Privacy Policy
Last Updated: 2026-03-06
1. Who We Are
This Privacy Policy describes how Onivo AB, a Swedish limited company (“Operator”, “we”, “us”, or “our”), collects, uses, and protects information in connection with the Refetch.cloud API service (“Service”). The Operator is the data controller for the personal data described in this policy.
Contact: [email protected]
2. What Data We Collect
We collect and process the following categories of Customer data:
- Account Data: Email address provided at registration, API key(s) generated for the account, and account preferences.
- Usage Data: Aggregate request counts and usage volumes per API key. We do not log individual URLs requested, request contents, or response contents.
- Payment Data: Payment transactions are processed by Stripe. We do not store credit card numbers, bank account details, or other payment instrument data. Stripe may share with us a transaction reference, amount, currency, and billing country for our records. Stripe’s handling of payment data is governed by Stripe’s own privacy policy.
- Communications: If you contact us by email, we retain the correspondence for the purpose of responding to your inquiry.
3. What Data We Do Not Collect
We do not collect, store, log, or process the content of web pages fetched through the Service. Fetched content is transmitted to the Customer in real time and is not retained by us beyond the duration of the API request.
We do not log individual URLs requested by Customers. We do not track Customer behaviour across third-party websites. We do not use cookies or tracking technologies in the API service.
4. How We Use Your Data
We use the data described in Section 2 for the following purposes:
- To operate the Service: authenticating API requests, tracking credit balances, and enforcing rate limits.
- To process payments and maintain billing records.
- To communicate with you regarding your account, service updates, or responses to your inquiries.
- To enforce our Terms of Service, including detecting and responding to abuse.
- To comply with applicable legal obligations, including responding to valid legal orders from Swedish authorities.
5. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we process your data on the following legal bases:
- Performance of a contract: Processing Account Data and Usage Data is necessary to provide the Service under our Terms of Service (Article 6(1)(b) GDPR).
- Legitimate interest: Processing Usage Data for abuse detection and service integrity is based on our legitimate interest in maintaining a functional and safe service (Article 6(1)(f) GDPR).
- Legal obligation: Retaining billing records as required by the Swedish Accounting Act (Article 6(1)(c) GDPR).
6. Data Retention
- Account Data is retained for as long as your account remains active. Upon account deletion, Account Data is deleted within thirty (30) days.
- Usage Data (aggregate volumes) is retained for the lifetime of the account and for twelve (12) months after account deletion for billing reconciliation purposes.
- Payment records are retained for seven (7) years as required by the Swedish Accounting Act (Bokföringslagen, 1999:1078).
- Communications are retained for as long as necessary to resolve the inquiry, and no longer than twenty-four (24) months.
7. Data Sharing
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
- Stripe: Payment processing. Stripe acts as an independent data controller for payment data.
- Infrastructure providers: Our hosting and cloud infrastructure providers process data on our behalf as data processors, subject to data processing agreements.
- Legal requirements: We may disclose data when required by a valid legal order from a Swedish court or authority, or when necessary to comply with applicable law.
8. Data Transfers
Your data may be processed in countries outside the European Economic Area (EEA) by our infrastructure and payment providers. Where such transfers occur, they are protected by appropriate safeguards, including EU Standard Contractual Clauses or adequacy decisions by the European Commission.
9. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: You may request a copy of your personal data.
- Right to rectification: You may request correction of inaccurate data.
- Right to erasure: You may request deletion of your data, subject to our legal retention obligations.
- Right to restrict processing: You may request that we limit how we use your data.
- Right to data portability: You may request your data in a structured, machine-readable format.
- Right to object: You may object to processing based on our legitimate interests.
To exercise any of these rights, contact us at [email protected]. We will respond within thirty (30) days.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.
10. Fetched Content and Third-Party Data
The Service retrieves publicly accessible web content at the Customer’s direction. This content may contain personal data belonging to third parties. The Operator does not access, review, store, or process this content. The Customer is solely responsible for any personal data processing that results from their use of the Service, including determining the lawful basis for such processing under GDPR.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Updated versions will be posted at this URL with an updated “Last Updated” date. Continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact
For questions about this Privacy Policy or our data practices: