GDPR Statement
Last updated 2026-05-12.
isburner is built and operated from Switzerland and processes personal data inside the European Union (Hetzner data centres in Germany). We treat the EU General Data Protection Regulation (GDPR) as the baseline standard for every account we serve, regardless of where it's located.
This page complements our Privacy Policy with the structured, article-by-article information GDPR requires.
1. Controller
The data controller for personal data processed via isburner is:
ClickOn GmbH (operator of isburner)
Zurich, Switzerland
[email protected]
We have not appointed a Data Protection Officer (we are below the GDPR Art. 37 threshold), but data-protection enquiries are handled directly by the founding team and answered within 30 days.
2. Categories of personal data and lawful basis
| Processing activity | Categories of data | Lawful basis (Art. 6) |
|---|---|---|
| Verifying email addresses you submit to the API | Email address (hashed), domain | (b) contract performance |
| Operating your account on the dashboard | Your email, display name, hashed credentials | (b) contract performance |
| Rate limiting and abuse detection | Request timestamps, API key ID, hashed IP | (f) legitimate interest in service integrity |
| Billing and tax compliance | Stripe customer ID, subscription state, country | (b) contract + (c) legal obligation |
| Improving detection accuracy (aggregated) | Anonymised verdict counters per domain | (f) legitimate interest |
3. Data subject rights
GDPR Articles 15–22 grant every data subject the following rights, which we honour for everyone — EU resident or not:
- Right of access (Art. 15) — get a copy of the data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure (Art. 17) — delete your account and the data attached to it.
- Right to restriction (Art. 18) — temporarily pause processing while a dispute is resolved.
- Right to portability (Art. 20) — receive your data in a machine-readable format (we provide JSON).
- Right to object (Art. 21) — object to processing carried out under legitimate-interest grounds.
- Rights related to automated decision-making (Art. 22) — we don't make legally significant decisions about you by automated means alone, so this rarely applies. The verdict our API produces is advice for *your* application; you decide what to do with it.
To exercise any of these rights, email [email protected]. We respond within one month and never charge a fee for the first request.
4. International transfers
Personal data stays inside the EU/EEA where possible. Where we use service providers in the United States (Cloudflare for DNS, Stripe for payments, Supabase's US-region failover), transfers happen under the European Commission's Standard Contractual Clauses (SCCs) 2021/914, supplemented by the provider's own additional safeguards (encryption in transit, key management, audited Data Processing Agreements).
5. Sub-processors
A full list of sub-processors is maintained in the Privacy Policy, §4. We notify customers by email at least 30 days before adding a new sub-processor so you have time to object.
6. Security
- TLS 1.2+ on all endpoints, HSTS preloaded.
- API keys stored as SHA-256 hashes only — the plaintext exists in our systems for the duration of the HTTP response that creates it, then never again.
- Access to production restricted to the founding team, SSH-key only, MFA required.
- Daily encrypted Postgres backups, 14-day retention.
- Code changes go through pull request and CI before merge.
7. Data breach notification
In the event of a personal-data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the lead supervisory authority within 72 hours (Art. 33) and affected users without undue delay (Art. 34).
8. Supervisory authorities
If you live in the EU, you have the right to complain to your local data protection authority. The European Data Protection Board maintains a directory at edpb.europa.eu.
For Swiss residents, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch.
9. Children
isburner is a B2B developer tool. We do not knowingly process personal data of children under 16.
10. Contact
Privacy and GDPR enquiries: [email protected].