Privacy Policy

Last updated: April 21, 2026

1. Introduction

RDAP API ("we", "us") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable French law.

2. Data Controller

The data controller is FEELTECH, a French SARL with registered office at 110 rue de Fontenay, 94300 Vincennes, France, SIREN 443 191 754 (R.C.S. Créteil). Full identification is available in our legal notice.

Privacy contact: Nicolas Boutet-Mangon, Gérant, reachable at [email protected].

Business customers subject to GDPR Article 28 may rely on our Data Processing Agreement, which is incorporated by reference into the Service Terms upon subscription.

3. Data We Collect

Account data

  • Name and email address (provided during registration)
  • Hashed password (never stored in plain text)

Billing data

  • Payment information is processed and stored by Stripe. We only store your Stripe customer ID and the last four digits of your payment method.

Usage data

  • API request logs: query type, queried domain, response time, cache status, and timestamp.
  • Monthly aggregated request counts per user.

Technical data

  • Session cookies for authentication (detailed in §10).
  • We do not persist your IP address or user agent in our application database. They may appear transiently in web server access logs (rotated and discarded) for operational and security purposes, and are processed by Cloudflare (see §6) as part of inbound traffic handling.

4. How We Use Your Data

  • To provide and maintain the Service.
  • To enforce rate limits and usage quotas.
  • To process payments and manage subscriptions.
  • To send transactional emails (verification, password reset).
  • To detect and prevent abuse.

5. Legal Basis for Processing

We rely on the following legal bases under the GDPR:

  • Performance of a contract: to provide the API, manage your account, and process payments for paid plans.
  • Legitimate interest: to keep request logs for security, abuse prevention, and rate-limit enforcement.
  • Legal obligation: to keep accounting records as required by French law.
  • Consent: for any marketing email, which you can withdraw at any time.

6. Data Sharing and Subprocessors

We do not sell your personal data. We use the subprocessors listed below, each bound by a data processing agreement and appropriate security commitments:

  • Hetzner Online GmbH (Germany, EU): primary hosting infrastructure. All production data is stored in the European Union.
  • Cloudflare, Inc. (USA): authoritative DNS, TLS termination, reverse proxy / CDN, and DDoS protection. Processes IP addresses and request metadata for all inbound traffic.
  • Backblaze, Inc. (USA, US-West region): encrypted off-site backups of the application database (AES-256 at rest).
  • Stripe Payments Europe Ltd (Ireland, EU): payment processing and subscription billing.
  • Mailgun (Sinch) (USA): transactional email delivery (account verification, password reset, billing receipts).
  • Law enforcement or regulators: only if required by a legally binding request.

7. International Data Transfers

Our primary hosting and billing infrastructure is located inside the European Union. Transfers to subprocessors outside the EU (Cloudflare, Backblaze, Mailgun) are governed by the European Commission Standard Contractual Clauses (SCCs, 2021/914). We maintain an up-to-date list of subprocessors above and will notify registered users of any material change before it takes effect.

8. Data Retention

  • Account data is retained while your account is active.
  • API request logs are retained, linked to your user identifier, while your account is active. They are used for billing accuracy, rate-limit enforcement, and abuse investigation.
  • Upon account deletion, the link between API request logs and your identity is severed (pseudonymization under GDPR Article 4(5)); the resulting de-identified data may be retained for service analytics and security purposes.
  • Accounting records (invoices, payment history) are retained for 10 years, as required by French commercial law.
  • You may delete your account at any time from the Settings page in your dashboard. This cancels any active subscription, revokes your API tokens, and triggers the pseudonymization described above.

9. Data Protection Officer

We have not appointed a formal Data Protection Officer. Our processing activities do not meet the criteria of GDPR Article 37 (no large-scale monitoring of data subjects, no processing of special categories of data at scale). All privacy requests are handled by Nicolas Boutet-Mangon, Gérant of FEELTECH, at [email protected].

10. Cookies

We use essential cookies only. We do not use tracking or advertising cookies, and we do not embed third-party social widgets that drop cookies.

Name | Purpose | Duration
rdap-api-session | Authenticated session identifier. | 2 hours
XSRF-TOKEN | CSRF protection on form submissions. | 2 hours
remember_web_* | "Remember me" persistent login, set only when the user opts in at sign-in. | 5 years

11. Your Rights

Under the GDPR and applicable law, you have the right to:

  • Access, correct, or delete your personal data.
  • Export your data in a portable format.
  • Restrict or object to processing.
  • Withdraw consent for data processing at any time.
  • Lodge a complaint with a supervisory authority. In France, this is the CNIL (cnil.fr).

To exercise any of these rights, contact us at [email protected]. We respond within one month, as required by GDPR Article 12(3).

12. Security

We use industry-standard measures to protect your data, including encrypted connections (HTTPS), hashed passwords, and secure session management. A detailed description of the technical and organisational measures implemented by FEELTECH is available in our Technical and Organisational Measures.

13. Changes to This Policy

We may update this policy from time to time. We will notify registered users of material changes via email. Continued use of the Service after changes constitutes acceptance.

14. Contact

For privacy-related questions, contact us at [email protected].