Privacy Policy
Last updated: 2026-05-10 · Version v1.0.0
This Privacy Policy describes how the IP Geo API service available at iploc.eu (the "Service") processes personal data. It is intended to comply with Regulation (EU) 2016/679 (GDPR) and the Dutch Implementation Act (UAVG). The Service is offered by the Controller (defined below).
1. What data we process
To deliver an IP-geolocation and threat-detection API, we process the minimum data strictly necessary:
- Service-request data — the IP address that the Customer's application submits as a parameter to the API; the requesting Customer's IP address (used for authentication and abuse prevention); HTTP User-Agent; timestamp (UTC, millisecond precision); the requested URL path; the HTTP response code.
- Account data — for paid plans only: email address, organisation name, billing address, VAT number (if applicable), and the API keys issued to the account. No password is stored in clear text; we use industry-standard salted hashing.
- Billing data — invoice records and a tokenised reference returned by the payment processor. We do not store full credit-card numbers or SEPA mandates ourselves; that data resides with Mollie B.V. and Stripe Payments Europe Ltd. (see clause 5).
- Support correspondence — emails sent to support@iploc.eu or privacy@iploc.eu and their replies, retained for the duration described in clause 4.
2. Purposes of processing
We process the above data for the following purposes:
- Service delivery — returning a geolocation and threat-classification response to the Customer's application.
- Security and abuse prevention — rate-limiting, blocking malicious traffic, detecting credential stuffing and key sharing, investigating incidents.
- Billing and accounting — issuing invoices, collecting payment, recording VAT, complying with statutory record-keeping duties.
- Customer support — responding to inquiries, debugging issues, and providing the data-subject rights set out in clause 8.
- Compliance with legal obligations — responding to lawful requests by competent authorities and fulfilling tax, accounting, and consumer-protection duties.
3. Legal bases (GDPR Article 6)
- Performance of a contract (Art. 6(1)(b)) — processing the Customer's account data, request data and billing data is necessary to deliver the Service the Customer has subscribed to.
- Legitimate interest (Art. 6(1)(f)) — logging request-context metadata for security, abuse-prevention and capacity-planning, balanced against End User privacy. A weighing test is documented and is available on request via privacy@iploc.eu.
- Legal obligation (Art. 6(1)(c)) — retaining invoices and tax records for the statutory period under Dutch tax law; responding to lawful authority requests.
- Consent (Art. 6(1)(a)) — not relied upon as a primary basis, since the Service uses no analytics cookies, no tracking, and no marketing email beyond service-related communications.
4. Retention periods
- Request logs (the IP submitted in the API call, the Customer's IP, User-Agent, path, timestamp): thirty (30) days, after which they are deleted from primary storage and aggregated into anonymised metrics for capacity planning.
- Account data (email, organisation, API keys): retained for the lifetime of the account and for up to ninety (90) days after account termination, then permanently deleted.
- Billing records (invoices, tax data): seven (7) years, as required by Article 52 of the Dutch General State Taxes Act (Algemene wet inzake rijksbelastingen).
- Support correspondence: two (2) years from the last message in the thread.
5. Disclosure to third parties (sub-processors)
We use a small number of sub-processors, each bound by a Data Processing Agreement (DPA) compliant with GDPR Article 28:
- Vercel Inc. (United States) — hosting of the static website and API edge. EU → US transfers are covered by the EU Standard Contractual Clauses (SCC, 2021/914) and Vercel's DPA. Production data resides primarily in EU regions where supported by the deployment target.
- Cloudflare, Inc. (United States) — CDN, TLS termination, DDoS protection and Web Application Firewall (WAF). Covered by SCC + Cloudflare's DPA. The strictly-necessary edge cookie __cf_bm (bot-management) may be set on EU edge IPs under ePrivacy Article 5(3) second sentence.
