Privacy Policy

Last updated: April 17, 2026

This Privacy Policy explains how Vexon Group LTD, a company registered in England & Wales and trading as "Passportbase" ("Passportbase", "we", "us", "our"), collects, uses, shares, and protects personal data when you visit passportbase.com, use our mobile apps, call our API, or otherwise interact with our services (the "Services").

Vexon Group LTD is the data controller for personal data processed through the Services, except where we act as processor on behalf of a business customer (for example, when a developer uses our API to process their end users' data), in which case that customer is the controller and our processing is governed by our Data Processing Agreement.

Privacy contact: [email protected].

1. Information We Collect

Information you provide directly. Account profile details (name, email, password hash), API key labels, billing contacts, payment metadata processed by our payment providers, enterprise inquiry submissions, support messages, newsletter sign-ups, and any content you submit.

Technical and usage information. IP address, user agent, device identifiers (on mobile), request metadata (endpoints called, timestamps, status codes), error metrics, and security/audit logs used for abuse prevention and service reliability.

Cookies and similar technologies. Session and authentication cookies, and a limited set of analytics or preference cookies described in section 10.

Information from third parties. Identity data from sign-in providers you choose to use, and limited information from payment processors, fraud-prevention, and anti-abuse services.

2. How We Use Information

We use personal data to:

  • provide, operate, personalize, and improve the Services;
  • authenticate users and manage account access;
  • issue, validate, and monitor API credentials;
  • process billing, subscriptions, and tax obligations;
  • detect, investigate, and prevent abuse, fraud, and platform misuse;
  • communicate service, transactional, and (with consent where required) marketing updates;
  • comply with legal obligations, enforce our terms, and protect our rights and users.

We do not use the Services' content to train third-party foundation models. We may use aggregated, de-identified data to improve the Services.

3. Lawful Bases (UK GDPR / EU GDPR)

Where UK or EU data protection law applies, we rely on the following lawful bases:

  • Contract — to provide the Services you request and manage your account, API credentials, and billing.
  • Legitimate interests — to secure the Services, prevent abuse and fraud, maintain reliability, enforce our terms, understand aggregate usage, and develop products; balanced against your rights and freedoms.
  • Legal obligation — to comply with tax, accounting, anti-money-laundering, and other statutory requirements, and to respond to lawful requests.
  • Consent — where required, for non-essential cookies, marketing communications, and certain optional features. You may withdraw consent at any time.

4. Retention

We keep personal data only as long as necessary for the purposes described in this policy, then delete or anonymize it. Typical retention windows:

  • Account data — for the life of the account; deleted or anonymized within a reasonable period after account closure, subject to legal holds.
  • API request logs and security/audit logs — typically up to 13 months, longer where needed for abuse or fraud investigation.
  • Billing and tax records — retained for the period required by law (commonly 6–7 years in the UK).
  • Support correspondence — typically up to 24 months after the last interaction.
  • Marketing preferences and suppression lists — retained as long as needed to honor your choices.

5. Sharing and Processors

We share personal data with service providers acting as our processors under contractual safeguards, including:

  • cloud hosting, storage, and database providers;
  • authentication and identity providers;
  • payment processors and billing platforms;
  • email, SMS, and push-notification delivery;
  • analytics, error monitoring, logging, and fraud/abuse prevention;
  • customer support tooling and, where applicable, professional advisors (lawyers, accountants, auditors).

We may disclose data when required by law, court order, or regulatory request; to protect the safety, rights, and security of users and Passportbase; or in connection with a merger, acquisition, financing, or sale of assets (with appropriate safeguards and notice where required).

We do not sell personal data and we do not share personal data for cross-context behavioral advertising.

6. International Transfers

Passportbase is based in the United Kingdom and may process personal data in the UK, the European Economic Area, and other jurisdictions where our service providers operate.

Where we transfer personal data out of the UK or EEA to a country that is not subject to an adequacy decision, we rely on appropriate safeguards, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the EU SCCs, together with supplementary measures where needed.

7. Security

We implement administrative, technical, and organizational measures designed to protect personal data, including encryption in transit, access controls, role-based permissions, hashed credentials, audit logging, and monitoring. Full API key secrets are shown one time at creation and are stored only as hashes; we store limited metadata needed for verification, usage tracking, and lifecycle management.

No system is perfectly secure. If you believe your account has been compromised, contact [email protected].

8. Your Rights

Subject to applicable law, you may have rights to access, correct, delete, port, restrict, or object to processing of your personal data, and to withdraw consent where we rely on it. Under UK and EU GDPR you also have the right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner's Office (ICO).

To exercise rights, email [email protected]. We may need to verify your identity before responding and will reply within the statutory timeframe (one month under UK GDPR, extendable by two months for complex requests).

Where you are an end user of a product built on our API, please contact that product's operator first, as they act as the controller for their end-user data.

9. Children

The Services are available to users of all ages, but some features (such as billing and API access) are intended for adults. We do not knowingly collect personal data from children in a way that would require parental consent under applicable law without that consent having been obtained. If you believe we have collected personal data from a child contrary to this policy, contact [email protected] and we will take appropriate steps to delete it.

10. Cookies and Similar Technologies

We use cookies and similar technologies to:

  • Keep you signed in and maintain session state (strictly necessary);
  • Remember preferences such as language or display settings;
  • Measure usage in aggregate to understand performance and improve the Services (non-essential — consent-based where required);
  • Detect abuse and fraud and protect platform integrity.

You can control cookies through your browser settings and, where presented, through our cookie banner. Rejecting non-essential cookies will not break core functionality but may limit certain features.

11. Mobile Apps

Our mobile apps may collect device identifiers, crash diagnostics, push-notification tokens, and (with your permission) optional signals such as location used to tailor content. You can manage permissions through your device settings. App-store providers may also collect data under their own policies.

12. Automated Decision-Making

We do not use solely automated decision-making that produces legal or similarly significant effects on individuals. Guidance surfaced by the Services is informational and must not be used by customers to make such decisions without appropriate human review and independent verification against official government sources.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected on this page with an updated effective date and, where appropriate, additional notice. Your continued use of the Services after changes take effect constitutes acceptance.

14. How to Contact Us

Vexon Group LTD, trading as Passportbase. Registered in England & Wales.

Privacy queries: [email protected]
Legal queries: [email protected]
Security: [email protected]

If you are not satisfied with our response, you may complain to the UK Information Commissioner's Office at ico.org.uk, or to your local supervisory authority in the EEA.