Privacy Policy
Last updated: March 23, 2026
1. Introduction
PullAPI ("we," "our," or "us") respects your privacy and is committed to protecting the personal data we process. This Privacy Policy explains how we collect, use, store, and protect information when you visit our website at pullapi.com or use our web scraping APIs distributed through the RapidAPI marketplace.
This policy applies to two categories of individuals: visitors to the pullapi.com website and API customers who access our services through RapidAPI. By using our website or services, you acknowledge that you have read and understood this Privacy Policy.
2. Information We Collect
Website Visitors
When you visit pullapi.com, we collect only anonymized analytics data through Google Analytics. This includes:
- Anonymized IP address (last octet removed)
- Pages visited and time spent on each page
- Referrer URL (how you arrived at our site)
- Device type, browser, and operating system
- Approximate geographic location (country/city level)
We do not set any first-party cookies on pullapi.com. There is no account registration, login, or contact form on our website. We do not collect names, email addresses, or any other personally identifiable information from website visitors.
API Customers via RapidAPI
When you use our APIs through the RapidAPI marketplace, we collect:
- API usage data (endpoints called, request frequency, subscription tier)
- Request logs including endpoint, parameters, timestamps, response status codes, and response times
- RapidAPI proxy IP addresses (the IP addresses of RapidAPI's infrastructure, not your personal IP address)
- Credits consumed and cache hit/miss status
We do not collect or have access to your payment information, personal contact details, or RapidAPI account credentials. All billing and authentication are handled entirely by RapidAPI. Please refer to RapidAPI's Privacy Policy for information about how they handle your data.
Request Logging
Each API request is logged with the following data for operational and debugging purposes:
- Unique request ID (UUID)
- Endpoint called and request parameters
- HTTP status code and response time
- Credits consumed and cache status
- Timestamp
All logged IP addresses are RapidAPI proxy IPs, not your personal IP address. Request logs are retained for 90 days and then automatically deleted.
3. How We Use Information
We use the information we collect for the following purposes:
- Service operation: Processing API requests, delivering scraped data, and maintaining service availability.
- Debugging and troubleshooting: Identifying and resolving errors, tracking request failures, and diagnosing performance issues using request IDs and logs.
- Usage analytics: Understanding which endpoints are most used, monitoring success rates, and measuring response times to improve service quality.
- Capacity planning: Forecasting infrastructure needs based on usage patterns and growth trends.
- Abuse detection: Identifying unusual request patterns that may indicate misuse, scraping of our own API, or violations of our Acceptable Use Policy.
- Service improvement: Developing new features, optimizing scraper performance, and improving overall reliability based on aggregated usage data.
We do not use collected data for advertising, profiling, or automated decision-making that produces legal effects.
4. Data We Scrape on Behalf of Users
PullAPI collects publicly available data from third-party websites in response to API requests made by our customers. This data may include business listings, property information, public profiles, reviews, pricing, and other publicly accessible information depending on the specific API endpoint used.
Scraped data is:
- Returned directly to the requesting customer in the API response
- Temporarily cached in Redis for 15 minutes to 1 hour (depending on data type) to reduce redundant requests and improve response times
- Automatically expired and deleted from cache after the TTL period
- Not stored permanently, aggregated, or analyzed by PullAPI beyond the cache period
For the purposes of data protection law, PullAPI acts as a data processor when scraping data on behalf of customers. The customer who initiates the API request is the data controller and is responsible for ensuring their use of any personal data contained in scraped results complies with applicable data protection laws, including obtaining any necessary legal basis for processing.
PullAPI does not independently use, sell, share, or analyze the data scraped on behalf of its customers. We do not build databases or profiles from scraped results.
5. Data Sharing
We do not sell your personal data. We do not share personal data with third parties for their own marketing purposes.
We share data only with the following categories of service providers who assist in operating our service:
- Hetzner Online GmbH (Nuremberg, Germany) — Cloud hosting infrastructure. Our servers, database, and cache are located in Helsinki, Finland.
