Privacy Policy for Human Design API
Effective Date: November 28, 2024
Last Updated: April 24, 2026
At Human Design API (a service provided by App de Bock), we take your privacy and the privacy of your clients seriously. This policy explains how we collect, use, and protect your personal information in compliance with the General Data Protection Regulation (GDPR).
1. Identity of the Data Controller
For the purposes of account management and billing, the Data Controller is:
- Legal Entity: App de Bock
- Address: Holsteynstraat 7ZW, 2021 HJ Haarlem, Netherlands
- Contact: info@appdebock.nl
2. Information We Collect and Why
We process different types of data depending on how you interact with our services:
A. Customer Account & Billing Data
When you create an account or purchase an API package, we collect your name, email address, and payment details.
- Purpose: To manage your account, provide technical support, and process payments.
- Billing Records: We are legally required to keep financial records for tax purposes.
B. API Birth Data (Our Role as Data Processor)
When your application sends birth data (date, time, and location) to our API, we act as a Data Processor.
- Processing: This data is processed strictly in-memory to generate a Human Design Profile.
- Storage: We do not store this data on any disk or database. It is deleted immediately after the API response is sent.
- Legal Basis: This processing is governed by the Data Processing Agreement (DPA) found in Section 9 of our Terms of Service.
C. Usage & Billing Data
When you use the API, we collect data necessary to operate the credit and billing system.
- Usage Records: Each API call is logged with the endpoint called, credits consumed, overage status, and timestamp.
- Credit Balances: Your current credit allocation, rollover amounts, and billing period dates.
- Credit History: A record of all credit events, including monthly resets, rollovers, manual adjustments, overage charges, and API key renewals.
- Invoice Records: Local copies of Stripe invoices, including amounts, dates, and PDF links.
- Subscription Data: Your plan type, billing interval, overage opt-in status, and cancellation status.
- Webhook Events: Stripe event payloads received to keep your subscription and billing state synchronised.
- Purpose: To operate the credit system, generate invoices, support billing disputes, and comply with Dutch tax law.
- Legal Basis: Contractual necessity (processing your subscription) and legal obligation (Dutch tax law, fiscale bewaarplicht).
3. Data Retention
- Account Information: We retain your account data for as long as your account is active.
- Financial Records: We retain invoice and transaction data for 7 years, as required by Dutch tax law (fiscale bewaarplicht).
- API Data: Birth data is retained for 0 seconds after the API request is completed.
- Usage Records: API call logs are retained for 7 years to support billing audits and Dutch tax law compliance.
- Webhook Events: Stripe webhook event payloads are retained for 1 year for traceability and dispute resolution.
- Credit Balances & History: Credit allocation and transaction records are retained for the lifetime of your account.
- Subscription Data: Plan and billing configuration data is retained for the lifetime of your account.
4. Cookies & Tracking
We use a minimal number of cookies to ensure our website and API dashboard function correctly. Because these cookies are "strictly necessary" for the technical operation of the service, they do not require your prior consent.
These are cookies that are essential for you to browse the website and use its features, such as accessing secure areas of the site or processing payments. Without these cookies, the services you have asked for cannot be provided.
You can choose to disable cookies through your individual browser options. However, please note that if you disable strictly necessary cookies, you may not be able to log in to your account or purchase API packages.
5. Third-Party Service Providers (Sub-processors)
We do not sell your data. We only share data with essential service providers:
- API Hosting & Cron: Railway.app. API processing and scheduled jobs run on servers located within the European Union (EU).
- Database: Supabase. All user, billing, and usage data is stored on servers located within the European Union (EU).
- Object Storage: Cloudflare R2. Used exclusively to store the ephemeris data file required for chart calculations (no personal data). Storage is located in Western Europe (EEA).
- Payments: Stripe. Payment data is processed by Stripe. As Stripe is a US-based company, data transfers are protected by Standard Contractual Clauses (SCCs) to ensure an adequate level of data protection.
Google Cloud Platform (GCP) is no longer used as of April 2026.
6. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access: You can request a copy of the data we hold about you.
- Right to Rectification: You can ask us to correct inaccurate information.
- Right to Erasure ("Right to be Forgotten"): You can request that we delete your account and personal data.
- Right to Restriction & Objection: You can object to the processing of your data for legitimate interests.
- Right to Data Portability: You can request your data in a machine-readable format.
To exercise these rights, please contact us at info@appdebock.nl.
7. Security
We implement appropriate technical and organizational measures to protect your data, including SSL/TLS encryption for all data in transit and a Privacy-by-Design architecture that ensures birth data never touches persistent storage.
8. Lodging a Complaint
If you believe that our processing of your personal data infringes on the GDPR, you have the right to lodge a complaint with a supervisory authority. In the Netherlands, this is: Autoriteit Persoonsgegevens, PO Box 93374, 2509 AJ DEN HAAG
https://autoriteitpersoonsgegevens.nl/
9. Updates to this Policy
We may update this Privacy Policy to reflect changes in our practices or for legal reasons.
- Significant changes: We will notify you by email.
- Minor changes: We will update the "Last Updated" date at the top of this page.