Privacy Policy

EuroAPI | Effective date: 2026-05-19 | Last updated: 2026-05-19

This Privacy Policy explains how EuroAPI ("we", "us", "our") collects, uses, stores, and protects personal data when you ("you", "Customer", "User") use our API services available at https://api.euroapi.app (the "Service"). We are committed to processing personal data lawfully, fairly, and transparently in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).

1. Controller

The data controller for the personal data processed in connection with the Service is:

Name: Glen Vandenbranden
Country: Belgium
Contact: vandenbrandenglen@gmail.com
For privacy questions: vandenbrandenglen@gmail.com

If we are required by law to appoint a Data Protection Officer (DPO), we will publish their contact details here.

2. Scope

This Privacy Policy applies to:

Visitors to https://euroapi.app (marketing website)
Customers using the API at https://api.euroapi.app directly or via third-party marketplaces such as RapidAPI
Audio content and metadata processed through the Service

When you access EuroAPI through RapidAPI, RapidAPI is a separate controller for your account, payment, and platform-level data. Their privacy policy applies to that processing. Please read https://rapidapi.com/privacy separately.

3. Personal data we collect and why

3.1 Audio content

What: Audio files you upload to be transcribed, translated, or analyzed. Audio may contain personal data (voice = biometric data; spoken content = potential personal data of speakers).
Why: To perform the service you requested (Article 6(1)(b) GDPR — contract performance).
Storage location: Hetzner Online GmbH, Falkenstein, Germany (EU).
Retention: Automatically deleted 24 hours after upload. Transcribed text results: deleted with the audio at the same time. No long-term storage.
Transfers outside EU: None.

3.2 API metadata

What: API key (hashed), timestamps, audio duration, request size, response size, HTTP status, processing time, IP address (logged for abuse prevention).
Why: To operate the Service, enforce quotas, prevent abuse, and bill correctly (Article 6(1)(b) GDPR — contract; Article 6(1)(f) — legitimate interest in security).
Retention: 30 days for IP-level logs; 12 months for aggregated billing/usage data; longer if required for tax law.

3.3 Account and contact data

What: Email address, contact name, billing information (if direct billing).
Why: To create your account, send service notifications, and bill you (Article 6(1)(b) GDPR).
Retention: As long as you have an account, plus 12 months after closure, plus 7 years for invoice records (Belgian tax law).

If you sign up through RapidAPI, RapidAPI holds your account/billing data — we receive only an opaque API key.

3.4 Marketing data

What: Email address if you sign up for product updates.
Why: With your consent (Article 6(1)(a) GDPR).
Retention: Until you unsubscribe. Every email contains an unsubscribe link.

3.5 Special categories of data

We do not intentionally collect special categories of data (health, religion, biometric data used for identification, etc.). However, the audio content you submit MAY contain such data. You are solely responsible for ensuring you have a lawful basis to process such content. See Section 8 (Your responsibilities).

4. How we use personal data

We use personal data only for the purposes described in Section 3. Specifically:

Service provision: running Whisper transcription, language detection, and translation on your audio.
Account management: authentication, quota enforcement, support.
Billing: through RapidAPI or direct via Stripe.
Security: detecting abuse, fraud, and DDoS.
Legal compliance: responding to lawful requests, tax obligations.
Service improvement: aggregated, anonymized usage analytics. We do not train any AI model on your audio or transcript content.

5. Sharing personal data

We share personal data only with:

Recipient	Purpose	Location	Safeguard
Hetzner Online GmbH	Hosting (server infrastructure)	Germany (EU)	DPA, EU-based
Cloudflare, Inc.	DNS, TLS, DDoS mitigation	EU edge nodes used; metadata only	DPA, Standard Contractual Clauses where applicable
RapidAPI (Nordic APIs Inc.)	Payment + marketplace (only if you signed up via them)	EU/US	Their separate DPA + SCCs
Stripe Payments Europe Ltd.	Payment processing (only for direct billing)	EU (Ireland)	DPA, EU-based
Government authorities	Only when legally compelled	Belgium / EU	Strict legal validity check

We do not sell personal data. We do not share data with advertisers.

6. International transfers

Audio content and processing data remain entirely within the European Union. Server: Germany. DNS: EU edges. No US-based processor handles audio content.

The only personal data that may transit outside the EU is anonymous traffic-routing metadata at Cloudflare edge servers and (where applicable) account-level data managed by RapidAPI on US-based systems. These transfers rely on EU Standard Contractual Clauses (SCCs) under Commission Decision (EU) 2021/914.

7. Your rights under GDPR

You have the following rights regarding your personal data:

Access (Article 15): receive a copy of the personal data we hold about you.
Rectification (Article 16): correct inaccurate or incomplete data.
Erasure (Article 17): "right to be forgotten" — delete your data, subject to legal retention rules.
Restriction (Article 18): limit how we process your data.
Portability (Article 20): receive your data in a machine-readable format.
Objection (Article 21): object to processing based on legitimate interest.
Withdraw consent (Article 7): where processing is based on consent, withdraw it at any time (does not affect prior lawful processing).
Lodge a complaint: with the Belgian Gegevensbeschermingsautoriteit (https://www.gegevensbeschermingsautoriteit.be) or any EU supervisory authority.

To exercise any right, email vandenbrandenglen@gmail.com. We respond within 30 days. We may ask for proof of identity to prevent fraud.

8. Your responsibilities

When you submit audio or any personal data through the Service:

You confirm you have a lawful basis (consent, contract, etc.) to process all personal data contained in that audio.
You confirm you have informed any data subjects (people speaking in the audio) about your use of EuroAPI where required by GDPR.
You will not use the Service to process special-category data (e.g. medical) without an appropriate legal basis under Article 9 GDPR.
You will not upload audio of minors without verified parental consent.
You will not use the Service to identify or surveil individuals against their will.

You are the controller of any personal data in your audio. We act as a processor on your behalf. For business customers, see our separate Data Processing Agreement.

Violations may result in suspension and may expose you to liability.

9. Security

We implement appropriate technical and organizational measures including:

In transit: TLS 1.3 with HTTP Strict Transport Security; HTTP/2 and HTTP/3.
At rest: audio stored on encrypted server volumes; deleted automatically after 24 hours.
Access control: API keys hashed; admin access limited to a single operator with 2FA; SSH key-only authentication.
Network: firewall restricting inbound traffic to ports 22/80/443; brute-force protection via fail2ban; automatic security patches.
Audit logs: all administrative actions logged with timestamps.

No security system is perfect. We cannot guarantee absolute security but we work continuously to improve it.

10. Data breaches

If a personal data breach is likely to result in a risk to data subjects, we will notify the Belgian Gegevensbeschermingsautoriteit within 72 hours and affected users without undue delay, in accordance with Articles 33 and 34 GDPR.

11. Children

The Service is not directed at children under 16. We do not knowingly process personal data of children. If you believe a child has provided us with personal data, contact us at vandenbrandenglen@gmail.com and we will delete it.

12. Cookies and tracking

The marketing website at https://euroapi.app uses no tracking cookies. No Google Analytics. No Facebook Pixel. No third-party advertising tags. The API service at https://api.euroapi.app uses no cookies.

13. Changes to this Privacy Policy

We may update this Privacy Policy. Material changes will be announced at least 30 days in advance via email (to active customers) and a notice on the Service. Continued use after the effective date constitutes acceptance.

14. Contact

For any privacy-related question or to exercise your rights:

Email: vandenbrandenglen@gmail.com
Belgian DPA: Gegevensbeschermingsautoriteit, Drukpersstraat 35, 1000 Brussels — https://www.gegevensbeschermingsautoriteit.be