Privacy Policy

Last updated: February 24, 2026

1. Introduction

ToolCenter ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our API service and website. This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

ToolCenter is the data controller for the personal data processed through our service. For any privacy-related inquiries, you can contact us at [email protected].

3. Data We Collect

We collect the following categories of personal data:

3.1 Account Information

  • Email address — required for account creation and communication.
  • Name — provided during registration.
  • Password — stored securely using bcrypt hashing (we never store plaintext passwords).

3.2 API Usage Data

  • API call counts — tracked for rate limiting and billing purposes.
  • Request metadata — URLs requested, parameters used (excluding content), timestamps.
  • IP addresses — logged for rate limiting, security, and abuse prevention.

3.3 Technical Data

  • Browser type and version (when visiting the website).
  • Operating system.
  • Referral source.

4. Data We Do NOT Collect

We want to be transparent about what we do not collect or store:

  • Screenshot/PDF content — generated files are temporarily cached based on your plan's cache duration and then permanently deleted. We do not inspect, analyse, or retain the content of your generated files.
  • Payment card details — all payment processing is handled securely by Stripe. We never see or store your full card number, CVV, or billing details.
  • Tracking profiles — we do not build advertising profiles or sell your data to third parties.

5. How We Use Your Data

We use your personal data for the following purposes:

  • To provide and maintain the Service.
  • To authenticate your API requests.
  • To track and enforce usage limits.
  • To send transactional emails (welcome emails, usage alerts, service updates).
  • To prevent fraud, abuse, and security threats.
  • To improve the Service through aggregated, anonymised analytics.

Legal basis (GDPR): We process your data based on (a) contractual necessity (to provide the Service), (b) legitimate interest (security, fraud prevention), and (c) your consent (where applicable).

6. Cookies

We use session cookies only to maintain your login state. These are essential cookies required for the Service to function. We do not use tracking cookies, advertising cookies, or third-party cookies for profiling.

If you enable Google Analytics (optional, not active by default), it may set analytical cookies. You can opt out by using a browser extension or disabling JavaScript for analytics scripts.

7. Data Retention

Data Type | Retention Period
Account data (email, name) | Until you delete your account
API usage logs | 90 days
Screenshots/PDFs (cached) | Per plan (1h–72h), then deleted
Server access logs | 90 days
Payment records | As required by law (via Stripe)

8. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access — request a copy of the personal data we hold about you.
  • Right to Rectification — request correction of inaccurate personal data.
  • Right to Erasure — request deletion of your personal data ("right to be forgotten").
  • Right to Data Portability — request your data in a machine-readable format.
  • Right to Restrict Processing — request limitation of how we process your data.
  • Right to Object — object to processing based on legitimate interest.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • HTTPS encryption for all data in transit.
  • Bcrypt password hashing.
  • API key authentication with secure random generation.
  • Server-side access controls and firewalls.
  • Regular security updates and monitoring.

10. Third-Party Services

We use the following third-party services that may process your data:

11. International Data Transfers

Our servers are located in the European Union (Germany). We do not transfer your personal data outside the EU/EEA unless required by a third-party processor with adequate safeguards (e.g., Standard Contractual Clauses).

12. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of significant changes via email. The "last updated" date at the top of this page indicates when the policy was last revised.

14. Contact

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Email: [email protected]