Privacy Policy

1. Introduction

Van Moose BV (“we,” “our,” or “us”) operates the Van Moose API platform at vanmoose.cc (“Services”). This Privacy Policy describes what data we collect, what we do not collect, and how we protect your information.

We are registered in the Netherlands (KvK: 97411698) and comply with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

2. Stateless API Processing

Van Moose operates as a stateless API processor. When you send data to our APIs (email addresses, phone numbers, IP addresses, URLs, text, or other inputs), that data is:

• Processed in memory to generate a response
• Returned to you immediately
• Discarded after the response is sent

API request payloads are not persisted, not logged, not stored in any database, and not written to disk.

We do not use API request data for profiling, analytics, model training, or any purpose beyond generating the immediate response.

3. Data We Store

3.1 Account Data

When you create an account, we store:

• Email address and name (via Clerk authentication)
• Subscription tier and billing status (via Stripe)
• API key identifiers (SHA-256 hashed; we do not store raw API keys)

Payment details (credit card numbers, bank accounts) are processed by Stripe. We do not store payment credentials.

3.2 Usage Data

We store aggregated usage counts for billing and quota enforcement:

• API endpoint called (slug only, e.g. “emailverify”)
• Monthly request count per API per key
• Subscription tier at time of request

We do not store which specific inputs were sent, what responses were returned, or any request payload content.

3.3 Security Logs

For account-level security events (API key creation, subscription changes, dashboard logins), we log the IP address and action taken. These are account management events, not API request logs.

3.4 Rate Limiting

Rate limit counters are stored in Redis with automatic expiry (120 seconds). Keys are based on API key identifiers (UUIDs), not IP addresses. No personal data is stored in the rate limiting system.

4. Data We Do NOT Store

To be explicit, we do not store:

• Email addresses submitted to validation endpoints
• Phone numbers processed through validation endpoints
• IP addresses from API calls (only from account security events)
• Passwords or password hashes submitted to breach check endpoints
• Physical addresses sent to address verification
• Domain names or URLs submitted for lookup
• Uploaded images or documents
• Text content submitted for processing
• API request bodies or query parameters
• API response bodies
• User agent strings from API calls

5. How We Use Your Information

We use stored data to:

• Provide the Services: Authenticate requests, enforce quotas, and deliver API responses
• Billing: Calculate usage for subscription and overage billing
• Security: Detect abuse and protect against unauthorized access
• Legal Compliance: Comply with applicable laws and regulations

6. Legal Basis for Processing (GDPR)

We process your data based on the following legal grounds:

• Contract Performance: To provide the API services you have subscribed to
• Legitimate Interest: To ensure security and prevent abuse
• Legal Obligation: To comply with applicable laws and regulations

7. Subprocessors

We do not sell your personal information. We share data with the following service providers:

• Clerk: Authentication and identity management (US)
• Stripe: Payment processing and subscription billing (US)
• Vercel: Application hosting and serverless infrastructure (US/EU)
• Supabase: Database hosting (EU — eu-west-1)
• Upstash: Redis rate limiting (EU — eu-west-1)
• Have I Been Pwned: Breach check API via k-anonymity protocol (no personal data transmitted)

We may disclose information if required by law, court order, or to protect our rights and safety.

8. Data Security

We implement appropriate technical and organizational measures to protect your information:

• Encryption in Transit: All API traffic is encrypted via HTTPS/TLS
• Key Security: API keys are stored as SHA-256 hashes, not in plaintext
• Access Controls: Database and infrastructure access is restricted to authorized personnel
• Stateless Design: Request payloads are never persisted, minimizing data breach surface

9. Data Retention

We retain data for as long as necessary to provide the Services and comply with legal obligations:

• API Request Data: Not retained. Processed in memory and discarded immediately.
• Usage Counts: Retained for billing and analytics purposes while your account is active.
• Security Logs: Account security events retained for 90 days.
• Account Data: Retained while your account is active. Deleted upon account deletion request.
• Rate Limit Data: Automatically expires after 120 seconds.

10. Your Rights (GDPR)

Under GDPR, you have the following rights:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your personal data
• Restriction: Limit how we process your data
• Portability: Receive your data in a machine-readable format
• Objection: Object to processing based on legitimate interests

Because our APIs process data statelessly, there is no stored API request data to access, export, or delete. Your rights apply to account data (email, name, usage counts) which we can provide or delete upon request.

To exercise these rights, contact us at info@vanmoose.cc.

11. International Data Transfers

Our primary database (Supabase) and rate limiting infrastructure (Upstash) are hosted in the EU (eu-west-1). Some subprocessors (Clerk, Stripe, Vercel) may process data in the United States. We ensure adequate protection through:

• EU-US Data Privacy Framework certification of our US subprocessors
• Standard Contractual Clauses where applicable
• Appropriate safeguards as required by GDPR

12. Cookies

The vanmoose.cc website uses minimal cookies for essential functionality (authentication session). We do not use tracking cookies for advertising purposes. API endpoints do not set cookies.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Continued use of the Services after changes take effect constitutes acceptance of the updated policy.

14. Supervisory Authority

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe we have not handled your personal data in accordance with applicable law.