniAPI is operated from Spain. If you have any questions about this policy or how we handle your data, you can reach us at hello@konbiniapi.com.

This policy applies to all users of our website and API service. By using KonbiniAPI, you acknowledge that you have read and understood this policy.

2. Data We Collect

Account data

When you create an account, we collect your email address and a hashed version of your password. You may optionally provide your name. We never store passwords in plain text.

Payment data

All payment processing is handled by Stripe. We never see, store, or have access to your full card numbers. We do store your Stripe customer ID and records of transactions (plan, amount, date) for billing and accounting purposes.

API usage data

When you make requests to our API, we log the endpoint called, the timestamp, HTTP status code, response time, and the number of credits consumed. We also record the IP address the request originated from.

Website data

When you visit our website, we may collect standard web information such as pages visited, browser type and version, and the referring URL.

3. How We Use Your Data

We use the data we collect to:

• Provide, maintain, and improve the KonbiniAPI service
• Process payments and manage your subscription through Stripe
• Monitor API usage and enforce plan limits
• Detect abuse, prevent fraud, and address security threats
• Send transactional emails related to your account, billing, and service updates

We do not send marketing emails unless you have explicitly opted in. You can withdraw that consent at any time.

4. Lawful Basis for Processing

Under GDPR Article 6, we process your personal data on the following legal grounds:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide you with an account, API access, and billing — i.e., to fulfill the service you signed up for.
• Legitimate interests (Art. 6(1)(f)): Security monitoring, abuse detection, debugging, and service improvement. We balance these interests against your rights and only process what is necessary.
• Consent (Art. 6(1)(a)): Marketing communications, if any. You will only receive marketing emails if you opt in, and you can withdraw consent at any time.

5. Data About Third Parties

Our API accesses publicly available information from social media platforms such as Instagram and TikTok. This includes public profiles, posts, comments, and other content that any internet user can view without authentication.

Our legal basis for accessing this publicly available data is legitimate interest, as recognized by GDPR Recital 47. We also comply with the transparency obligations of GDPR Article 14 regarding data not obtained directly from the data subject.

We do not store or cache scraped data. All data is fetched in real-time from the source platform and returned directly to you in the API response. Once the response is delivered, we do not retain a copy.

If you use our API to collect personal data about individuals, you are responsible for your own GDPR compliance. This includes establishing a lawful basis for your processing, providing appropriate notices, and responding to data subject requests.

6. Third-Party Processors

We share your data with the following third-party service providers, who process it on our behalf:

• Stripe — Payment processing. Stripe Privacy Policy
• Google Cloud Platform — Hosting and infrastructure. Google Cloud Privacy Notice

We may introduce analytics tools in the future. If we do, we will update this policy accordingly and obtain any required consent before deploying them.

7. Data Retention

• Account data: Retained for as long as your account is active. If you delete your account, we will remove your personal data within 30 days.
• API usage logs: Retained for 90 days for debugging and abuse detection purposes, then anonymized or deleted.
• Payment records: Retained for a minimum of 5 years as required by Spanish tax law (Ley General Tributaria).
• Website analytics: Anonymized at collection. No personal data is retained.

8. Your Rights Under GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — ask us to correct any inaccurate or incomplete data.
• Right to erasure — ask us to delete your personal data (“right to be forgotten”).
• Right to restrict processing — ask us to temporarily stop processing your data in certain circumstances.
• Right to data portability — receive your data in a structured, commonly used, machine-readable format.
• Right to object — object to processing based on legitimate interests.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at hello@konbiniapi.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.

9. Cookies

We use essential cookies only. These are strictly necessary for authentication and session management. They do not track you across websites and cannot be used to identify you personally outside of our service.

We do not use any tracking, advertising, or analytics cookies.

If we introduce analytics cookies in the future, we will obtain your explicit consent before setting them, in compliance with Spain's LSSI (Ley de Servicios de la Sociedad de la Información) and the ePrivacy Directive.

10. International Data Transfers

Our infrastructure runs on Google Cloud Platform in the United States. This means your data may be transferred to and processed in the United States, which is outside the European Economic Area.

These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, as well as Google's compliance certifications (including SOC 2 and ISO 27001). You can learn more about Google's data protection commitments at cloud.google.com/privacy.

11. Security

We take the security of your data seriously. Our measures include:

• HTTPS encryption for all data in transit
• Encrypted storage for data at rest
• API key authentication for all programmatic access
• Hashed passwords — we never store them in plain text

We follow industry-standard security practices, but no system is 100% secure. If you discover a security vulnerability, please report it to hello@konbiniapi.com and we will address it promptly.

12. Children

KonbiniAPI is not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us at hello@konbiniapi.com and we will delete it promptly.

13. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will notify you by email at least 14 days before the changes take effect.

If you continue to use KonbiniAPI after the notice period, you are considered to have accepted the updated policy. If you disagree with any changes, you may delete your account before the new policy takes effect.

14. Contact

For any questions, concerns, or requests related to this privacy policy or your personal data, contact us at:

hello@konbiniapi.com

If you are unsatisfied with our response, you have the right to lodge a complaint with the Spanish Data Protection Agency:

Agencia Española de Protección de Datos (AEPD)
www.aepd.es