
Privacy Policy

Last updated: April 13, 2026

This privacy policy applies to the Iteration Layer API platform, operated by Fabian Schucht trading as Iteration Layer.

Who We Are

Fabian Schucht, trading as Iteration Layer, Calle General Vives 1, 6E, 35006 Las Palmas de Gran Canaria, Spain (NIF Z1096165J) is the data controller. For data protection inquiries, contact support@iterationlayer.com.

Under Article 37 of the GDPR, a Data Protection Officer is not required for our operations as we do not carry out large-scale systematic monitoring of individuals or large-scale processing of special categories of data. The data controller is directly responsible for data protection compliance and can be reached at the address above.

Data We Collect

We collect the following categories of personal data, each for a specific purpose explained in the sections below.

Account data

Email address, optional profile image, and optional email preference settings. If you sign in via Google or GitHub, we also receive your provider user ID so we can link your account. We do not store passwords — authentication uses secure magic links sent to your email.

Organization data

Organization name, URL slug, optional logo, and the roles of each member (owner, admin, or member). When you invite someone, we store their email address and the invitation status until they accept or the invitation expires.

API key data

For each API key you create, we store a name, a short prefix for identification, a cryptographic hash of the key (never the key itself), and a timestamp of when it was last used.

Billing and subscription data

Subscription plan, billing period, credit balance, payment processor identifiers (customer ID, subscription ID, and charge IDs), and payment dispute records. We use Stripe, Inc. as our payment processor and for payment dispute management — we never see or store full card numbers or full bank account numbers.

Usage data

For every API call, we log which endpoint was called, the HTTP status code, credits consumed, and a timestamp. These logs are linked to your organization and API key, not to individual users.

Content data

Documents, images, spreadsheets, generated content payloads, and public website URLs you submit for processing through our APIs. This content is processed transiently and returned to you — we do not store it after the request completes. Website retrieval may involve fetching public page content from the target URL and, when fetch options are used, routing the retrieval through an authorized website retrieval provider. Your content is never used to train, fine-tune, or improve any AI models, whether ours or those of our sub-processors. Google Vertex AI, which we use for inference, processes your data under terms that explicitly prohibit using customer data for model training.

Technical data

Standard server logs that include IP address, browser type, operating system, and referral URL. These are used exclusively for security monitoring (detecting brute-force attacks, unauthorized access attempts) and are not linked to your account. Server logs are deleted after 90 days.

Analytics data

We use a self-hosted OpenPanel instance on our own infrastructure. Public website analytics are collected server-side as anonymous, aggregated usage statistics (page views, referrers, device types) without client-side tracking scripts or analytics cookies. For authenticated product usage and optional email delivery analytics, we may record account-linked events such as signup, login, API key creation, checkout actions, and optional marketing email delivery, including your account identifier, email address where needed to show the recipient, event type, and operational metadata. All analytics data stays on our own servers and is not shared with third-party analytics providers.

Authentication

We offer two ways to sign in: magic links sent to your email (valid for 15 minutes, single-use) and OAuth via Google or GitHub. When you use OAuth, the provider shares your email and a unique identifier with us so we can create or link your account. We store your OAuth provider user ID but do not retain your OAuth access or refresh tokens beyond the initial sign-in exchange.

Legal Basis for Processing

  • Contract performance (Art. 6(1)(b)) — account management, API delivery, billing
  • Legitimate interests (Art. 6(1)(f)) — we rely on this basis for three specific purposes, each with a documented balancing test:
    • Service improvement — data processed: API call counts, error rates by endpoint, response times, authenticated product events, and optional email delivery events. Necessity: we cannot identify reliability issues or understand whether opted-in communications are delivered without this data. Impact on data subjects: limited, because we keep event properties narrow, avoid submitted content, and use the data only for operating and improving the service.
    • Security monitoring — data processed: IP addresses, request rates, authentication success/failure events. Stored in server logs for 90 days. Necessity: required to detect brute-force attacks, credential stuffing, and unauthorized access. Impact on data subjects: proportionate, because logs are retained for a limited period, are not shared externally, and are not used for any other purpose.
    • Fraud prevention and payment dispute management — data processed: billing event patterns, chargeback records, payment anomalies, charge identifiers, and dispute status. Necessity: fraud and payment disputes cannot be handled reliably without contemporaneous records. Impact on data subjects: proportionate, because this data is already collected for billing under contract performance and the additional fraud-detection and dispute-management use adds no new customer content collection.

    You have the right to object to any processing based on legitimate interests under Article 21 of the GDPR. Contact support@iterationlayer.com with your objection, and we will cease the contested processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

  • Legal obligation (Art. 6(1)(c)) — tax reporting, lawful government requests
  • Consent (Art. 6(1)(a)) — optional onboarding guidance and product update emails; withdrawable at any time from account settings

Purpose of Processing

  • Provide and improve our API services, account management, and support
  • Process payments, manage subscriptions, and handle payment disputes
  • Monitor usage for performance, reliability, and security
  • Detect and prevent fraud and technical issues
  • Communicate account, billing, service, and security updates required to operate the service
  • Send optional onboarding guidance and product update digests only when you have opted in
  • Comply with applicable laws and regulations

AI Model Training and Automated Decision-Making

We do not use your submitted API content to train, fine-tune, or improve AI models. Content submitted through our APIs is processed for inference or retrieval only and is not retained after the response is delivered. Our sub-processor Google Vertex AI operates under data processing terms that prohibit using customer data for model training. Stripe may use AI-assisted tooling for payment dispute management under Stripe's own payment-processing terms, but we do not send submitted API content to Stripe for that purpose.

