Privacy Policy
This Privacy Policy explains how Random Profiles API (“Random Profiles”, “we”, “us”) handles personal data in connection with the service offered at https://random-profiles.com, including the REST API at /v1/*, the CLI (random-profiles on npm), and the MCP server (random-profiles-mcp on npm). We process personal data in accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”) and the Dutch Uitvoeringswet Algemene verordening gegevensbescherming (“AVG”).
@faker-js/faker and Leonardo.ai) and do not correspond to real individuals or organisations. Any resemblance to a real person or company is coincidental. Synthetic data is not personal data within the meaning of Article 4(1) GDPR, because it does not identify or relate to an identifiable natural person.
This Privacy Policy concerns only the personal data of our users (developers who sign up for an API key and interact with our website and API).
1. Who is the controller
The controller responsible for your personal data is:
[LEGAL ENTITY NAME]
[STREET ADDRESS]
[POSTAL CODE] [CITY], the Netherlands
KvK (Chamber of Commerce) number: [KVK NUMBER]
VAT number: [VAT NUMBER]
Email: privacy@random-profiles.com
We have not appointed a Data Protection Officer (DPO) as we are not required to do so under Article 37 GDPR. Privacy questions should be directed to the email address above.
2. Data we collect
We collect and process the following categories of personal data of our users.
| Category | What it contains | When we collect it |
|---|---|---|
| Account identifier | Your email address (used as the primary identifier of your account) | When you request an API key or sign in via magic link |
| API key | A randomly generated token linked to your email | Issued when you request an API key |
| Session data | A session cookie (opaque token) set after you sign in via magic link, valid for one hour | When you sign in to the /account page |
| Magic-link tokens | Short-lived sign-in tokens, held in memory only, valid for 15 minutes | When you request a sign-in link |
| Usage logs | Per-request records containing: the API key, the endpoint path (e.g. /v1/profiles), the request type (profile / company / image), a unit count, and a timestamp |
On every authenticated API request |
| Billing reference | A Lemon Squeezy customer ID associating your key with your subscription tier | If you purchase a paid plan |
| Website analytics | Aggregated, privacy-respecting analytics (no cookies, no cross-site tracking) via Umami Cloud: page URL, referrer, country, browser/OS, screen size | When you visit our website |
What we do not collect: we do not log IP addresses or user-agent strings in our request logs; we do not store your payment card details (Lemon Squeezy handles payment data and we never see it); we do not track you across other websites; we do not sell or rent personal data to anyone.
3. Purposes and legal bases
We process personal data only for the purposes listed below and only when one of the legal bases in Article 6(1) GDPR applies.
| Purpose | Data involved | Legal basis |
|---|---|---|
| Provisioning and authenticating your API key | Email, API key, session data | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sending the magic-link sign-in email and the API-key delivery email | Email, API key | Performance of a contract (Art. 6(1)(b) GDPR) |
| Enforcing daily rate limits and showing usage stats on /account | Usage logs, API key | Performance of a contract (Art. 6(1)(b) GDPR) |
| Processing payments and managing subscriptions | Email, billing reference | Performance of a contract (Art. 6(1)(b) GDPR) |
| Complying with tax, accounting and fraud-prevention obligations | Billing data | Legal obligation (Art. 6(1)(c) GDPR) |
| Aggregated website analytics to improve the service | Analytics data (non-identifying) | Legitimate interest (Art. 6(1)(f) GDPR) |
| Operational logging, security monitoring and preventing abuse | Usage logs | Legitimate interest (Art. 6(1)(f) GDPR) |
You can object to processing based on legitimate interests at any time (see Your rights below). Where we rely on the performance of a contract, not providing the data means we cannot provide the corresponding part of the service.
4. Sub-processors and international transfers
We use carefully selected sub-processors to operate the service. A current list is provided below. We have concluded data-processing agreements with each of them as required under Article 28 GDPR, and where a sub-processor is located outside the EEA, transfers take place under the European Commission’s Standard Contractual Clauses and, where applicable, supplementary measures.
