Legal
Privacy Policy
Last updated: 8 July 2026
This Privacy Policy explains how API CACHE ("API CACHE", "we", "us" or "our") collects, uses and protects personal data when you visit apicache.co.uk, use our dashboard, or route traffic through our caching platform (together, the "Service"). We process personal data in accordance with UK data protection law, including the UK GDPR and the Data Protection Act 2018.
01The two roles we play
It matters who controls the data, so we are explicit about it:
- As a controller — for your account details, billing information, support conversations and website analytics, we decide how and why the data is processed. This policy governs that processing.
- As a processor — for the content of API requests and responses that pass through or are stored in your cache ("Cached Content"), you are the controller and we process it only on your instructions, expressed through your configuration of the Service and our terms. If Cached Content contains personal data, that is data you control; our processing of it is governed by our data processing terms rather than this policy.
02Personal data we collect as a controller
- Account data — name, work email address, organisation name, authentication identifiers (passkey public keys, hashed credentials).
- Billing data — plan, VAT status, invoicing details and payment method tokens. Full card numbers are handled by our payment provider and never touch our systems.
- Usage and device data — dashboard activity, API token metadata (creation, scope, last used), IP addresses, browser type, and aggregate metering records (call counts, size bands, latency) needed to operate and bill the Service.
- Communications — support requests, emails and feedback you send us.
We do not intentionally collect special category data and ask that you do not include it in support communications.
03What we do not do with Cached Content
- We do not parse, mine, profile or build products from the content of cached response bodies. Operational analytics are computed from metadata only (sizes, timings, status codes, hit/miss results).
- Cached Content is encrypted at rest with AES-256-GCM under per-tenant keys and is structurally isolated per customer.
- Authorization, Cookie and Set-Cookie headers are stripped before storage and are never written to cache or logs.
- Cached Content is stored in your selected region (the UK by default) and is deleted when it expires, when you purge it, or on account closure as described in our Terms.
04Why we process your data (lawful bases)
- Contract — creating and administering your account, providing the Service, metering and billing.
- Legitimate interests — securing the platform, preventing abuse and fraud, improving the Service, and sending service-relevant communications to business users. We balance these interests against your rights.
- Legal obligation — tax, accounting and responding to lawful requests from authorities.
- Consent — optional marketing emails and non-essential cookies, where used. You can withdraw consent at any time.
05Cookies and analytics
The public website uses strictly necessary cookies and privacy-preserving, aggregate analytics. The dashboard uses cookies required for authentication and session security. We do not use third-party advertising cookies or sell data to advertisers.
06Who we share data with
- Sub-processors — infrastructure, payment and email providers who process data on our documented instructions under written contracts, listed at apicache.co.uk (updated with notice for material changes).
- Professional advisers and authorities — where necessary to comply with law or protect our rights.
- Business transfers— if API CACHE is involved in a merger, acquisition or asset sale, subject to this policy's protections.
We never sell personal data.
07International transfers
Our platform and Cached Content storage are UK-based by default. Where a sub-processor involves a transfer of controller data outside the UK, we rely on adequacy regulations or the UK International Data Transfer Agreement / Addendum, with supplementary measures where appropriate.
08Security
We apply the same standards to your account data as to the platform itself: TLS 1.3 in transit, encryption at rest, least-privilege access, scoped and revocable credentials, audit logging and tested backup and recovery procedures. If a personal data breach occurs that is likely to result in a risk to you, we will notify you and the Information Commissioner's Office as required by law.
09Retention
- Account data — for the life of the account and up to 12 months after closure, except where longer retention is required by law.
- Billing records — 6 years, to meet UK tax and accounting obligations.
- Metering and audit logs — up to 24 months, then aggregated or deleted.
- Cached Content — until TTL expiry, purge, or account closure (see section 03).
10Your rights
Under UK data protection law you have rights of access, rectification, erasure, restriction, portability and objection, and the right not to be subject to solely automated decisions with legal effect (we make none). To exercise any right, email privacy@apicache.co.uk; we respond within one month. You also have the right to complain to the Information Commissioner's Office (ico.org.uk), though we would welcome the chance to resolve any concern first.
11Changes to this policy
We will post any changes on this page and, for material changes, notify account holders by email at least 14 days before they take effect. The "last updated" date above always reflects the current version.
12Contact
Privacy questions and rights requests: privacy@apicache.co.uk. Security reports: security@apicache.co.uk.