- MaxMind, Inc. (United States) — licensor of certain underlying geolocation and threat-detection databases. MaxMind acts as a data licensor, not a processor of identifiable End User data; the Customer's request payload is not sent to MaxMind.
- Mollie B.V. (Netherlands) — payment processing for European payment methods (iDEAL, SEPA Direct Debit, Bancontact, credit cards) on Paid Plans. Acts as an independent controller for the payment transaction under PSD2.
- Stripe Payments Europe Ltd. (Ireland) — alternative payment processor for non-Euro and international card payments on Paid Plans. Independent controller for the payment transaction.
Other than the above, we do not sell, rent, or otherwise share personal data with third parties. We will disclose data when compelled by a legally binding order from a competent authority, and we will challenge requests that appear overly broad or unlawful.
6. International transfers
We prefer EU-only data storage and processing wherever the Service architecture supports it. Where transfers outside the European Economic Area are unavoidable (notably to Vercel and Cloudflare US entities), the transfers are governed by the EU Standard Contractual Clauses (SCC, Commission Implementing Decision (EU) 2021/914) supplemented by appropriate technical measures (TLS-in-transit, encryption-at-rest, access-control logging). A Transfer Impact Assessment (TIA) is available on request via privacy@iploc.eu.
7. Security
We implement appropriate technical and organisational measures, including: TLS 1.3 for all transport; encryption-at-rest for primary databases and backups; least-privilege access control with audit logging; mandatory two-factor authentication on production systems; isolated production secrets (no plaintext credentials in code or logs); regular dependency vulnerability scanning; and an incident-response process aligned with the GDPR 72-hour notification window. Our infrastructure choices target ISO 27001-equivalent controls, although a full ISO 27001 certification is on the roadmap rather than current state. Personal-data breaches will be notified to the Autoriteit Persoonsgegevens within 72 hours where required, and to affected Customers without undue delay.
8. Data-subject rights
Any individual whose personal data we process has the following rights under the GDPR: access (Art. 15), rectification (Art. 16), erasure / "right to be forgotten" (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). Where processing is based on consent, that consent can be withdrawn at any time. You also have the right to lodge a complaint with a supervisory authority — in the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). Requests to exercise these rights can be sent to privacy@iploc.eu and will be answered within thirty (30) days. We may verify the requester's identity proportionate to the sensitivity of the data involved.
9. Cookies and tracking
iploc.eu uses no analytics cookies, no advertising cookies, no localStorage or sessionStorage tracking, and no cross-site identifiers. The only client-side state stored in the browser is the strictly-necessary edge-CDN cookie __cf_bm set by Cloudflare for bot-management, which is exempt from consent under ePrivacy Directive Article 5(3) second sentence (Recital 66 of Directive 2009/136/EC). Because no non-essential cookies are set, no cookie-consent banner is presented. If we ever add analytics, the policy and the banner will be updated together and you will be notified through clause 10.
10. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in the Service, in our sub-processor list, or in applicable law. Material changes will be announced at least thirty (30) days in advance through a banner on iploc.eu and through email notification to active Customer accounts. The current version and effective date are shown at the top of this page; previous versions are retained internally and made available on request.
11. Controller and contact
The Controller of personal data processed through the Service is the provider of the Service, established in the Netherlands. Until the corporate entity is fully registered, contact for all privacy-related matters is:
- General privacy / data-subject-rights inbox: privacy@iploc.eu
- Service support: support@iploc.eu
- Postal correspondence: by appointment via the privacy inbox above.
A Data Protection Officer (DPO) is not statutorily required for the current scale of processing under GDPR Article 37; the privacy@iploc.eu address is monitored by the team member with the privacy responsibility on a permanent basis. Should the threshold be reached, a DPO will be appointed and this section updated.
12. Version history
This is version v1.0.0, dated 2026-05-10. The Dutch translation is published at /privacybeleid/. Where the English and Dutch versions diverge, the Dutch version prevails for Customers and Data Subjects based in the Netherlands; the English version prevails elsewhere.