Privacy Policy

Your privacy is critical to us. Learn how we protect your data.

Last updated: April 30, 2026

At Reput.io, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Whitelist Intelligence API service. Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the service.

Information We Collect

We collect information that you provide directly to us and automatically through your use of our service.

Account Information

  • Email address: Required for account creation and authentication
  • Password: Stored using argon2id hashing with industry-standard encryption
  • Subscription plan: Free, Pro, Team, or Enterprise tier
  • MFA settings: If you enable two-factor authentication

API Usage Data

  • Indicators queried: IP addresses, domains, URLs, and hashes submitted for lookup (temporarily stored for rate limiting and analytics)
  • Request timestamps: Date and time of API calls
  • Usage metrics: Daily and monthly request counts for rate limiting
  • Response data: Lookup results, confidence scores, and risk context

Technical Information

  • IP addresses: Client IP for rate limiting and abuse prevention
  • User agent: Browser or API client information
  • Authentication credentials: API keys (stored as SHA-256 hashes) and JWT session tokens
  • Log data: Application and server logs for debugging and security monitoring

How We Use Your Data

We use the information we collect for the following purposes:

Service Delivery

  • Process API lookup requests
  • Enforce rate limits per subscription tier
  • Provide confidence scoring and risk context
  • Deliver authentication and authorization

Service Improvement

  • Analyze usage patterns and trends
  • Improve confidence scoring algorithms
  • Optimize API performance
  • Develop new features and capabilities

Security & Compliance

  • Detect and prevent abuse
  • Monitor for security threats
  • Comply with legal obligations
  • Enforce Terms of Service

Communication

  • Send service notifications
  • Respond to support requests
  • Provide billing information
  • Share product updates (opt-in)

Data Security

We implement comprehensive security measures to protect your information.

Infrastructure Security

  • Hetzner Cloud infrastructure (ISO 27001 certified, EU-based)
  • Data encrypted at rest (AES-256)
  • Data encrypted in transit (TLS 1.3)
  • Regular security audits and penetration testing

Access Controls

  • JWT-based authentication with argon2id password hashing
  • API key authentication
  • Brute-force protection with account lockout
  • Token blacklist for secure logout

Monitoring & Response

  • 24/7 infrastructure monitoring
  • Automated security alerts
  • Incident response procedures
  • Regular backup and disaster recovery

Data Isolation

  • User data isolated per account
  • No sharing between tenants
  • Secure API key management
  • Automatic session expiration

Data Retention

We retain your data only as long as necessary to provide our services.

Data Type | Retention Period | Purpose
Account information | Until account deletion | Authentication & service delivery
API usage metrics | 90 days | Rate limiting & billing
Queried indicators | 1 hour (cached) | Performance optimization
Application & server logs | 30 days | Debugging & security monitoring
Billing records | 7 years | Legal compliance (tax law)

Your Privacy Rights

You have the following rights regarding your personal data under GDPR and other privacy laws.

Right to Access

Request a copy of all personal data we hold about you. Access your usage data through the dashboard.

Right to Rectification

Update incorrect or incomplete personal information through your account settings page.

Right to Deletion

Request deletion of your account and associated data. Use the "Delete Account" button in settings or contact us.

Right to Data Portability

Request your data in a machine-readable format (JSON) for transfer to another service.

Right to Object

Object to processing of your data for marketing purposes or based on legitimate interests.

Right to Restrict Processing

Request restriction of processing under certain circumstances while we verify or address concerns.

How to Exercise Your Rights

To exercise any of these rights, please:

  • Visit your account Settings page for self-service options
  • Email us at privacy@reput.io with your request
  • Use the "Delete Account" endpoint via API: POST /delete-account

We will respond to your request within 30 days as required by GDPR.

Third-Party Processors

In line with Article 28 of the GDPR, we disclose all sub-processors that may process personal data on our behalf. Each processor operates under a Data Processing Agreement (DPA) and, where transfers outside the EEA occur, Standard Contractual Clauses (SCCs).

Processor | Purpose | Data Processed | Location
Hetzner Online GmbH (ISO 27001 certified) | Primary hosting and database infrastructure for the API. | Account data, API usage records, queried indicators, server logs. | Germany (EU)
Vercel Inc. (SOC 2 Type II, DPA + SCCs) | Hosting for the marketing site and web dashboard. | Request metadata, IP addresses, browser user-agent. | Global edge (US-headquartered)
Cloudflare, Inc. (ISO 27001, SOC 2, DPA + SCCs) | CDN, DDoS mitigation and Web Application Firewall in front of the API; Turnstile CAPTCHA on the contact form. | IP addresses, request metadata, CAPTCHA challenge tokens. | Global edge (US-headquartered)
Paddle.com Market Ltd. (Merchant of Record, PCI DSS) | Subscription billing, payment processing and tax handling. | Name, billing address, email, payment method (tokenised), invoices. | United Kingdom / EU
Resend (Drop Inc.) (DPA + SCCs) | Transactional emails (account verification, password reset, service notifications). | Email address, message content, delivery metadata. | United States
Backblaze, Inc. (SOC 2 Type II, DPA + SCCs) | Offsite, encrypted storage of PostgreSQL backups (users, api_keys, user_usage tables). | Encrypted backup archives. Data is encrypted before upload. | United States

We review this list whenever processors change. Material updates trigger a new "Last updated" date at the top of this page.

International Data Transfers

Our primary infrastructure, including the API, database and application logs, is hosted by Hetzner in Germany (EU). Your account data and API traffic are processed within the European Economic Area.

A limited set of sub-processors — Cloudflare (edge CDN/WAF), Vercel (web hosting), Resend (transactional email) and Backblaze (encrypted backups) — may process data outside the EEA, primarily in the United States. For these transfers we rely on each provider's Data Processing Agreement and Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where appropriate by additional safeguards such as encryption in transit and at rest.

Backups stored with Backblaze are encrypted before upload, so the underlying personal data is not readable by the processor. This design is intended to meet the GDPR requirements for international transfers under Chapter V.

Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@reput.io.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page with an updated "Last Updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice on our dashboard

Your continued use of the service after changes constitutes acceptance of the updated Privacy Policy.

Contact Us

If you have questions about this Privacy Policy, please contact us:

Privacy Inquiries

General Support:

hello@reput.io

Data Protection Officer

For GDPR-related inquiries or to exercise your privacy rights under EU law:

dpo@reput.io
