Privacy Policy

Last updated: March 18, 2026

At XRates API, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. This policy is compliant with the General Data Protection Regulation (GDPR) and other applicable privacy regulations.

1. Data We Collect

We collect the following types of information:

Personal Information

  • Account Information: When you register, we collect your name and email address
  • Payment Information: When you subscribe to a paid plan, payment data is processed by our payment provider (Paddle), and we do not store your full credit card details
  • Contact Information: When you contact us through our contact form, we collect your name, email, and message content

Automatically Collected Data

  • API Usage Data: We log API requests including timestamps, endpoints accessed, IP addresses, and response codes for service monitoring and rate limiting
  • Device and Browser Information: We may collect information about the device and browser you use to access our website, including browser type, operating system, and screen resolution
  • Cookies: We use cookies and similar tracking technologies as described in our Cookie Policy

2. How We Use Your Data

We use the collected information for the following purposes:

  • Service Delivery: To provide, maintain, and improve the XRates API service
  • Account Management: To manage your account, process payments, and handle subscriptions
  • Communication: To respond to your inquiries, send service-related notifications, and provide customer support
  • Security: To detect, prevent, and address fraud, abuse, and security issues
  • Analytics: To understand how our Service is used and to improve user experience
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes

We process your data based on the following legal bases under GDPR: contract performance (providing the Service), legitimate interest (improving and securing the Service), consent (marketing communications), and legal obligation.

3. Data Sharing

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

  • Payment Processing: We share necessary payment information with Paddle, our payment processor, to facilitate transactions
  • Analytics Providers: We may share anonymized usage data with analytics providers (such as Google Analytics) to help us understand service usage patterns
  • Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request
  • Business Transfers: In the event of a merger, acquisition, or asset sale, your personal information may be transferred as part of the business assets

4. Cookies

We use cookies and similar tracking technologies to enhance your experience on our website. Cookies are small data files stored on your device that help us remember your preferences and understand how you interact with our Service.

For detailed information about the cookies we use and how to manage them, please refer to our Cookie Policy.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specifically:

  • Account Data: Retained for the duration of your account and for 30 days after a deletion request
  • API Usage Logs: Retained for up to 90 days for service monitoring and debugging purposes
  • Payment Records: Retained for up to 7 years as required by accounting and tax regulations
  • Contact Form Submissions: Retained for up to 12 months after the inquiry is resolved

After the retention period, data is securely deleted or anonymized. We may retain anonymized, aggregated data indefinitely for statistical and analytical purposes.

6. Your Rights

Under the GDPR and applicable privacy laws, you have the following rights regarding your personal data:

  • Right of Access: You have the right to request a copy of the personal data we hold about you
  • Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data
  • Right to Erasure: You have the right to request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing: You have the right to request that we limit the processing of your personal data
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format
  • Right to Object: You have the right to object to processing of your personal data based on legitimate interests
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time

To exercise any of these rights, please contact us using the information provided below. We will respond to your request within 30 days as required by GDPR.

7. Data Security

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS/SSL
  • Secure storage of API keys using hashing algorithms
  • Regular security audits and vulnerability assessments
  • Access controls limiting employee access to personal data

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

8. Contact Information

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your personal data, please contact us through the contact form on our website.

If you are not satisfied with our response, you have the right to lodge a complaint with a data protection supervisory authority in your country of residence.