Privacy Policy
This Privacy Policy explains how Legal Eye Yazılım ve Bilişim Teknolojileri Danışmanlık Prodüksiyon Müzik Film Yapım Yayım Organizasyon Anonim Şirketi (trading as "LegalEye", "we") handles personal data when you visit AllAPI.io or use the Service. We are the data controller for information collected directly on this site and through your use of the API.
Data controller
Legal Eye Yazılım ve Bilişim Teknolojileri Danışmanlık Prodüksiyon Müzik Film Yapım Yayım Organizasyon Anonim Şirketi
Sultan Selim Mah. Yamaç Sk. No:6 İç Kapı No:3, Kağıthane / İstanbul, Türkiye
Email: info@allapi.io
1. What we collect
We only collect what we need to run the Service and comply with law:
- Account & contact data: the name and email you provide when you create an account or contact us.
- API-key metadata: the hashed key, its creation and last-use timestamps, and quota counters. The plaintext key is not stored server-side after creation; you retain it.
- Request logs: for each API call, we record the timestamp, HTTP path, source IP (truncated to a /24 prefix for IPv4 or a /64 prefix for IPv6 within 30 days), response status, and credits consumed. We do not persist request bodies or response bodies beyond short-term operational caches (up to 24 hours) used for retry, rate-limiting, and abuse detection.
- Payment data: card number, billing address, and tax identifiers are collected and processed exclusively by Paddle.com Inc. as our Merchant of Record. We never receive full card numbers; we only see the invoice ID, plan, and status information Paddle returns to us.
- Cookies: we set only strictly-necessary session cookies for dashboard login (when you sign in). We do not deploy advertising, tracking, or fingerprinting cookies. Server-side analytics are aggregated and do not identify individuals.
2. Why we process it (legal bases)
- Performance of contract (GDPR Art. 6(1)(b) / KVKK Md. 5/2-c): providing the Service, authenticating requests, billing, and support.
- Legitimate interest (GDPR Art. 6(1)(f) / KVKK Md. 5/2-f): abuse prevention, fraud detection, service security, aggregated analytics.
- Legal obligation (GDPR Art. 6(1)(c) / KVKK Md. 5/2-ç): tax, accounting, and lawful government requests.
3. Who we share it with
We disclose personal data only to:
- Paddle.com Inc. — Merchant of Record for payment processing, invoicing, and tax handling. Paddle acts as an independent controller for the payment relationship; see Paddle Privacy Notice.
- Hosting provider — Hostkey B.V. (data centers in the EU) processes traffic on our behalf as a processor.
- Residential-proxy operator — an EU-based proxy provider used to route requests to third-party platforms; only per-request IP allocation is exchanged, no account data.
- Authorities — where compelled by a valid legal order.
We do not sell personal data. We do not share it for advertising.
4. International transfers
Where personal data is transferred outside Türkiye or the EEA (for example to Paddle's US entity), the transfer relies on the Standard Contractual Clauses and, where relevant, Paddle's Data Processing Addendum. A copy of the safeguards is available on request.
5. Retention
- Account data: retained for the life of the account and 12 months thereafter.
- Request logs: 90 days for operational purposes; source IPs truncated within 30 days.
- Invoices: 10 years, as required by Turkish tax law (Vergi Usul Kanunu).
6. Your rights
Under the GDPR (if you are in the EU/EEA/UK) and KVKK (if you are in Türkiye), you may:
- Access, correct, or request deletion of your personal data.
- Object to processing or request restriction.
- Ask for a portable export of your data.
- Withdraw consent, where consent is the legal basis (e.g. optional communications).
- Lodge a complaint with your local data-protection authority (in Türkiye: KVKK Kurumu; in the EU: your national DPA).
To exercise any of these rights, email info@allapi.io. We will respond within 30 days.
For payment-related data held by Paddle, contact help@paddle.com.
7. Security
Traffic to the site and the API is served over HTTPS. Passwords are stored as salted hashes; API keys are stored as hashes. Access to production systems is restricted to authorized staff. We monitor for suspicious activity and disclose material security incidents to affected users without undue delay, as required by law.
8. Children
The Service is intended for professional and organizational use. It is not directed at children under 16, and we do not knowingly collect personal data from them.
9. Changes to this Policy
Material changes will be announced by email to your account contact at least 14 days before they take effect. Continued use of the Service after that date constitutes acceptance of the revised Policy.
10. Contact
Data-protection matters: info@allapi.io.
Paddle payment data: help@paddle.com or paddle.net.