Last updated: January 20, 2026

1. Controller

Legendum Ltd
Registered office: 1 Approach Road, London, SW20 8BA, United Kingdom
Email: kevin@legendum.co.uk
Company No: 03168144

(Data protection governed primarily by UK GDPR; EU GDPR applies extraterritorially to EU/EEA data subjects where relevant. No Data Protection Officer required – low-risk processing.)

2. Personal Data Processed

- Email address (collected at signup/account creation).
- Pseudonymized internal account identifiers (no direct names or other identifiers linked).
- Anonymized IP addresses (truncated/masked so re-identification is not reasonably possible; not treated as personal data).

No other personal data is collected or stored.

3. Purposes of Processing

- Deliver your API token (initial issuance or reset).
- Send notifications when your quota is low and requires topping up (to support service continuity and usage).

These are essential transactional/service communications, not marketing.

4. Lawful Basis

Legitimate interests – Article 6(1)(f) UK GDPR / EU GDPR.

Legitimate interests pursued:
- Providing the API service by securely delivering access tokens.
- Maintaining service functionality and user experience by alerting users to low quotas (preventing unexpected interruptions, supporting fair usage and business sustainability).

Necessity: Email is a standard, low-impact, expected method for these communications. No less intrusive alternative achieves the same reliably.

Balancing: Users reasonably expect these emails when providing their email for an API service. Impact is minimal (infrequent, non-promotional, no profiling). Interests of users do not override ours in this context. You can object to quota notifications (see rights below), though this may affect service awareness.

(Internal Legitimate Interests Assessment documented and available on request.)

5. Recipients

- No sharing with third parties except:
  - Email delivery processors (Google Cloud EMEA Limited, Dublin, Ireland)
- No other recipients.

6. International Transfers

Limited. Processing occurs on servers in Germany (EEA). Transfers from the UK to the EEA benefit from adequacy recognition under UK GDPR – no additional safeguards (e.g., IDTA or SCCs) required.

7. Retention Period

- Email address stored as long as your account is active.
- Deleted upon account deletion or after 18 months of inactivity (unless you re-engage).
- Pseudonymized/anonymized data follows same retention.

8. Your Rights (Articles 15–22 UK GDPR / EU GDPR)

You have the right to:
- Access: Confirm if we hold your email and request a copy.
- Rectify: Update your email if incorrect.
- Erase: Request deletion of your email/account ("right to be forgotten").
- Restrict processing: In limited cases.
- Object: To processing based on legitimate interests (e.g., opt out of quota notifications via email to kevin@legendum.co.uk; we will stop unless compelling grounds apply).
- Data portability: Receive your email in structured format.

All requests are free and handled within 1 month. Contact us at kevin@legendum.co.uk.

9. Right to Lodge a Complaint

You may complain to:
- The UK's Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint
- Or your local supervisory authority in the EU/EEA if you're an EU/EEA resident: https://edpb.europa.eu/about-edpb/board/members_en

10. Security

- Data encrypted in transit (TLS) and at rest.
- Access strictly limited.
- Pseudonymization and IP anonymization applied.
- Breach notification plan in place (report to authority within 72 hours if high risk).

11. No Automated Decision-Making / Profiling

None used. Providing your email is necessary to receive the API token and quota notifications. Without it, we cannot deliver these service elements.

Contact us with questions at kevin@legendum.co.uk