Compliance
Minimal data, clear terms.
GeoIPHub processes IP addresses, not people. Request logs live for your plan's retention window and are then deleted. Every sub-processor is published. That is the whole posture, written down, not implied.
Data minimization
The API analyzes IP addresses, not people. A lookup returns network-level facts (geolocation, ASN, detection flags, and scoring) aggregated from public sources like RIR registries, published provider APIs, and open threat feeds. We do not build profiles of individuals.
Retention you control by plan
Request logs (timestamp, queried IP, key used, response status) are retained for your plan's window (7 days on Free, 30 on Starter, 365 on Business, custom on Enterprise), then deleted automatically. Nothing is kept longer than the window you pay for.
GDPR-conscious by design
We collect the minimum account data needed to run the service, honor access, correction, deletion, and portability requests, and respond to privacy inquiries within 30 days. Where data crosses borders, we rely on Standard Contractual Clauses.
Transparent sub-processors
Every third party that touches customer data is listed in our privacy policy: hosting, database, CDN, email, and payments. No hidden processors, no data resale. Data-processing terms are available for Enterprise agreements; contact us.
The documents
The full sub-processor list, retention details, and your rights under GDPR and CCPA are in the privacy policy. For data-processing terms on Enterprise agreements, contact us.