Privacy & Data Protection Policy
Last updated: 04 November 2025
​
This Privacy & Data Protection Policy (“Policy”) explains how Cityweft (“Cityweft”, “we”, “us”, or “our”) collects, uses, stores, and protects personal data when individuals or organizations (“Users”) access Cityweft’s API and related integrations (“Services”). Cityweft is committed to complying with applicable privacy, security, and data protection laws, including the EU General Data Protection Regulation (“GDPR”).
By using the Services, you agree to the practices described in this Policy.
​
1. Data Controller
Cityweft OÜ
Tallinn, Estonia
📧 contact@cityweft.com
Cityweft has not appointed a Data Protection Officer but can be contacted at the above email for all privacy-related inquiries.
​​
2. Scope of This Policy
This Policy applies exclusively to:
-
The Cityweft API
-
API integrations into third-party platforms
-
Any related backend systems or services used to deliver API functionality
This Policy does not apply to client websites, third-party platforms, or environments where Cityweft’s API is integrated. Those parties remain responsible for their own privacy practices.
​​
3. Data We Collect
Cityweft collects only the minimum data necessary to operate and secure the API. We do not store account profiles, login details, cookies, marketing pixels, or behavioral trackers.
We may collect the following categories of data:
​
a. API Usage Data
-
Project ID
-
Project metadata (e.g., file type, geographic region, usage event)
-
Timestamps and system events related to successful or failed requests
-
Authentication token status
We do not collect IP addresses or device identifiers.
​
b. Technical Diagnostics
-
Error logs
-
System performance metrics
-
Request volume associated with each API key
c. Support Communications
-
Emails received at contact@cityweft.com
-
Messages submitted via Wix contact forms
Support messages may include personal data voluntarily provided by the User (typically name and email). No file attachments containing personal data are expected or required.
d. Marketing Opt-In Data
-
Email address for marketing communications
-
Subscription status and preferences
Collected only when the User explicitly opts in through Wix.
e. Payment Information
Billing and payment details are processed entirely by Stripe.
Cityweft does not collect, process, or store:
-
credit card numbers
-
billing addresses
-
financial identifiers
​
Stripe acts as an independent data controller for payment data.
​
4. How We Use Personal Data
Cityweft processes personal data only for the following purposes and according to GDPR legal bases:
​
a. To operate and provide the API
-
Authenticate requests
-
Deliver requested data
-
Ensure service reliability and performance
Legal basis: Contract performance
b. To secure the platform and prevent abuse
-
Detect harmful or unauthorized API usage
-
Maintain system integrity
Legal basis: Legitimate interest
c. To improve the quality of the service
-
Diagnose errors and performance issues
-
Analyze usage patterns without personal identification
Legal basis: Legitimate interest
d. To respond to support requests
Legal basis: Contract performance
e. To send marketing communications (opt-in only)
-
Product updates
-
Announcements or newsletters
Legal basis: Consent
f. To comply with legal obligations
-
Tax records for Stripe transactions
-
Regulatory requirements
Legal basis: Legal obligation
5. No External Analytics or Tracking
Cityweft does not use:
-
Google Analytics
-
Amplitude
-
Mixpanel
-
Hotjar
-
Cookies, tracking pixels, or external telemetry tools
The API does not install or rely on any client-side tracking.
​
6. Data Retention
Cityweft retains data only for the minimum periods required:
​
-
API usage logs: 90 days
-
Usage analytics: 12 months
-
Support emails & Wix messages: 12 months
-
Export/download records: 12 months
-
Payment data: Handled entirely by Stripe
-
Account data: Not stored
-
After expiration, data is securely deleted or anonymized.
​
7. Data Sharing
Cityweft may share personal data only with:
a. Service Providers (Processors)
-
AWS (EU regions only) for hosting and storage
-
Wix for contact form submissions
-
Stripe for payment processing
All providers act under GDPR-compliant contractual agreements.
​
b. Legal and Regulatory Authorities
Only if required by law or valid legal process.
c. No International Transfers
Cityweft does not transfer personal data outside the EU/EEA.
8. Security
Cityweft implements industry-standard technical and organizational measures to protect data, including:
-
Encryption in transit (TLS)
-
Access controls and credential isolation
-
Monitoring and logging for abuse detection
-
Redundancy and secure backups
-
Limited access rights for operational personnel
-
Confidentiality obligations for employees and partners
9. Automated Decision-Making
Cityweft does not conduct automated decision-making that produces legal or significant effects.
However, we do implement:
-
Abuse detection mechanisms
(e.g., flags for abnormal request behavior)
These mechanisms do not involve personal profiling or IP tracking.
10. Users’ Rights (GDPR)
Users located in the EU/EEA have the following rights:
-
Access to personal data
-
Rectification of inaccuracies
-
Erasure (“right to be forgotten”)
-
Restriction of processing
-
Objection to processing based on legitimate interests
-
Data portability
-
Withdrawal of consent at any time
-
Lodging a complaint with the Estonian Data Protection Inspectorate
To exercise any rights, contact: contact@cityweft.com
11. Children’s Data
Cityweft’s Services are not intended for children under 16.
We do not knowingly collect children’s data.
12. Changes to This Policy
We may update this Policy when necessary to reflect changes to our Services or legal obligations. Material updates will be communicated in advance when required by law. The latest version will always be available through our official channels.
13. Contact
For questions or rights requests:
📧 contact@cityweft.com