Last updated: 2026-07-01
Privacy policy
Operated by EvenWorks. We are the data controller for the personal data we collect through EvenAPI. This policy explains what we collect, why, who else sees it, and what you can ask us to do.
1. Controller and DPO
EvenWorks is the controller. Our Data Protection Officer is reachable at dpo@evenworks.xyz and replies within five business days. We are registered in Germany.
2. What we collect
Account: name, email, optional company name, optional team name. Authentication: hashed password (Argon2id) or OAuth profile from your chosen provider. Service: configuration of your endpoints, request logs, response metadata, support correspondence.
3. Lawful basis
Contract: to deliver the service. Legitimate interests: to keep the service secure and prevent abuse. Consent: optional features like marketing emails. Legal obligation: tax, accounting, and law enforcement requests where required.
4. Who else sees it
Engineers at EvenWorks on a least-privilege basis, with audit logs. Subprocessors: Resend for transactional email (US, with EU SCCs), Paytiko for payment processing, Spaceship for domain registration only. We do not use AWS, Google Cloud, Cloudflare, or any third-party CDN, DDoS protection, or hyperscaler cloud.
5. Where it lives
All data is stored on infrastructure we operate in Falkenstein, Germany. AES-256 at rest, TLS 1.3 in transit. We do not transfer data outside the EU/UK without your consent.
6. How long we keep it
Account and service data: until you request deletion, with a 30-day grace period before hard delete from primary and backups. Anonymized audit log entries are kept indefinitely for fraud prevention. Financial records: seven years as required by tax law.
7. Your rights
You can ask us for access, rectification, erasure, restriction, portability, and objection. You can also lodge a complaint with the relevant German data protection authority. Most rights are exercisable from your account settings; the rest go through dpo@evenworks.xyz.
8. Security
AES-256 at rest, TLS 1.3 in transit, Argon2id for credentials, RS256 JWT with JWKS rotation, per-endpoint API keys, hard plan-based rate limits, ownership checks on every request, audit logging. See the Security page for the full picture.
9. Automated decisions
We do not make automated decisions that produce legal or similarly significant effects about you.
10. Children
EvenAPI is not directed at children under 16. We do not knowingly collect data from children.
11. Cookies
We use a single first-party session cookie for authentication. No advertising cookies, no third-party tracking cookies.
12. Changes
Material changes are communicated by email and a banner in the dashboard at least 30 days before they take effect.
13. Contact
dpo@evenworks.xyz. We aim to reply within five business days.