EvenAPI

Last updated: 2026-07-01

Privacy policy

Operated by EvenWorks. We are the data controller for the personal data we collect through EvenAPI. This policy explains what we collect, why, who else sees it, and what you can ask us to do.

1. Controller and DPO

EvenWorks is the controller. Our Data Protection Officer is reachable at dpo@evenworks.xyz and replies within five business days. We are registered in Germany.

2. What we collect

Account: name, email, optional company name, optional team name. Authentication: hashed password (Argon2id) or OAuth profile from your chosen provider. Service: configuration of your endpoints, request logs, response metadata, support correspondence.

3. Lawful basis

Contract: to deliver the service. Legitimate interests: to keep the service secure and prevent abuse. Consent: optional features like marketing emails. Legal obligation: tax, accounting, and law enforcement requests where required.

4. Who else sees it

Engineers at EvenWorks on a least-privilege basis, with audit logs. Subprocessors: Resend for transactional email (US, with EU SCCs), Paytiko for payment processing, Spaceship for domain registration only. We do not use AWS, Google Cloud, Cloudflare, or any third-party CDN, DDoS protection, or hyperscaler cloud.

5. Where it lives

All data is stored on infrastructure we operate in Falkenstein, Germany. AES-256 at rest, TLS 1.3 in transit. We do not transfer data outside the EU/UK without your consent.

6. How long we keep it

Account and service data: until you request deletion, with a 30-day grace period before hard delete from primary and backups. Anonymized audit log entries are kept indefinitely for fraud prevention. Financial records: seven years as required by tax law.

7. Your rights

You can ask us for access, rectification, erasure, restriction, portability, and objection. You can also lodge a complaint with the relevant German data protection authority. Most rights are exercisable from your account settings; the rest go through dpo@evenworks.xyz.

8. Security

AES-256 at rest, TLS 1.3 in transit, Argon2id for credentials, RS256 JWT with JWKS rotation, per-endpoint API keys, hard plan-based rate limits, ownership checks on every request, audit logging. See the Security page for the full picture.

9. Automated decisions

We do not make automated decisions that produce legal or similarly significant effects about you.

10. Children

EvenAPI is not directed at children under 16. We do not knowingly collect data from children.

11. Cookies

We use a single first-party session cookie for authentication. No advertising cookies, no third-party tracking cookies.

12. Changes

Material changes are communicated by email and a banner in the dashboard at least 30 days before they take effect.

13. Contact

dpo@evenworks.xyz. We aim to reply within five business days.