Data Controller
MetaFetch SAS ("MetaFetch", "we", "us") is the data controller for personal data processed through our website and API services.
Contact: contact@metafetch.dev | DPO: privacy@metafetch.dev
Data We Collect
We collect the following categories of data:
- Account data: email address and password, or Google OAuth sign-in (via Supabase Auth)
- Billing data: processed by Stripe (payment method, subscription status — we do not store card numbers)
- API usage data: endpoint called, status code, latency, timestamp
- Technical data: IP address in server logs (Vercel), User-Agent on API requests
Purpose and Legal Basis
We process data based on the following legal grounds under GDPR:
- Contract performance: providing API access, billing, support (Art. 6(1)(b))
- Legitimate interest: fraud prevention, service security, usage analytics (Art. 6(1)(f))
- Legal obligation: tax and accounting records (Art. 6(1)(c))
- Consent: non-essential cookies (Art. 6(1)(a))
Sub-processors
We use the following trusted sub-processors:
- Supabase (database, authentication) — EU/US
- Stripe (payments) — PCI-DSS compliant
- Vercel (hosting) — global CDN
- Resend (transactional emails)
- Upstash (Redis caching and rate limiting)
Data Retention
Account data is retained while your account is active and for up to 3 years after deletion for legal compliance.
API usage logs are retained for 12 months.
Billing records are retained for 10 years as required by French tax law.
Your Rights
Under GDPR, you have the right to:
- Access, rectify, or erase your personal data
- Restrict or object to processing
- Request data portability
- Withdraw consent at any time (cookies)
- Lodge a complaint with CNIL (cnil.fr)
Security
API keys are stored as SHA-256 hashes only — plaintext keys are shown once at creation.
All traffic is encrypted via HTTPS/TLS.
Contact
For privacy requests, email privacy@metafetch.dev. We respond within 30 days.