Last updated: 2025-12-04
This Privacy Policy explains how LineupAPI (“we”, “us”) processes personal data when you use our website, dashboard, and API (together, the “Service”). It is intended to satisfy the transparency requirements of the EU GDPR and (where applicable) the UK GDPR.
1) Controller (Data Controller)
Tim Novak
c/o Online-Impressum.de #6120
Europaring 90
53757 Sankt Augustin
Privacy contact (data protection requests): support@lineupapi.com
Legal notice contact (Impressum): impressum@lineupapi.com
Phone: +49 163 0368338
2) What we collect
A) Website access (server logs)
When you visit our website, our infrastructure may process:
- IP address
- date/time of access
- requested URL/page
- referrer URL (if provided)
- browser/device information (user agent)
- status codes and error logs
B) Dashboard login and session cookies
When you log in to the dashboard, we use technically necessary cookies (or similar storage) to maintain your session and keep you signed in. These typically contain a session identifier/token (not your password).
Under German and EU cookie rules, consent is generally not required for storage/access that is strictly necessary to provide a service you explicitly request (such as staying logged in).
C) API usage data
When you call the API, we may process:
- your API key (authentication credential)
- request metadata (timestamp, endpoint, response status)
- usage/accounting data (credits used, remaining credits, rate-limit events)
- security/abuse signals (unusual traffic patterns, suspected misuse)
D) Billing and subscription status (Stripe)
If you purchase a plan, payments and subscription billing are handled by Stripe. We store and/or receive and process:
- your Stripe customer email address
- your Stripe customer ID
- your Stripe customer name
- your Stripe customer country
- Stripe subscription identifiers (e.g., subscription ID)
- billing state (active/canceled, plan tier, renewal date)
- payment status and invoice references (we do not store full card numbers)
Stripe’s own privacy and data-processing terms apply to their processing.
E) Cloudflare Web Analytics (privacy-first analytics)
We use Cloudflare Web Analytics to understand aggregated usage and performance of our website. Cloudflare states its Web Analytics does not use cookies or localStorage for analytics and is designed to avoid identifying individuals for analytics reporting.
Cloudflare’s documentation also states that the analytics beacon can be loaded from static.cloudflareinsights.com/beacon.min.js.
Note: Independently of analytics, using a website and API necessarily involves network and security processing (e.g., IP address and request metadata) to deliver the Service, prevent abuse, and ensure reliability.
3) Why we process data (purposes)
We process personal data to:
- provide and operate the Service (website, dashboard, API)
- authenticate logins and API requests
- show your active plan/subscription and usage (credits)
- prevent fraud, abuse, and security incidents
- debug errors, maintain reliability, and improve performance
- provide customer support
- meet legal obligations (e.g., accounting/tax)
4) Legal bases (GDPR)
Depending on the context, we rely on:
- Contract (Art. 6(1)(b) GDPR): providing the dashboard/API you signed up for; subscription status; credits usage.
- Legitimate interests (Art. 6(1)(f) GDPR): security, abuse prevention, service stability, and operational logging/measurement (including aggregated website analytics).
- Legal obligation (Art. 6(1)(c) GDPR): accounting/tax recordkeeping where applicable.
For technically necessary cookies that keep you logged in, consent is generally not required where strictly necessary to provide the requested service.
5) Cookies and similar technologies
We use:
- Session/security cookies (necessary): to operate login sessions and protect accounts.
- Analytics beacon (Cloudflare Web Analytics): for aggregated analytics and performance measurement. Cloudflare states this analytics product does not use cookies or localStorage for analytics reporting (see Section 2E).
You can control cookies in your browser settings. Blocking necessary cookies may prevent dashboard login.
6) Sharing and processors (service providers)
We do not sell personal data.
We may share data with trusted service providers that help run the Service, including:
- Cloudflare (hosting/CDN/security/analytics infrastructure)
- Stripe (payment processing and subscription billing)
Where required, these providers process data under data-processing terms and/or data processing agreements.
Advertising platforms: We may advertise our Service on third-party platforms (for example Reddit). This does not automatically mean those platforms receive data from your visit to our website. We only share website visitor data with advertising platforms if we explicitly integrate their tracking technologies (such as pixels/tags), in which case this Privacy Policy will be updated and (where required) appropriate consent mechanisms will be provided.
7) International transfers
Some providers may process data outside the EU/EEA and/or the UK. Where required, transfers are protected using recognized safeguards such as EU Standard Contractual Clauses (SCCs) and/or other legally permitted transfer mechanisms (depending on the provider and the processing context).
8) Retention (how long we keep data)
We retain data only as long as needed:
- Website/server logs: typically 7–30 days, unless needed longer for security investigations.
- API request/usage logs: typically 7–90 days for reliability, abuse prevention, and billing reconciliation.
- Subscription/billing records: retained as required by applicable law and for legitimate accounting needs.
- Support communications: retained as needed to resolve your issue and for a reasonable period afterwards.
- Stripe account and billing identifiers: retained while your account exists and for a reasonable period after closure, unless longer retention is required by applicable law.
We may delete or anonymize data once the applicable retention period has ended.
9) Your rights (GDPR / UK GDPR)
If GDPR or UK GDPR applies, you can request:
- access to your personal data
- correction of inaccurate data
- deletion (where applicable)
- restriction of processing
- data portability (where applicable)
- objection to processing based on legitimate interests
To exercise these rights, contact support@lineupapi.com.
You also have the right to lodge a complaint with a supervisory authority.
- EU (example for Bavaria, Germany): Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).
- UK: Information Commissioner’s Office (ICO).
10) Security
We use reasonable technical and organizational measures to protect personal data. No method of transmission or storage is completely secure.
11) Children
The Service is not directed to children, and we do not knowingly collect personal data from children.
12) Changes
We may update this Privacy Policy from time to time. The latest version will be posted here with an updated “Last updated” date.
