Privacy Policy
What we collect, what we don't, and how we handle your data.
Version 1.0 — Effective April 2, 2026
Data Controller
K01 ehf. (kt. 500223-0650, Hlyngerði 5, 108 Reykjavík, Iceland) is the data controller for the personal data described in this policy. For privacy matters, contact [email protected].
We don't deal in health data. K01 generates 100% synthetic patient records. We do not intentionally collect or store real patient data. If real data is submitted to the API accidentally, we will purge it promptly (see our Terms of Service). This policy covers your account and usage data only.
What We Collect
| Data | Purpose | Legal basis |
|---|---|---|
| Email, name, organization | Account management, invoicing. Email and name are required. Organization is optional. | Contract performance (GDPR Art. 6(1)(b)) |
| API request logs (endpoint, timestamp, parameters, response code, latency) | Enforce rate limits, troubleshoot errors, detect abuse. We do not log the content of generated FHIR records. | Legitimate interest (GDPR Art. 6(1)(f)) |
| IP address, browser, device | Security, abuse prevention | Legitimate interest (GDPR Art. 6(1)(f)) |
What We Don't Collect
The synthetic records generated through our API are not stored in our databases after delivery. Transient system logs may capture request metadata temporarily and are purged within 90 days.
Payment Data
All payments are handled by Paddle.com, our merchant of record. Paddle acts as an independent data controller for your billing data and processes your name, email, and payment details for invoicing and tax compliance under their own privacy policy. We never see or store your credit card details or payment credentials.
Cookies
We use a single cookie for authentication sessions. We do not use tracking cookies, advertising pixels, or third-party analytics.
Third Parties
We work with a limited number of service providers:
- Paddle (Paddle.com Market Ltd, Ireland). Independent data controller for payment processing and invoicing. See Paddle's privacy policy.
- Cloudflare (Cloudflare, Inc., US). Data processor for website hosting, CDN, and DDoS protection. Cloudflare processes IP addresses and HTTP request metadata as traffic passes through its network.
We do not sell your data to anyone. We do not share your data with advertisers. We do not use usage data for marketing profiling.
International Transfers
K01 ehf. is based in Iceland (EEA member) and stores account data on servers located in Iceland. However, some of our service providers may process data outside the EEA:
- Cloudflare routes traffic through a global network that includes US servers. Your IP address may be processed outside the EEA. Cloudflare maintains Standard Contractual Clauses (SCCs) for these transfers.
Where data is transferred outside the EEA, we ensure appropriate safeguards are in place under GDPR Article 46, including Standard Contractual Clauses.
Data Retention
Account data (name, email, organization) is retained while your account is active. If you close your account or request deletion, we will remove your account profile data within 30 days.
API request logs (endpoint, timestamp, parameters, response code, account ID, IP address) are personal data. These are retained for up to 90 days after creation for abuse detection and billing verification, then deleted or irreversibly anonymized. On account deletion, logs are anonymized (account ID and IP removed) within 30 days; the anonymized remainder may be retained for the full 90-day window.
Service-wide aggregate statistics (total API calls per month across all users, with no individual identifiers) may be retained indefinitely.
Data Breach Notification
In the event of a personal data breach, we will notify Persónuvernd (the Icelandic Data Protection Authority) within 72 hours as required by GDPR Article 33. If the breach is likely to result in high risk to your rights and freedoms, we will also notify you directly without undue delay.
Your Rights
If you are in the EU/EEA, UK, or Switzerland, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Export your data in a portable format (we provide account data and API usage history in JSON or CSV format)
- Restrict processing of your data
Right to object: Where we process your data based on legitimate interests (usage metrics, technical data), you have the right to object at any time. On receiving an objection, we will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests, such as active abuse detection or billing enforcement. To exercise this right, contact [email protected].
We will respond to all data subject requests within one month of receipt. For complex requests, this may be extended by up to two additional months, and we will notify you within the first month if an extension is needed.
To exercise any of these rights, contact [email protected].
Data Processing Agreements
Where K01 processes personal data on your behalf (e.g., your employees' account data), GDPR Article 28 requires a Data Processing Agreement (DPA). Our standard DPA is available to all customers regardless of subscription tier. Contact [email protected] to request a copy for counter-signature.
Supervisory Authority
You have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is:
Persónuvernd (Data Protection Authority of Iceland)
Rauðarárstígur 10, 105 Reykjavík, Iceland
www.personuvernd.is · [email protected]
Changes
We may update this policy from time to time. Material changes will be communicated via email at least 30 days before they take effect. The version number and effective date at the top of this page always reflect the latest version.
Questions about your data? Contact us at [email protected].