We process the minimum personal data needed to operate an API company. No tracking pixels, no ad networks, no third-party analytics.
ENTYLINK LTD is the data controller for account and billing data processed through entylink.com. You can reach us at hello@entylink.com for privacy requests and data-subject rights.
Account data: email address, hashed password, plan, and usage counters.
Billing data: the Lemon Squeezy customer and subscription identifiers, invoice history, and tax residency — we do not see or store card numbers.
Operational logs: API request metadata (timestamp, endpoint, company number queried, response code, response time, cache status). Request bodies and query strings beyond the company number are not stored.
Cookies & local storage: a single opaque session token used for dashboard auth. We do not set third-party tracking or analytics cookies.
Queries you make against Entylink return information about UK registered companies, their officers, and persons of significant control. Those records originate with Companies House and are public under the Open Government Licence v3.0. We cache and serve that public data for performance and reliability.
To provide the service (authentication, quota accounting, billing).
To manage free trials — we record the trial start date and plan to enforce the 7-day window and apply the correct billing conversion. Trial status is stored alongside your account record and deleted when your account is deleted.
To detect abuse, debug errors, and improve response times — operational logs are retained for 90 days.
To send service-critical email (quota warnings, billing receipts, trial expiry reminders, security notices). We do not send marketing email to accounts without an opt-in.
To comply with legal obligations (tax records, court orders).
We rely on Article 6(1)(b) UK GDPR (contract) for account and billing processing, Article 6(1)(f) (legitimate interests) for abuse detection and service improvement, and Article 6(1)(c) (legal obligation) for tax and regulatory retention.
Lemon Squeezy — payments, invoicing, tax.
Hostinger (EU) and our VPS provider — infrastructure hosting. Data resides in the UK/EU.
Companies House — the origin of the public company records surfaced by the API. We do not push any personal data about you to them.
Law enforcement or regulators when compelled by a valid request.
Account and billing data is stored in the UK/EU. Limited metadata may transit through US-based sub-processors (e.g. for fraud screening at Lemon Squeezy). Where such transfers occur we rely on the UK International Data Transfer Addendum or equivalent safeguards.
Account records: until you delete your account plus 30 days of backup aging.
Billing records: 7 years (statutory requirement).
API request logs: 90 days rolling.
Webhook endpoint URLs and signing secrets: while the webhook is active; deleted within 30 days of removal.
Under UK GDPR you have the right to access, correct, delete, restrict, or port your personal data, and to object to processing based on legitimate interests. Email hello@entylink.com with subject DSAR; we respond within 30 days. You also have the right to complain to the ICO at ico.org.uk.
API keys are stored only as SHA-256 hashes — we cannot recover a lost key, only revoke it. Passwords use bcrypt. Transport is TLS 1.2+. We run no public-facing test environments, and staging data is synthetic.
Entylink is a B2B service and not intended for anyone under 18. We do not knowingly process personal data of children.
Material changes to this policy will be announced by email at least 14 days before they take effect. The last-updated date above reflects the current version.