ig iGregulator
~/privacy

Privacy Policy

Last updated: 2026-04-28

This policy describes how iGregulator (the "Service") collects, uses, and protects personal data. We follow the EU General Data Protection Regulation (GDPR) and Spanish data-protection law (LOPDGDD).

1. Who we are

iGregulator is operated by Anatolii Ohorodnyk, registered as autónomo (self-employed) in Spain. For data-protection purposes, you can reach us at [email protected].

2. What data we collect

We collect the minimum necessary to operate the Service:

  • Account data — email, hashed password, timestamps of account creation and last login.
  • Billing data — when subscriptions activate, payment metadata is held by Stripe; we receive a customer ID and subscription state. We do not see card numbers.
  • API usage logs — endpoint name, timestamp, hashed IP, response status, response time, plan tier, request source (HTTP vs. MCP gateway). The IP is hashed with a per-deployment salt so logs are not directly attributable.
  • Webhook + watchlist configuration — endpoint URLs you submit, signing secrets, watchlist operator slugs.
  • Webhook delivery records — request body, response code, timestamp, retry state. Retained 30 days for replay support.
  • Cookies + analytics — see §6.

3. How we use it

  • Service delivery — authenticating API calls, enforcing rate limits, billing, sending operational email.
  • Security — detecting abuse, investigating compromise, blocking malicious traffic.
  • Analytics — aggregate usage statistics for product decisions; we do not sell or share usage data with third parties for marketing.
  • Compliance — meeting our own legal obligations (tax records, anti-fraud).

4. Legal bases (GDPR Art. 6)

  • Contract — to provide the Service you've subscribed to (account, API access, billing).
  • Legitimate interests — abuse detection, security, basic product analytics.
  • Legal obligation — financial record-keeping under Spanish law.
  • Consent — non-essential cookies, marketing communications (where applicable).

5. Third parties / sub-processors

We share personal data only with the following sub-processors, each under a Data Processing Addendum:

  • Cloudflare, Inc. — DDoS protection, CDN, DNS for igregulator.io and subdomains.
  • Stripe, Inc. — payment processing (when subscriptions activate). Stripe is the data controller for card data; we receive a customer ID only.
  • Resend (Resend.com) — transactional email (account verification, password reset).
  • Google LLC (Google Analytics 4) — anonymous traffic analytics, Consent Mode v2 enabled. Only fires after explicit opt-in via the consent banner.
  • GitHub Container Registry (Microsoft) — software image hosting; no customer data.

6. Cookies

We use a minimum of strictly necessary cookies (auth session, CSRF tokens). Optional analytics cookies (Google Analytics) fire only after opt-in via the consent banner. You can revoke consent at any time by clearing site data or using the cookie banner re-prompt.

7. International transfers

Some sub-processors (Cloudflare, Stripe, Google) are based in the United States. Transfers occur under Standard Contractual Clauses (SCCs) or equivalent EU-approved mechanisms. iGregulator's primary infrastructure is hosted in the EU.

8. Retention

  • Account data — kept while your account is active. After cancellation, retained up to 7 years for tax / accounting compliance under Spanish law (LGT art. 66, Codigo de Comercio art. 30).
  • API request logs — 12 months, then aggregated into monthly counters (no per-request rows kept).
  • Webhook delivery records — 30 days.
  • Webhook events (replay queue) — 30 days.
  • Backups — encrypted snapshots retained up to 90 days for disaster recovery.

9. Your rights (GDPR Art. 15-22)

As a data subject you have the right to:

  • Access a copy of your personal data;
  • Rectify inaccurate data;
  • Erase your account and associated data, subject to retention obligations above;
  • Port your data in a machine-readable format;
  • Restrict or object to processing based on legitimate interests;
  • Withdraw consent for any processing based on consent;
  • Lodge a complaint with the Spanish Data Protection Agency (AEPD, aepd.es) or your local supervisory authority.

To exercise any of these rights, email [email protected]. We respond within 30 days.

10. Children

The Service is not directed at and not intended for individuals under 18. We do not knowingly collect personal data from children. If we become aware we have collected data from a minor, we delete it promptly.

11. Security

Personal data is encrypted in transit (TLS 1.3) and at rest. Account passwords are hashed with bcrypt; API keys are hashed with SHA-256. We follow the principle of least privilege internally; only the founder has production data access today. Security incidents affecting personal data are reported to the AEPD within 72 hours where required by GDPR Art. 33.

12. Changes to this policy

Material changes are announced via the changelog and to active subscribers by email at least 30 days before taking effect.