Privacy Policy
This Privacy Policy describes how the Service collects, uses, retains, and shares personal data. It is drafted to satisfy the transparency obligations under Articles 13 and 14 of the EU General Data Protection Regulation ("GDPR") and the equivalent provisions of the United Kingdom Data Protection Act 2018 ("UK GDPR").
1. Data controller
The data controller for personal data processed about Customer account holders, billing contacts, and visitors to our public web pages is:
Deadlock API Ltd.
Registered office to be confirmed prior to commercial launch. Email [email protected] for the current registered address.
Where Customers transmit personal data of their own end users to us in the course of using the Service, the Customer is the controller and we act as processor under our Data Processing Addendum.
2. Data Protection Officer and EU representative
Our Data Protection Officer can be reached at [email protected]. For all other privacy correspondence, including requests under § 8, write to [email protected].
3. What data we collect
We collect the minimum data necessary to provide the Service:
| Category | Examples |
|---|---|
| Account data | Business email address, company name, VAT identifier where applicable. |
| Authentication artefacts | Argon2id hash of the API key and its prefix fingerprint. We never store the raw key. |
| Billing identifiers | Stripe customer ID, subscription ID, usage record IDs. |
| Subscription audit log | Timestamp, hashed customer identifier, match ID, granted scope, JWT subject claim, request IP address. |
| Operational telemetry | Structured trace and metric attributes attached to API and Worker spans. No event-payload bodies. |
A fuller breakdown of the categories we process on Customer instructions is set out in Annex I to the Data Processing Addendum ("DPA").
We do not process special categories of personal data within the meaning of Article 9 GDPR.
4. Children's data
The Service is a business-to-business product directed exclusively at operators, integrators, and analytics providers. It is not intended for use by, and we do not knowingly collect personal data from, children under the age of sixteen. If you believe a child has provided personal data to us in breach of this policy, contact [email protected] and we will delete the data without undue delay.
5. Legal basis for processing
We process personal data on the following legal bases:
- Contract performance (Article 6(1)(b) GDPR) — to authenticate you, deliver the Service, and invoice metered usage.
- Legal obligation (Article 6(1)(c) GDPR) — to retain records required by tax, accounting, and dispute resolution law.
- Legitimate interest (Article 6(1)(f) GDPR) — to detect abuse, prevent fraud, and maintain the security and integrity of the Service. You may object to processing on this basis as described in § 8.
6. How we use your data
We use your personal data exclusively to:
- authenticate API requests and issue scoped JWTs;
- report metered usage to Stripe and generate invoices;
- notify you of material changes to the Service or this policy;
- comply with applicable law and defend legal claims.
7. Sub-processors and international transfers
The current sub-processors are listed in our Sub-processor list, which is the authoritative source for purposes, regions, and transfer mechanisms. Our primary infrastructure is in the European Union and personal data is processed under the controlling region stated for each entry on that page; where data is transferred outside the European Economic Area we rely on the Standard Contractual Clauses adopted in EU Decision 2021/914 and, where applicable, the UK International Data Transfer Addendum.
8. Your rights
Under the GDPR you have the right to:
- access your personal data and obtain a copy (Article 15);
- request rectification of inaccurate data (Article 16);
- request erasure where one of the grounds in Article 17 applies;
- request restriction of processing (Article 18);
- receive your data in a structured, machine-readable format and have it transmitted to another controller (Article 20);
- object to processing carried out on the basis of legitimate interest (Article 21).
To exercise any of these rights, contact [email protected]. The dashboard at /dashboard/account provides self-service export and deletion as documented in our Compliance page.
You also have the right under Article 77 GDPR to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Data Protection Commission (Ireland) (dataprotection.ie). You may also complain to the supervisory authority of the EEA Member State of your habitual residence, place of work, or place of the alleged infringement.
9. Retention
| Category | Retention period |
|---|---|
| Account data | Duration of the contract, plus six (6) years from termination for Irish accounting and tax records. |
| Billing records | Six (6) years from invoice date (Section 886 Taxes Consolidation Act 1997 / Section 84 VAT Act 2010). |
| Subscription audit log | Six (6) years from the audited event for tax and dispute purposes, then purged automatically. |
| Match-event channel history (Centrifugo) | One hundred sixty-eight (168) hours from match start. |
| Operational telemetry (traces, metrics) | Thirty (30) day rolling window. |
These periods are reconciled with the retention windows set out in the Data Processing Addendum and the Compliance page. Where periods diverge, the figures in this Privacy Policy and the DPA control.
10. Security
We apply the technical and organisational measures described in the Data Processing Addendum § "Security of processing" and Annex II, including TLS 1.2+ in transit, AES-256 at rest, segregated least-privilege database roles (api_user, worker_user), private-subnet isolation of the production database, and an immutable audit log of every personal-data access. Suspected security incidents should be reported to [email protected].
11. Cookies
We set a single first-party session cookie issued by our identity provider (Clerk) to maintain authenticated sessions on the dashboard. This cookie is strictly necessary for the operation of the Service and is exempt from Article 5(3) of the ePrivacy Directive consent requirement. We do not use analytics cookies, advertising cookies, or third-party trackers on the public site or the dashboard.
12. Changes to this policy
We will notify registered Customers by email at least thirty (30) days before any material change to this policy. The current version is always published at /legal/privacy.
Last reviewed: 2026-05-03.