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Fly.io, Inc. | Application hosting and SQLite storage | All account and usage data | United States (servers run from EU regions where possible) |
| Resend (Resend, Inc.) | Transactional email delivery (magic links, API keys) | Email address, API key contained in the email body | United States |
| Lemon Squeezy, LLC | Checkout, subscriptions, invoicing, EU VAT (merchant of record) | Email, billing reference, payment details collected directly by Lemon Squeezy | United States / Ireland |
| Umami Software, Inc. (Umami Cloud) | Privacy-respecting, cookieless website analytics | Non-identifying analytics events | United States |
For transfers to the United States we rely on the EU-US Data Privacy Framework where the recipient is certified, and otherwise on Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914.
5. How long we keep data
- Account (email + API key): kept for as long as the account is active. When you delete your account (see Section 7), the key and associated email are removed.
- Session cookies: expire after one hour; the corresponding server-side record is pruned automatically.
- Magic-link tokens: expire after 15 minutes and are held only in server memory.
- Usage logs: pruned automatically after 30 days.
- Billing records and invoices: retained for seven (7) years as required by Dutch tax law (Article 52 of the Algemene wet inzake rijksbelastingen).
- Website analytics: retained in aggregated form for no longer than 13 months.
6. Cookies and similar technologies
Our website uses the minimum set of cookies and client-side storage required to operate.
sessioncookie (strictly necessary): set on /account after you sign in via magic link. HTTP-only, Secure, SameSite=Lax, one-hour lifetime. No consent required under Article 11.7a Telecommunicatiewet because it is strictly necessary for the service you requested.rp_api_keyinsessionStorage(strictly necessary): stored by your browser on the /playground and /pricing pages for your convenience. Cleared when you close the browser tab.- Umami Cloud analytics (no cookies): Umami does not set cookies and does not track users across visits or sites. Because Umami measures only aggregated, non-identifying traffic and does not create a profile of the visitor, we consider it to fall within the narrow analytics exception to the consent requirement under the guidance of the Dutch Autoriteit Persoonsgegevens (“Normuitleg cookies”). If you disagree or wish to opt out, you can block the script
cloud.umami.is/script.jsin your browser or network, with no impact on the service.
7. Your rights
Under the GDPR and AVG you have the following rights with regard to your personal data. We will respond to any request within one month, free of charge (Article 12 GDPR).
- Right of access (Art. 15) — obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — have inaccurate data corrected.
- Right to erasure / to be forgotten (Art. 17) — request that we delete your account and associated personal data, subject to retention obligations for billing records.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON).
- Right to object (Art. 21) — in particular to any processing we base on legitimate interests, including analytics.
- Right not to be subject to automated decision-making (Art. 22). We do not engage in automated decision-making that produces legal or similarly significant effects.
- Right to withdraw consent (Art. 7(3)) — where we rely on consent, you may withdraw it at any time.
To exercise any of these rights, email privacy@random-profiles.com from the address linked to your account. We may ask you to confirm ownership of the account before acting on the request.
You also have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or with the supervisory authority of the EU Member State where you reside.
8. Security
We apply appropriate technical and organisational measures in line with Article 32 GDPR, including:
- HTTPS/TLS on all network traffic between you and the service.
- Encrypted persistent volumes for the database at our hosting provider.
- HTTP-only, Secure, SameSite=Lax session cookies.
- Rate limiting on account creation and other sensitive endpoints.
- Admin access protected by separately configured credentials.
- Least-privilege access to production systems.
If we become aware of a personal-data breach that poses a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours (Art. 33 GDPR) and, where required, notify the affected users without undue delay (Art. 34 GDPR).
9. Children
Random Profiles is a developer tool and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we hold data about a child, please contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via the email address associated with your account and posted on this page with an updated “Last updated” date. Non-material changes may be made without notice. The current version is always available at https://random-profiles.com/privacy.
11. Contact
For privacy-related questions or to exercise any of your rights, email privacy@random-profiles.com. For all other support matters, see our documentation.