Legal

Privacy Policy

Effective date: June 22, 2026 · Last updated: June 22, 2026

This Privacy Policy explains how Kay David Kalex ("ModAPI", "we", "us") collects, uses, shares, and protects personal data when you use our website and the ModAPI content moderation service (the "Service"), and describes your rights under the EU/UK General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act as amended by the CPRA ("CCPA").

1. Who we are

ModAPI is operated by Kay David Kalex, a sole proprietor (Einzelunternehmen (Kleingewerbe nach deutschem Recht)) established in Germany, c/o Online-Impressum #4165, Europaring 90, 53757 St Augustin, who is the controller of personal data described in this policy where we act as a controller (see Section 2). You can reach us at [email protected]. As we are established in the EU, no representative under Article 27 GDPR is required; we have not appointed a Data Protection Officer, as we fall below the threshold in Article 37 GDPR and § 38 BDSG. Data-protection enquiries can be sent to [email protected].

2. Our roles: controller vs. processor

We act in two different capacities:

As a controller for personal data of our customers and website visitors — for example, account, billing, and usage data described in Section 3. This policy governs that processing.
As a processor (a "service provider" under the CCPA) for the content our customers submit to the moderation API on behalf of their own end users. For that content, our customer is the controller and our Data Processing Agreement governs the processing. End users with questions about that content should contact the relevant customer.

3. Data we collect

Category	Examples	Source
Account data	Email address, hashed password, account ID, email-verification status	You, at registration
Authentication data	Discord OAuth identifier and profile basics (if you sign in with Discord), multi-factor authentication state, session and CSRF tokens	You / Discord
Billing data	Plan, subscription status, transaction identifiers, last four digits and card brand (full card details are handled by our payment processors, not stored by us)	You / Stripe / PayPal
Usage & technical data	API keys (hashed), request counts and metadata, timestamps, route, latency, IP address, user agent, dashboard activity and logs	Automatically
Moderation content	Text, images, and metadata submitted to the API, plus cryptographic (SHA-256) hashes of that content and the moderation results	Customer / End User (we act as processor — see the DPA)
Support & communications	Messages you send us and our replies	You

4. How we use data

to create and administer your account and authenticate you;
to provide, maintain, and improve the Service and generate moderation Output;
to process payments, manage subscriptions, and prevent payment fraud;
to enforce rate limits, quotas, and our Terms of Service, and to detect abuse, security incidents, and fraud;
to provide support and respond to your requests;
to send service and transactional communications, and — where permitted — product updates you can opt out of;
to comply with legal obligations and to establish, exercise, or defend legal claims.

We do not use moderation content submitted through the API to train models that serve other customers, except in de-identified or aggregated form. We do not sell your personal data.

5. Legal bases for processing (GDPR)

Purpose	Legal basis (Art. 6 GDPR)
Providing the Service and managing your account	Performance of a contract (Art. 6(1)(b))
Billing and payment processing	Performance of a contract (Art. 6(1)(b))
Security, fraud prevention, abuse detection, and service improvement	Legitimate interests (Art. 6(1)(f))
Marketing communications and non-essential cookies	Consent (Art. 6(1)(a)), where required
Compliance with legal obligations (e.g. tax, accounting)	Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we have balanced those interests against your rights. You may object to that processing as described in Section 11.

We share personal data only as needed to run the Service:

Sub-processors and service providers who process data on our behalf under contract (see Section 7);
Payment processors (Stripe, PayPal) to take payment;
Authentication providers (Discord) if you choose to sign in with them;
Legal and safety recipients — authorities or advisors — where required by law, to enforce our Terms, or to protect rights, property, or safety;
Corporate transactions — an acquirer or successor in a merger, acquisition, or asset sale, subject to this policy.

We do not sell personal data, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA.

7. Sub-processors

The Service runs on our own self-managed infrastructure located in Germany; we do not use a third-party cloud hosting provider. We use the following sub-processors for specific functions. A current list is available on request via [email protected].

Provider	Purpose
Stripe	Payment processing
PayPal	Payment processing
Discord	Optional OAuth sign-in
Mailgun (Mailgun Technologies, Inc.)	Transactional and verification email delivery

8. International data transfers

We and our sub-processors may process data outside your country, including in countries that may not provide the same level of data protection. Where we transfer personal data out of the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards — principally the European Commission's Standard Contractual Clauses (and the UK Addendum / Swiss equivalents) — together with supplementary measures where needed. You may request a copy of the relevant safeguards via [email protected].

9. Data retention

We keep personal data only as long as necessary for the purposes set out above:

Account data — for the life of your account, then deleted or anonymized within a reasonable period after closure;
Billing records — for the period required by tax and accounting law (typically up to 10 years);
Usage logs — for a rolling period sufficient for security, troubleshooting, and abuse detection;
Moderation content — content and its cached hashes/results are retained per the customer's configuration and the DPA; the cache stores hashes and results, not raw content indefinitely, and is purged on the schedules described there.

10. Security

We implement technical and organizational measures appropriate to the risk, including encryption of data in transit, hashing of passwords and API keys, access controls, multi-factor authentication, and logging. No system is perfectly secure; we cannot guarantee absolute security but work to protect your data and to notify you and regulators of breaches as required by law.

11. Your rights under the GDPR

If you are in the EEA, UK, or Switzerland, you have the right to:

Access — obtain confirmation of and a copy of your personal data;
Rectification — correct inaccurate or incomplete data;
Erasure — request deletion ("right to be forgotten");
Restriction — limit how we process your data in certain cases;
Portability — receive your data in a structured, machine-readable format;
Object — object to processing based on legitimate interests or to direct marketing;
Withdraw consent — at any time, without affecting prior processing;
Lodge a complaint — with your local supervisory authority.

To exercise these rights, email [email protected]. We will respond within one month, as required by the GDPR. We will not discriminate against you for exercising your rights.

12. Your rights under U.S. state laws (CCPA/CPRA)

If you are a California resident (similar rights apply in other U.S. states), you have the right to:

Know / access the categories and specific pieces of personal information we have collected, the sources, purposes, and recipients;
Delete personal information we collected from you, subject to exceptions;
Correct inaccurate personal information;
Opt out of the "sale" or "sharing" of personal information — note that we do not sell or share personal information, so there is nothing to opt out of;
Limit the use of sensitive personal information — we use such information only as needed to provide the Service and do not use it for inferring characteristics;
Non-discrimination — we will not discriminate against you for exercising these rights.

Over the preceding 12 months we have collected the categories of personal information described in Section 3, for the business purposes in Section 4, and disclosed them to the categories of recipients in Sections 6 and 7. We have not sold or shared personal information. To exercise your rights, email [email protected]. You may use an authorized agent; we may verify your identity and the agent's authority before responding.

13. Cookies & similar technologies

We use strictly necessary cookies to keep you signed in and to protect against cross-site request forgery (session and CSRF tokens). These are essential to the Service and do not require consent. If we introduce analytics or non-essential cookies, we will request your consent where required and provide controls to manage them.

14. Children

The Service is not directed to children and is intended for users aged 16 and over. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact [email protected] and we will delete it.

15. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice by email or through the Service.

16. Contact

For privacy questions or to exercise your rights, contact [email protected] or our data protection contact at [email protected], or write to:

Kay David Kalex
c/o Online-Impressum #4165, Europaring 90, 53757 St Augustin