RESTDriven Privacy Policy
Last updated: 26-06-2026
RESTDriven requires certain data to provide our services to you. This policy explains what personal data we collect, why we collect it, and your rights in relation to it. It should be read alongside our Terms of Service.
Data Controller
The data controller responsible for your personal data is:
Fraser Watson
Email: admin@restdriven.com
You can contact us about this policy or your data at admin@restdriven.com.
Data we collect
Demo app
- GitHub user ID — we store a one-way hash of your GitHub user ID, exclusively for the purposes of enforcing the free trial limits. We retain this hash permanently, including after you stop using the demo app or delete your account.
- Firebase JWT — we use this exclusively for the purpose of authenticating requests; we do not store it.
- Email address — this is stored on Google Firebase when you log in to our services. This is automatically stored by Firebase and will only be used if we need to contact you regarding RESTDriven — for example, terms of service or privacy policy updates.
RapidAPI
- User information — RapidAPI provides us with the basic information of all users subscribed to our API. We will not use this data for any purpose other than contacting you regarding RESTDriven.
- Detailed logs — detailed logs that may include the full requests made by you (including IP address) are made available to us by RapidAPI for 7 days. We will only use this for the purposes of statistics and/or the investigation of service issues or abuse.
Requests received by backend server
This section covers what data is collected on the backend server through your use of the services.
- Request data — this includes request path (excluding query parameters), IP address, request size, response code, referrer, request method (GET, POST, etc.), and user agent. We will store this data for at most 90 days before deletion. We may keep aggregate, anonymised data for the purposes of improving the services, statistics, or investigating abuse.
- Query strings (occasionally) — we normally strip query parameters from request logs (see above), but we reserve the right to temporarily log query strings in full to investigate problems with the service or abuse. Such logs are stored for up to 90 days.
- Error logs — when a request fails or behaves unexpectedly, we may store an error log. These usually contain only technical details such as error messages and stack traces. Where necessary to diagnose a problem, they may also include additional information from the request — such as the URL and its query string, specific headers, or the request body — but only what is needed to investigate the issue. Error logs are stored for up to 90 days.
Legal basis for processing
We process your personal data under the UK GDPR on the following bases:
- Legitimate interests — We may store your information for the purposes of statistics and investigating service issues or abuse.
- Providing the services — We process data you provide for the purposes of providing our services.
- Legal obligation — where we are required to retain or disclose data by law.
Third parties and international transfers
We share personal data with the following providers, who process it on our behalf:
- Google Firebase — authentication and storage of account data (including your email address). Data may be processed in the United States; this transfer is covered by Google's certification under the UK Extension to the EU-U.S. Data Privacy Framework.
- GitHub — sign-in via GitHub SSO. They provide a unique user ID as well as email address and account name. Data may be processed in the United States; this transfer is covered under the UK Extension to the EU-U.S. Data Privacy Framework.
- RapidAPI — marketplace access to the API. Please check RapidAPI's privacy policy before using it to access our API.
- Hetzner — hosting provider for our services. Servers and/or backups will be stored in Germany or Finland.
- Oracle Cloud — secondary provider in the event of an outage (servers located in the UK).
- Cloudflare — domain provider and CDN. As a CDN it processes request traffic, including IP addresses, in the United States; this transfer is covered under the UK Extension to the EU-U.S. Data Privacy Framework.
Data retention
We retain personal data only for as long as necessary for the purposes described in this policy. The periods below summarise our retention; see the sections above and our Terms of Service for detail.
- GitHub user ID hash — retained permanently, to enforce the free-trial limit (kept even after you stop using the demo app or delete your account).
- Email address and account data — retained for as long as you have a Firebase account with us, and removed when you delete your account. (The free-trial hash above is retained separately.)
- RapidAPI subscriber information — retained while you are subscribed to our API through RapidAPI, and used only to contact you regarding RESTDriven.
- Backend request logs — up to 90 days.
- Backend error logs — up to 90 days.
- RapidAPI detailed request logs — 7 days (this period is set by RapidAPI).
- Aggregate, anonymised data — may be retained indefinitely, as it no longer identifies you.
We may retain data beyond these periods where we are required to do so by law.
Your rights
Under the UK GDPR you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request erasure of your data (excluding your GitHub UID, which we use for enforcing the free trial limits);
- object to, or request restriction of, our processing;
- lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk.
You may exercise these rights by contacting us at admin@restdriven.com.
Cookies and local storage
We use only strictly necessary cookies and browser storage — those required to provide the services you request. We do not use cookies for advertising or cross-site tracking, and under UK PECR strictly necessary cookies do not require consent, so we do not display a cookie consent banner.
- Authentication (Firebase) — when you sign in to the demo app, Firebase Authentication stores tokens in your browser to keep you signed in. These are used solely for authentication.
- Security and delivery (Cloudflare) — Cloudflare sets strictly necessary cookies for security, bot management, and content delivery. These are generated by Cloudflare, are not used to track you, and do not correspond to any user ID. See Cloudflare's cookie documentation for the full list and durations.
Contact
Any questions about this policy can be sent to admin@restdriven.com.