Legal

Privacy Policy

How HailAPI collects, uses, and protects your personal data under GDPR.

Last updated: March 11, 2026

1. Who We Are

This Privacy Policy explains how Lumea di Georgiana Huides ("HailAPI", "we", "us", or "our") collects, uses, and protects your personal data when you use the HailAPI service available at hailapi.com.

Data ControllerLumea di Georgiana Huides, Via Ofanto 26L, 00071 Pomezia (RM), ItalyDitta individuale — P.IVA: IT18023211008

Contactsupport@hailapi.com

Supervisory AuthorityGarante per la protezione dei dati personaligaranteprivacy.it

2. What Data We Collect

2.1 Account Information

When you register, we collect your name, email address, and hashed password (or OAuth provider identifiers).

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)

2.2 API Usage Data

When you use the detection API, we log: endpoint called, HTTP status code, processing time, image file size, number of detections, timestamp, cost per scan, and hashed API key. We do not log the content of your images.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — billing, monitoring, abuse prevention

2.3 Uploaded Images

Images submitted to the API are processed in real-time in server memory. Images are not stored, saved to disk, or retained after processing. The AI model analyzes vehicle surfaces for hail damage only — it does not perform facial recognition or biometric analysis.

If images incidentally contain personal data (license plates, reflections), that data is processed transiently and discarded immediately.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)

2.4 Payment Data

Payments are processed by Paddle.com (Merchant of Record). We do not collect or store credit card numbers. Paddle shares with us: transaction IDs, billing country, and receipt information.

Legal basis: Performance of a contract and legal obligation (Art. 6(1)(b), (c) GDPR)

2.5 Cookies

We use strictly necessary cookies only for session management and CSRF protection. We do not use advertising, tracking, or analytics cookies.

2.6 Technical Data

Our hosting providers automatically collect standard server logs (IP address, browser type, OS, timestamps).

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

3. How We Use Your Data

Purpose	Legal Basis
Provide and operate the Service	Contract (Art. 6(1)(b))
Process payments	Contract (Art. 6(1)(b))
Monitor and improve performance	Legitimate interest (Art. 6(1)(f))
Prevent fraud and abuse	Legitimate interest (Art. 6(1)(f))
Comply with legal obligations	Legal obligation (Art. 6(1)(c))
Service-critical communications	Contract (Art. 6(1)(b))

We do not use your data for automated decision-making or profiling that produces legal effects.

4. Third-Party Service Providers

Provider	Role	Location
Paddle.com	Payment processing (MoR)	USA / UK / EU
Vercel	Application hosting	USA (global edge)
Railway	AI model hosting	USA
Upstash	Redis rate limiting	EU / USA
Cloudflare	Image storage (R2)	EU / Global

International Data Transfers

Where data is transferred outside the EEA, we ensure safeguards via EU Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework. Contact support@hailapi.com for details.

5. Data Retention

Data Category	Retention
Account information	Active account + 30 days after deletion
API usage logs	24 months
Payment records	10 years (Italian tax law)
Uploaded images	Not retained
Session cookies	Session / 30 days
Server logs	12 months

6. Your Rights

Under the GDPR, you have the right to:

Access (Art. 15) — request a copy of your personal data
Rectification (Art. 16) — correct inaccurate data
Erasure (Art. 17) — request deletion ("right to be forgotten")
Restriction (Art. 18) — limit processing in certain cases
Data portability (Art. 20) — receive your data in machine-readable format
Object (Art. 21) — object to processing based on legitimate interest
Withdraw consent (Art. 7(3)) — where processing is based on consent

Contact support@hailapi.com to exercise your rights. We respond within 30 days. You may also lodge a complaint with the Garante per la protezione dei dati personali.

7. Data Security

We implement appropriate measures including: TLS 1.2+ encryption, API keys stored as SHA-256 hashes, rate limiting, input validation, and access controls. No system is 100% secure — we cannot guarantee absolute security.

8. Children's Privacy

The Service is not directed at individuals under 16. We do not knowingly collect data from children.

9. Changes

We may update this policy. Material changes will be notified by email at least 14 days in advance. The "Last updated" date reflects the most recent revision.

10. Contact

Lumea di Georgiana Huides
Via Ofanto 26L, 00071 Pomezia (RM), Italy
P.IVA: IT18023211008
Email: support@hailapi.com
Phone: +39 328 258 1946
PEC: georgiana.huides@pec.it
Web: hailapi.com