We do not engage in profiling or automated decision-making that produces legal effects or similarly significant effects on you, as described in Article 22 of the GDPR. Operational measures such as rate limiting and fraud detection are applied uniformly to protect service integrity and do not constitute profiling.

Third-Party Services

We share data with a small number of third-party providers, all bound by data processing agreements. See the sub-processors section below for the full list. We do not sell your personal data or share it for third-party marketing.

If you choose to sign in via Google or GitHub, your authentication data is exchanged directly with those providers under their respective privacy policies. They act as independent controllers for that data, not as our sub-processors.

International Data Transfers

Our primary infrastructure is in the EU (Hetzner, Germany). Where transfers outside the EEA are necessary — for example, payment processing, AI inference, or monitoring regions — we rely on the EU-US Data Privacy Framework, EU Standard Contractual Clauses (SCCs), or adequacy decisions. If the EU-US Data Privacy Framework is invalidated, we will fall back to SCCs where available and notify users of material changes to transfer mechanisms via email and an update to this policy. See our Data Processing Agreement for details.

Data Retention

We keep your data only as long as needed for its purpose. Here are the specific retention periods:

  • Account data — retained while your account is active, deleted within 30 days of account termination
  • Session tokens — valid for 14 days, automatically renewed if you remain active
  • Magic link tokens — expire after 15 minutes and are deleted after use
  • Email change tokens — valid for 7 days and deleted after use
  • Organization invitations — expire after their set period; expired invitations are retained for audit purposes
  • Server logs (IP addresses, browser type) — 90 days, used exclusively for security monitoring
  • API usage logs — 90 days. This period is the minimum necessary to cover billing reconciliation cycles and payment dispute windows (card network chargebacks may be filed up to 120 days after a charge). Logs are used solely to verify credit consumption and resolve billing disputes. Early deletion would remove the evidence needed to protect both parties in a dispute, so it is not available during this period. Logs are automatically purged after 90 days.
  • Payment and subscription records — as required by tax law (typically 5-7 years)
  • Content submitted for processing — deleted immediately after the API response is delivered
  • Analytics data — public website analytics are aggregated and anonymized. Authenticated product and optional email delivery analytics may contain account-linked event metadata and are retained for 90 days or less where personal data is stored. Contact us if you have questions.

Cookies and Tracking

We use only essential cookies for session authentication and CSRF protection. No tracking, advertising, or third-party analytics cookies are set. Consent is not required under the ePrivacy Directive for strictly necessary cookies.

Our analytics are powered by a self-hosted OpenPanel instance running on our own infrastructure. Public website analytics are collected entirely server-side — no tracking scripts are loaded in your browser and no cookies are set for analytics. Authenticated product and email delivery analytics are account-linked operational events used to run and improve the service. No data leaves our infrastructure for analytics purposes.

Security

We protect your data with TLS 1.2+ encryption in transit, encryption at rest, secure authentication via magic links and OAuth (no passwords stored), hashed API keys, least-privilege access controls, rate limiting on all API endpoints, regular vulnerability scanning, intrusion detection with community threat intelligence (CrowdSec), and incident response procedures. In the event of a personal data breach, we will notify affected users and the relevant supervisory authority within 48 hours of becoming aware of the breach, as detailed in our Data Processing Agreement. For details on our security measures, see Schedule I of our Data Processing Agreement.

Your Rights

Under the GDPR you have the right to:

  • Access a copy of your personal data
  • Rectify inaccurate or incomplete data
  • Erase your data (subject to legal retention requirements)
  • Restrict processing
  • Receive your data in a portable, machine-readable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time
  • Lodge a complaint with the Spanish Data Protection Agency (AEPD) or your local supervisory authority

Contact support@iterationlayer.com to exercise any of these rights. We will respond within 30 days.

Sub-processors

These are the third-party providers that process data on our behalf. For governance details, see our Data Processing Agreement.

| Sub-processor | Purpose | Location | Transfer mechanism |
| --- | --- | --- | --- |
| Hetzner Online GmbH | Cloud infrastructure and DNS | Germany (EU) | N/A (EEA) |
| Stripe, Inc. | Payment processing and payment dispute management | United States | EU-US Data Privacy Framework |
| Google LLC (Vertex AI) | AI model inference | United States; data processed in EU multi-region | EU-US Data Privacy Framework |
| Lettermint B.V. | Transactional email delivery, optional product update delivery, unsubscribe handling, and suppression list management | Netherlands (EU) | N/A (EEA) |
| OpenStatus SAS | Uptime monitoring | France (EU) | N/A (EEA); SCCs for non-EEA monitoring regions |

Website analytics are handled through a self-hosted OpenPanel instance on our own infrastructure — no third-party provider is involved.

Changes to This Policy

We may update this policy and will post changes here with an updated date. For material changes we will give at least 30 days' notice via email.

Contact

For any questions about this Privacy Policy or our data practices, contact us at support@iterationlayer.com.