Privacy Policy
Last updated: April 13, 2026
Who We Are
Fabian Schucht, trading as Iteration Layer, Calle General Vives 1, 6E, 35006 Las Palmas de Gran Canaria, Spain (NIF Z1096165J) is the data controller. For data protection inquiries, contact [email protected].
Under Article 37 of the GDPR, a Data Protection Officer is not required for our operations as we do not carry out large-scale systematic monitoring of individuals or large-scale processing of special categories of data. The data controller is directly responsible for data protection compliance and can be reached at the address above.
Data We Collect
We collect the following categories of personal data, each for a specific purpose explained in the sections below.
Account data
Email address and optional profile image. If you sign in via Google or GitHub, we also receive your provider user ID so we can link your account. We do not store passwords — authentication uses secure magic links sent to your email.
Organization data
Organization name, URL slug, optional logo, and the roles of each member (owner, admin, or member). When you invite someone, we store their email address and the invitation status until they accept or the invitation expires.
API key data
For each API key you create, we store a name, a short prefix for identification, a cryptographic hash of the key (never the key itself), and a timestamp of when it was last used.
Billing and subscription data
Subscription plan, billing period, credit balance, and payment processor identifiers (customer ID and subscription ID). We use Stripe, Inc. as our payment processor — we never see or store full card numbers.
Usage data
For every API call, we log which endpoint was called, the HTTP status code, credits consumed, and a timestamp. These logs are linked to your organization and API key, not to individual users.
Content data
Documents and images you submit for processing through our APIs. This content is processed transiently in memory and returned to you — we do not store it after the request completes. Your content is never used to train, fine-tune, or improve any AI models, whether ours or those of our sub-processors. Google Vertex AI, which we use for inference, processes your data under terms that explicitly prohibit using customer data for model training.
Technical data
Standard server logs that include IP address, browser type, operating system, and referral URL. These are used exclusively for security monitoring (detecting brute-force attacks, unauthorized access attempts) and are not linked to your account. Server logs are deleted after 90 days.
Analytics data
We use a self-hosted OpenPanel instance on our own infrastructure to collect anonymous, aggregated website usage statistics (page views, referrers, device types). Analytics are collected server-side — no client-side tracking scripts are loaded, no cookies are set, and no personal data is collected. All analytics data stays on our own servers. No IP addresses, user agents, session identifiers, or any other data that could identify an individual are stored in the analytics system. Data is aggregated into counters at the time of collection (e.g., total page views per path per day), making re-identification technically impossible because the underlying individual-level data never exists.
Authentication
We offer two ways to sign in: magic links sent to your email (valid for 15 minutes, single-use) and OAuth via Google or GitHub. When you use OAuth, the provider shares your email and a unique identifier with us so we can create or link your account. We store your OAuth provider user ID but do not retain your OAuth access or refresh tokens beyond the initial sign-in exchange.
Legal Basis for Processing
- Contract performance (Art. 6(1)(b)) — account management, API delivery, billing
- Legitimate interests (Art. 6(1)(f)) — we rely on this basis for three specific purposes, each with a documented balancing test:
  - Service improvement — data processed: aggregated API call counts, error rates by endpoint, response times. No individual-level behaviour is tracked. Necessity: we cannot identify reliability issues without this data. Impact on data subjects: minimal, because data is aggregated before analysis and cannot be traced to individuals.
  - Security monitoring — data processed: IP addresses, request rates, authentication success/failure events. Stored in server logs for 90 days. Necessity: required to detect brute-force attacks, credential stuffing, and unauthorized access. Impact on data subjects: proportionate, because logs are retained for a limited period, are not shared externally, and are not used for any other purpose.
  - Fraud prevention — data processed: billing event patterns, chargeback records, payment anomalies. Necessity: fraud cannot be detected after the fact without contemporaneous records. Impact on data subjects: proportionate, because this data is already collected for billing under contract performance and the additional fraud-detection use adds no new data collection.

  You have the right to object to any processing based on legitimate interests under Article 21 of the GDPR. Contact [email protected] with your objection, and we will cease the contested processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Legal obligation (Art. 6(1)(c)) — tax reporting, lawful government requests
- Consent (Art. 6(1)(a)) — marketing communications; withdrawable at any time
Purpose of Processing
- Provide and improve our API services, account management, and support
- Process payments and manage subscriptions
- Monitor usage for performance, reliability, and security
- Detect and prevent fraud and technical issues
- Communicate service updates and security alerts
- Comply with applicable laws and regulations
AI Model Training and Automated Decision-Making
We do not use your personal data or submitted content to train, fine-tune, or improve AI models. Content submitted through our APIs is processed for inference only and is not retained after the response is delivered. Our sub-processor Google Vertex AI operates under data processing terms that prohibit using customer data for model training.
