Privacy Policy

Last updated: March 6, 2026

Who We Are

Fabian Schucht, trading as Iteration Layer, Calle General Vives 1, 6E, 35006 Las Palmas de Gran Canaria, Spain (NIF Z1096165J) is the data controller. For data protection inquiries, contact support@iterationlayer.com.

Data We Collect

We collect the following categories of personal data, each for a specific purpose explained in the sections below.

Account data

Email address and optional profile image. If you sign in via Google or GitHub, we also receive your provider user ID so we can link your account. We do not store passwords — authentication uses secure magic links sent to your email.

Organization data

Organization name, URL slug, optional logo, and the roles of each member (owner, admin, or member). When you invite someone, we store their email address and the invitation status until they accept or the invitation expires.

API key data

For each API key you create, we store a name, a short prefix for identification, a cryptographic hash of the key (never the key itself), and a timestamp of when it was last used.

Billing and subscription data

Subscription plan, billing period, credit balance, and payment processor identifiers (customer ID and subscription ID). We use Paddle.com as our payment processor — we never see or store full card numbers.

Usage data

For every API call, we log which endpoint was called, the HTTP status code, credits consumed, and a timestamp. These logs are linked to your organization and API key, not to individual users.

Content data

Documents and images you submit for processing through our APIs. This content is processed transiently in memory and returned to you — we do not store it after the request completes.

Technical data

Standard server logs that include IP address, browser type, operating system, and referral URL. These are used for security monitoring and are not linked to your account.

Analytics data

We use a self-hosted Plausible Analytics instance on our own infrastructure to collect anonymous, aggregated website usage statistics (page views, referrers, device types). Plausible does not use cookies, does not collect personal data, and does not track individual visitors across sessions.

Authentication

We offer two ways to sign in: magic links sent to your email (valid for 15 minutes, single-use) and OAuth via Google or GitHub. When you use OAuth, the provider shares your email and a unique identifier with us so we can create or link your account. We store your OAuth provider user ID but do not retain your OAuth access or refresh tokens beyond the initial sign-in exchange.

Legal Basis for Processing

  • Contract performance (Art. 6(1)(b)) — account management, API delivery, billing
  • Legitimate interests (Art. 6(1)(f)) — service improvement, security monitoring, fraud prevention
  • Legal obligation (Art. 6(1)(c)) — tax reporting, lawful government requests
  • Consent (Art. 6(1)(a)) — marketing communications; withdrawable at any time

Purpose of Processing

  • Provide and improve our API services, account management, and support
  • Process payments and manage subscriptions
  • Monitor usage for performance, reliability, and security
  • Detect and prevent fraud and technical issues
  • Communicate service updates and security alerts
  • Comply with applicable laws and regulations

Third-Party Services

We share data with a small number of third-party providers, all bound by data processing agreements. See the sub-processors section below for the full list. We do not sell your personal data or share it for third-party marketing.

If you choose to sign in via Google or GitHub, your authentication data is exchanged directly with those providers under their respective privacy policies. They act as independent controllers for that data, not as our sub-processors.

International Data Transfers

Our primary infrastructure is in the EU (Hetzner, Germany). Where transfers outside the EEA are necessary — for example, when content is processed through Google Vertex AI (data processed in the Netherlands) — we rely on the EU-US Data Privacy Framework, EU Standard Contractual Clauses (SCCs), or adequacy decisions. See our Data Processing Agreement for details.

Data Retention

We keep your data only as long as needed for its purpose. Here are the specific retention periods:

  • Account data — retained while your account is active, deleted within 90 days of account termination
  • Session tokens — valid for 14 days, automatically renewed if you remain active
  • Magic link tokens — expire after 15 minutes and are deleted after use
  • Email change tokens — valid for 7 days and deleted after use
  • Organization invitations — expire after their set period; expired invitations are retained for audit purposes
  • API usage logs — 30 days
  • Payment and subscription records — as required by tax law (typically 5-7 years)
  • Content submitted for processing — deleted immediately after the API response is delivered
  • Aggregated, anonymized analytics — retained indefinitely (non-identifiable)

Cookies and Tracking

We use only essential cookies for session authentication and CSRF protection. No tracking, advertising, or third-party analytics cookies are set. Consent is not required under the ePrivacy Directive for strictly necessary cookies.

Our website analytics are powered by a self-hosted Plausible instance running on our own infrastructure. Plausible is a privacy-focused tool that does not use cookies, does not collect personal data, and does not track visitors across sites or sessions. No data leaves our infrastructure for analytics purposes.

Security

We protect your data with TLS 1.2+ encryption in transit, encryption at rest, secure authentication via magic links and OAuth (no passwords stored), hashed API keys, least-privilege access controls, rate limiting on all API endpoints, regular vulnerability scanning, and incident response procedures. For details, see Schedule I of our Data Processing Agreement.

Your Rights

Under the GDPR you have the right to:

  • Access a copy of your personal data
  • Rectify inaccurate or incomplete data
  • Erase your data (subject to legal retention requirements)
  • Restrict processing
  • Receive your data in a portable, machine-readable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time
  • Lodge a complaint with the Spanish Data Protection Agency (AEPD) or your local supervisory authority

Contact support@iterationlayer.com to exercise any of these rights. We will respond within 30 days.

Sub-processors

These are the third-party providers that process data on our behalf. For governance details, see our Data Processing Agreement.

Sub-processor | Purpose | Location | Transfer mechanism
Hetzner Online GmbH | Cloud infrastructure and DNS | Germany (EU) | N/A (EEA)
Paddle.com Market Ltd | Payment processing | United Kingdom | UK adequacy decision
Google LLC (Vertex AI) | AI model inference | United States; data processed in Netherlands (EU) | EU-US Data Privacy Framework
Lettermint B.V. | Transactional email delivery | Netherlands (EU) | N/A (EEA)
OpenStatus SAS | Uptime monitoring | France (EU) | N/A (EEA); SCCs for non-EEA monitoring regions

Website analytics are handled through a self-hosted Plausible instance on our own infrastructure — no third-party provider is involved.

Changes to This Policy

We may update this policy and will post changes here with an updated date. For material changes we will give at least 30 days' notice via email.

Contact

For any questions about this Privacy Policy or our data practices, contact us at support@iterationlayer.com.