Privacy Policy
Last updated: 30 April 2026
Legal Data Hunter ("we", "us") operates the website legaldatahunter.com, the REST API at /v1/*, and the MCP server at /mcp. This policy explains what personal data we collect, why we collect it, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR).
Data controller: GoodLegal SAS, France. Contact: zacharie@goodlegal.fr.
1. What we collect
Account data
- Email address (from GitHub or Google OAuth, or supplied at sign-up)
- Display name and avatar URL (from the OAuth provider, where available)
- OAuth provider identifier (so we can re-authenticate you on subsequent sign-ins)
- Plan (Free, Developer, Pro, Enterprise) and Stripe customer ID, if you subscribe to a paid plan
Connector / API client data
- OAuth dynamic-client-registration records (RFC 7591): client name, redirect URIs, supported grant types — submitted by clients like Claude.ai or ChatGPT when they connect
- API keys you create (stored hashed; we never see the plaintext after creation)
Request logs
- Endpoint path, HTTP status, timestamp, plan, user ID
- JSON-RPC method name (for MCP requests)
- We do not store the body of your queries beyond what is needed to surface them in your own usage dashboard
- We do not store the response payloads
Operational logs
- Server-side application logs may include user IDs, request IDs, and error stack traces. They are retained for 30 days.
2. How we use it
- Authentication and access control — to identify you across requests and apply your plan's rate limits.
- Rate limiting and abuse detection — per-minute, per-day, and per-period counters; abuse / bot detection.
- Billing — to compute usage against your plan and process subscription payments (via Stripe).
- Operations and debugging — to investigate errors and improve service reliability.
- Aggregate analytics — request counts by endpoint or country, never tied to individual users in public-facing reporting.
We do not use your queries or usage history to train any machine-learning model.
3. Where it is stored
- Primary database: Neon PostgreSQL, EU region.
- Application servers: Fly.io, Paris (CDG) region.
- All connections are TLS-encrypted; backups are encrypted at rest.
4. Third-party processors
We rely on the following sub-processors, each bound by their own contractual data-protection terms:
- Neon — managed PostgreSQL hosting (account & usage data).
- Fly.io — application hosting and request routing.
- Stripe — payment processing (only for paid-plan customers).
- GitHub and Google — OAuth identity providers (only for users who sign in with them).
We do not sell, rent, or share your personal data with any other third party.
5. Retention
- Account data: kept while your account exists; deleted on request.
- Request logs (api_usage table): 90 days, after which they are aggregated and the per-row data is deleted.
- Application server logs: 30 days.
- Stripe billing records: retained for the legal period required by French/EU accounting law (10 years).
6. Your rights (GDPR)
If you are in the European Economic Area, you have the right to:
- Access the personal data we hold about you
- Have it corrected if inaccurate
- Have it deleted ("right to be forgotten")
- Receive an export in a portable format
- Object to or restrict processing
- Lodge a complaint with the French data-protection authority (CNIL)
To exercise any of these rights, email zacharie@goodlegal.fr. We respond within 30 days.
7. Cookies and tracking
The web dashboard stores an authentication token in localStorage after sign-in; this is a first-party storage item used only to keep you signed in across page loads. We do not use third-party advertising or cross-site tracking cookies. The site uses Sleek for lightweight, privacy-respecting analytics on public pages; analytics events do not include any personal identifiers.
8. Children
The service is not directed at children under 16. We do not knowingly collect personal data from children.
9. Changes to this policy
If we materially change how we handle your data, we will update this page and, for substantive changes, notify active users by email at least 14 days before the change takes effect.