Privacy Policy
Our commitment: We collect only the data we need to run BelugAPI. We do not sell your personal data to third parties. You can exercise your rights at any time by emailing contact@lannetech.com.
1. Data Controller
The data controller responsible for processing your personal data is:
Enzo Lanne — LanneTech
Legal form: Auto-Entrepreneur (Sole Trader) — France
Trade name: LanneTech / BelugAPI
Email: contact@lannetech.com
Website: https://belugapi.com
As a business established in France, we are subject to Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act (Loi Informatique et Libertés).
2. Data We Collect
Account & Registration Data
- Email address (required to create an account)
- Password (stored in hashed form — we never store plaintext passwords)
- Account name or display name (optional)
Billing & Payment Data
- Transaction records (amount, date, payment reference)
- Full payment card data is never stored on our servers — it is handled directly by our payment processor
Usage & API Data
- API request logs (model used, token counts, timestamps, response codes)
- IP address and user-agent for security and abuse prevention
- We do not permanently store the content of your API prompts or completions beyond the time needed for delivery
Communications
- Emails you send us and our replies
- Support ticket content
Technical & Analytical Data
- Browser type, operating system, referrer URL
- Pages visited and time spent (via privacy-respecting analytics)
- Error logs
3. How We Use Your Data
We use your personal data for the following purposes:
- Service delivery: Authenticating you, routing API requests, processing credits;
- Billing: Processing payments and maintaining transaction records;
- Security: Detecting abuse, fraud, and unauthorised access;
- Support: Responding to your queries and resolving issues;
- Legal compliance: Meeting our obligations under French and EU law;
- Service improvement: Analysing aggregated, anonymised usage patterns to improve performance and features.
We do not use your data for advertising profiling or sell it to third parties.
4. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR Article 6:
- Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for;
- Legal obligation (Art. 6(1)(c)): Accounting records, tax obligations, and fraud prevention;
- Legitimate interests (Art. 6(1)(f)): Security monitoring, abuse prevention, and platform analytics — where these interests are not overridden by your rights;
- Consent (Art. 6(1)(a)): For optional analytics cookies and marketing communications, where applicable.
5. Data Sharing & Sub-Processors
We may share your data with the following categories of recipients:
Hosting & Infrastructure
Hostinger — our web hosting provider. Servers may be located in the EU or EEA. Hostinger processes data under its own privacy policy and appropriate data processing agreements.
Payment Processing
Payment processing is handled by our payment provider. Card data never passes through our servers.
AI Model Providers
When you send an API request, your prompt data is forwarded to the relevant AI model provider (e.g. OpenAI, Google). Each provider has its own privacy policy and data practices. We recommend reviewing them for models you use.
Legal Authorities
We may disclose data to competent authorities if required to do so by applicable law, court order, or regulatory request.
We do not sell, rent, or trade your personal data to any third party for commercial purposes.
6. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes described in this policy:
- Account data: Retained while your account is active, and for up to 3 years after account deletion for legal and audit purposes;
- Billing records: Retained for 10 years in accordance with French accounting law (Code de commerce);
- API request logs: Retained for up to 90 days for security and debugging;
- Support communications: Retained for 3 years from the last interaction.
When data is no longer needed, it is securely deleted or anonymised.
7. Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:
- HTTPS/TLS encryption for all data in transit;
- Bcrypt hashing for passwords;
- API key hashing and scoping;
- Access controls limiting data access to authorised personnel only;
- Regular security reviews.
No system is perfectly secure. In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority (CNIL) within 72 hours, and affected users without undue delay, as required by GDPR Article 33/34.
8. International Data Transfers
When your API prompts are forwarded to AI model providers, your data may be transferred to countries outside the EU/EEA (e.g. the United States). Such transfers are conducted under appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable, in accordance with GDPR Chapter V.
Our hosting infrastructure via Hostinger may process data within the EU/EEA. We take steps to ensure that any international transfers comply with applicable data protection law.
9. Your GDPR Rights
As a data subject under GDPR, you have the following rights regarding your personal data:
Right of Access
Request a copy of all personal data we hold about you.
Right to Rectification
Ask us to correct inaccurate or incomplete data.
Right to Erasure
Request deletion of your personal data ("right to be forgotten").
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or direct marketing.
Right to Restriction
Request that we restrict processing in certain circumstances.
To exercise any of these rights, contact us at contact@lannetech.com. We will respond within 30 days. We may need to verify your identity before processing your request.
Right to complain: You have the right to lodge a complaint with the French data protection authority, the CNIL (Commission Nationale de l'Informatique et des Libertés) at www.cnil.fr, or with the supervisory authority in your country of residence.
10. Children's Privacy
BelugAPI is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. Contact us at contact@lannetech.com if you have concerns.
11. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by updating the "Last updated" date and, where appropriate, by email notification. We encourage you to review this page periodically.
12. Contact & Data Protection
For any privacy-related questions, requests, or concerns, contact us at:
Data Controller — LanneTech
Contact person: Enzo Lanne
Email: contact@lannetech.com
Response time: Within 30 days of receipt
As an Auto-Entrepreneur, we are not required to appoint a formal Data Protection Officer (DPO). For DPO-equivalent enquiries, please use the contact above.