- Cloudflare, Inc. (San Francisco, USA) — CDN, DDoS protection, and DNS services for pullapi.com.
- Google LLC (Mountain View, USA) — Website analytics via Google Analytics on pullapi.com.
- RapidAPI, Inc. (San Francisco, USA) — API marketplace through which customers access our services. RapidAPI handles all authentication and billing.
We may also disclose information if required by law, court order, or government request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify affected users of any such transfer through our website.
6. Data Security
We implement appropriate technical and organizational measures to protect the data we process:
- Encryption in transit: All communications with pullapi.com and api.pullapi.com are encrypted using TLS (HTTPS). We use Let's Encrypt certificates with automatic renewal.
- Access controls: Server access is restricted to authorized personnel via SSH key authentication. Database and cache access is limited to the application layer with no public exposure.
- No payment data: We do not store, process, or have access to any payment card information. All billing is handled by RapidAPI.
- Cache auto-expiration: All cached data in Redis is stored with a time-to-live (TTL) and is automatically purged after expiration. No manual intervention is required for data deletion.
- Database security: PostgreSQL request logs are stored on encrypted volumes with restricted access. Logs are purged on a rolling 90-day schedule.
While we take reasonable steps to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain data only as long as necessary for the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| API request logs | 90 days, then automatically deleted |
| Cached API responses | 15 minutes to 1 hour, auto-expiry via Redis TTL |
| Website analytics | 14 months (per Google Analytics default retention) |
| Endpoint health metrics | Rolling, overwritten on each request |
8. Your Rights Under GDPR
If you are a resident of the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request that we correct any inaccurate or incomplete personal data.
- Right to erasure: You may request that we delete your personal data where there is no compelling reason for its continued processing.
- Right to restriction: You may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability: You may request a copy of your data in a structured, commonly used, and machine-readable format.
- Right to object: You may object to the processing of your personal data where we rely on legitimate interests as our legal basis.
You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.
To exercise any of these rights, please contact us at privacy@pullapi.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.
Our legal basis for processing personal data depends on the context: performance of a contract (API service delivery), legitimate interests (debugging, security, service improvement), and consent (Google Analytics, which you can opt out of using browser settings or extensions).
9. Your Rights Under CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the third parties with whom we share it.
- Right to delete: You may request that we delete any personal information we have collected about you, subject to certain exceptions.
- Right to opt-out of sale: We do not sell personal information. We have not sold personal information in the preceding 12 months.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise your rights, contact us at privacy@pullapi.com. We will verify your identity and respond within 45 days as required by the CCPA.
10. Cookies
PullAPI sets no first-party cookies on pullapi.com.
The only cookies on our website are set by Google Analytics, a third-party analytics service provided by Google LLC. These cookies (such as _ga and _ga_*) are used to distinguish unique visitors and track session information. They are analytics cookies only.
We do not use any advertising cookies, retargeting cookies, social media tracking cookies, or other third-party tracking technologies.
You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, or by configuring your browser to block third-party cookies.
11. International Data Transfers
Our primary infrastructure is hosted by Hetzner Online GmbH in Helsinki, Finland, within the European Union. Data processed by our servers, including API request logs and cached responses, is stored in the EU.
Some of our service providers (Cloudflare, Google, RapidAPI) are based in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards including:
- The EU-US Data Privacy Framework for certified US organizations
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission for transfers to countries with equivalent data protection standards
If you have questions about international data transfers, please contact us at privacy@pullapi.com.
12. Children's Privacy
PullAPI's services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe that a child under 16 has provided personal data to us, please contact us at privacy@pullapi.com and we will take steps to delete such information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The "Last updated" date at the top of this page indicates when the policy was most recently revised.
For material changes that significantly affect how we process your personal data, we will provide prominent notice on our website prior to the changes taking effect. We encourage you to review this page periodically to stay informed about our privacy practices.
14. Contact
If you have any questions about this Privacy Policy, your personal data, or wish to exercise your data protection rights, please contact us:
PullAPI
Email: privacy@pullapi.com
We aim to respond to all privacy-related inquiries within 30 days.