Privacy Policy

Stratum APIs is the data controller for personal data collected through stratumapis.com, the dashboard, and the public APIs. You can reach our data protection contact at dpo@stratumapis.com.

We do not collect special-category data (health, race, religion, biometric). We do not run third-party advertising trackers. We do not sell personal data.

When you query our APIs, the responses contain data sourced from public registers (FCA, SRA, Companies House, healthcare councils, and similar bodies). Where those responses contain personal data of regulated individuals, you are the controller for your use of that data within your own product or workflow. Our role for that data is processor where we cache responses for performance, and controller for the operational metadata (timestamps, your usage counts, your audit log).

We use the following sub-processors. All operate to UK GDPR and EU GDPR standards.

• Amazon Web Services (Ireland or London region) for hosting, storage, and email notifications.
• Stripe Payments UK Ltd for payment processing.
• Clerk Inc. for authentication and user management.
• Cloudflare Inc. for content delivery and DNS.

Operational data (your account, usage counts, audit log, snapshots, feedback) is hosted in AWS eu-west-2 (London). Some sub-processors (Stripe, Clerk, Cloudflare) may process data outside the UK; we rely on UK International Data Transfer Agreements and the EU Standard Contractual Clauses with US extensions where applicable.

• Account and billing records: kept for the life of your account, plus 6 years for tax purposes.
• API key hashes: kept until you revoke the key.
• Usage counts: kept for 24 months for billing reconciliation.
• Audit log entries: 365 days (Growth and Pro tiers).
• Daily snapshots used by the change feed: 90 days.
• Operational logs in CloudWatch: 30 days.
• Generated PDF certificates: 365 days, then auto-deleted from storage.
• Feedback messages: 365 days, then auto-deleted.

Under UK GDPR you have the rights of access, rectification, erasure, restriction, portability, and objection in respect of personal data we hold about you. To exercise any of these, email dpo@stratumapis.com. We aim to respond within 30 days. You also have the right to complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint.

We use the minimum cookies required for the site and dashboard to function (session cookie issued by Clerk; cart/state cookies during Stripe checkout). We do not run advertising or analytics cookies. If we add an analytics provider in future, it will be a privacy-preserving one and we will update this policy with at least 30 days' notice.

We follow industry-standard practices: data in transit is encrypted with TLS, data at rest in AWS is encrypted with AWS-managed keys, secrets are stored in AWS Systems Manager Parameter Store, and access to production AWS resources is restricted to authorised personnel with multi-factor authentication. We never transmit or store API keys in plaintext after issuance; only the SHA-256 hash is retained.

The service is not directed at children under 16. We do not knowingly collect data from anyone under that age.

We may update this policy from time to time. Material changes will be notified by email to the address on your account at least 30 days before they take effect. The current version is always available at this URL.