Privacy Policy
GDPR-compliant data protection policy
1. Data Controller
The data controller responsible for data processing on this website is:
OpenAlice Labs
[Street Address]
[Postal Code] [City], Germany
Email: privacy@openalice.io
2. Data We Collect
We collect and process the following personal data:
- Account data: name, email address, hashed password
- API usage logs: endpoint called, timestamps, input/output token counts, response latency
- Technical data: IP addresses, browser user agent (for security and abuse prevention)
- Billing data: subscription plan, usage counters
3. Purpose of Data Processing
Your data is processed exclusively for:
- Providing and maintaining our services
- Authentication and account management
- API quota management and billing
- Security monitoring and abuse prevention
- Service improvement and performance analytics
We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. Legal Basis
Data processing is based on the following legal grounds under GDPR:
- Art. 6(1)(b) GDPR: performance of contract (providing the API service)
- Art. 6(1)(f) GDPR: legitimate interests (security, fraud prevention)
- Art. 6(1)(c) GDPR: legal obligations (tax and accounting records)
5. Data Storage and Security
All data is stored on Hetzner dedicated servers in Germany (EU). Data never leaves the European Union.
We implement industry-standard security measures, including:
- TLS encryption for all data in transit
- Encrypted storage for sensitive data at rest
- Bcrypt password hashing
- Rate limiting and IP-based abuse detection
- HSTS, CSP, X-Frame-Options, and XSS protection headers
6. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Upon account deletion:
- Account data is deleted within 30 days
- Usage logs are anonymized or deleted within 90 days
- Billing records are retained for 10 years as required by German tax law (§ 147 AO)
7. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15 GDPR) — obtain a copy of your personal data
- Right to rectification (Art. 16 GDPR) — correct inaccurate data
- Right to erasure (Art. 17 GDPR) — request deletion of your data
- Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format
- Right to restrict processing (Art. 18 GDPR)
- Right to object (Art. 21 GDPR) — object to processing based on legitimate interests
To exercise any of these rights, contact us at privacy@openalice.io. We will respond within 30 days.
8. Cookies
We use only technically necessary cookies for authentication and session management. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
9. Third-Party Services
We use the following third-party services for infrastructure:
- Hetzner Online GmbH — server hosting (Nuremberg/Falkenstein, Germany)
No data is transferred to processors outside the EU/EEA.
10. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for our company is:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153
53117 Bonn, Germany
www.bfdi.bund.de
11. Changes to This Policy
We may update this privacy policy from time to time. We will notify users of material changes via email or a notice on our website. Continued use of the service after changes constitutes acceptance of the updated policy.