We do not engage in profiling or automated decision-making that produces legal effects or similarly significant effects on you, as described in Article 22 of the GDPR. Operational measures such as rate limiting and fraud detection are applied uniformly to protect service integrity and do not constitute profiling.
Third-Party Services
We share data with a small number of third-party providers, all bound by data processing agreements. See the sub-processors section below for the full list. We do not sell your personal data or share it for third-party marketing.
If you choose to sign in via Google or GitHub, your authentication data is exchanged directly with those providers under their respective privacy policies. They act as independent controllers for that data, not as our sub-processors.
International Data Transfers
Our primary infrastructure is in the EU (Hetzner, Germany). Where transfers outside the EEA are necessary — for example, when content is processed through Google Vertex AI (data processed in the Netherlands) — we rely on the EU-US Data Privacy Framework, EU Standard Contractual Clauses (SCCs), or adequacy decisions. If the EU-US Data Privacy Framework is invalidated, we will automatically fall back to SCCs already in place with each sub-processor (Stripe and Google both maintain executed SCCs). We will notify users of any change to transfer mechanisms via email and an update to this policy. See our Data Processing Agreement for details.
Data Retention
We keep your data only as long as needed for its purpose. Here are the specific retention periods:
- Account data — retained while your account is active, deleted within 30 days of account termination
- Session tokens — valid for 14 days, automatically renewed if you remain active
- Magic link tokens — expire after 15 minutes and are deleted after use
- Email change tokens — valid for 7 days and deleted after use
- Organization invitations — expire after their set period; expired invitations are retained for audit purposes
- Server logs (IP addresses, browser type) — 90 days, used exclusively for security monitoring
- API usage logs — 90 days. This period is the minimum necessary to cover billing reconciliation cycles and payment dispute windows (card network chargebacks may be filed up to 120 days after a charge). Logs are used solely to verify credit consumption and resolve billing disputes. Early deletion would remove the evidence needed to protect both parties in a dispute, so it is not available during this period. Logs are automatically purged after 90 days.
- Payment and subscription records — as required by tax law (typically 5-7 years)
- Content submitted for processing — deleted immediately after the API response is delivered
- Aggregated, anonymized analytics — retained indefinitely. Re-identification is technically impossible because no individual-level data is ever stored: our analytics system records only aggregate counters (e.g., page path received 142 views on a given day) with no IP addresses, user agents, session identifiers, or any other linkable attributes. Since this data does not constitute personal data under GDPR Article 4(1), the storage limitation principle does not apply. Contact us if you have questions.
Cookies and Tracking
We use only essential cookies for session authentication and CSRF protection. No tracking, advertising, or third-party analytics cookies are set. Consent is not required under the ePrivacy Directive for strictly necessary cookies.
Our website analytics are powered by a self-hosted OpenPanel instance running on our own infrastructure. Analytics are collected entirely server-side — no tracking scripts are loaded in your browser, no cookies are set for analytics, and no personal data is collected. No data leaves our infrastructure for analytics purposes.
Security
We protect your data with TLS 1.2+ encryption in transit, encryption at rest, secure authentication via magic links and OAuth (no passwords stored), hashed API keys, least-privilege access controls, rate limiting on all API endpoints, regular vulnerability scanning, intrusion detection with community threat intelligence (CrowdSec), and incident response procedures. In the event of a personal data breach, we will notify affected users and the relevant supervisory authority within 48 hours of becoming aware of the breach, as detailed in our Data Processing Agreement. For details on our security measures, see Schedule I of our Data Processing Agreement.
Your Rights
Under the GDPR you have the right to:
- Access a copy of your personal data
- Rectify inaccurate or incomplete data
- Erase your data (subject to legal retention requirements)
- Restrict processing
- Receive your data in a portable, machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time
- Lodge a complaint with the Spanish Data Protection Agency (AEPD) or your local supervisory authority
Contact [email protected] to exercise any of these rights. We will respond within 30 days.
Sub-processors
These are the third-party providers that process data on our behalf. For governance details, see our Data Processing Agreement.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure and DNS | Germany (EU) | N/A (EEA) |
| Stripe, Inc. | Payment processing | United States | EU-US Data Privacy Framework |
| Google LLC (Vertex AI) | AI model inference | United States; data processed in Netherlands (EU) | EU-US Data Privacy Framework |
| Lettermint B.V. | Transactional email delivery | Netherlands (EU) | N/A (EEA) |
| OpenStatus SAS | Uptime monitoring | France (EU) | N/A (EEA); SCCs for non-EEA monitoring regions |
| CrowdSec SAS | Intrusion detection and community threat intelligence | France (EU) | N/A (EEA) |
Website analytics are handled through a self-hosted OpenPanel instance on our own infrastructure — no third-party provider is involved.
Changes to This Policy
We may update this policy and will post changes here with an updated date. For material changes we will give at least 30 days' notice via email.
Contact
For any questions about this Privacy Policy or our data practices, contact us at [email protected].