Privacy Policy
Gibs API Privacy Policy — Gibbr AB.
Gibs API — Privacy Policy Effective date: February 10, 2026 Last updated: February 10, 2026
This Privacy Policy describes how Gibbr AB ("we", "us") collects, uses, and protects information when you use the Gibs API ("Service").
1. Data Controller
Gibbr AB is the data controller for personal data processed in connection with the Service, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
Contact: support@gibs.dev
2. What We Collect
2.1 Account Data
When you register, we collect:
- Email address
- Company name (optional)
- Billing information (processed by Stripe; we do not store payment details)
2.2 Usage Data
When you use the Service, we automatically collect:
- API request timestamps
- Query metadata (endpoint called, response time, status code)
- IP address
- API key identifier
2.3 Query Content
Your API queries are processed to generate responses. Query content may be temporarily cached for performance optimization (max 24 hours).
2.4 What We Do NOT Collect
- We do not collect personal data from your end users
- We do not use tracking cookies or third-party analytics on the API
- We do not process special categories of personal data (Article 9 GDPR)
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide the Service | Performance of contract (Art. 6(1)(b)) |
| Billing and invoicing | Performance of contract (Art. 6(1)(b)) |
| Rate limiting and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Service monitoring and improvement | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
4. Data Sharing
We do not sell, rent, or share your personal data with third parties except:
- Stripe: Payment processing. See Stripe's Privacy Policy.
- Infrastructure providers: Hosting services that process data on our behalf under data processing agreements.
- Legal requirements: If required by Swedish or EU law, court order, or regulatory authority.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 12 months |
| Usage logs | 90 days |
| Query cache | 24 hours |
| Billing records | 7 years (Swedish accounting law) |
Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
6. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.2+)
- API key authentication
- Rate limiting
- Access controls on infrastructure
7. International Transfers
Your data is processed within the EU/EEA. If any sub-processor transfers data outside the EEA, appropriate safeguards (Standard Contractual Clauses) are in place.
8. Your Rights
Under GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se
To exercise your rights, contact support@gibs.dev. We will respond within 30 days.
9. Changes to This Policy
We may update this Privacy Policy. Material changes will be communicated via email. The "Last updated" date at the top reflects the most recent revision.
10. Contact
Gibbr AB Email: support@gibs.dev Supervisory authority: Integritetsskyddsmyndigheten (IMY), imy.se
This Privacy Policy was last updated on February 10, 2026.