API Privacy Policy
Effective Date: 15th May 2026
This policy explains how Mwmbl Foundation, a private company limited by guarantee registered in the United Kingdom (“Mwmbl”, “we”, “us”), collects, processes, and protects personal data in connection with your use of the Mwmbl Search API. It applies to API users and supplements the general Data Privacy Policy which covers use of the Mwmbl website. We process personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller
Mwmbl Foundation is the data controller for personal data processed in connection with the API. Contact: info@mwmbl.org.
Information We Collect
When you register for and use the API, we may process the following categories of personal data:
Account data
- Name, email address, and username provided at registration.
API usage data
- API key identifiers (not the key value itself after initial creation).
- Request timestamps and monthly request counts, used to enforce quotas and rate limits.
- IP addresses associated with API requests, held transiently in memory and not written to persistent storage.
- Search queries submitted via the API are not logged or retained.
Billing data
For paid plans, payment is processed by Polar.sh acting as our payment processor. Mwmbl does not receive or store payment card details. We receive and retain the Polar customer identifier, subscription status, current plan, and billing period dates in order to manage your account.
Lawful Basis for Processing
| Purpose | Lawful basis |
|---|---|
| Providing API access and enforcing quotas | Contract — Article 6(1)(b) UK GDPR |
| Managing billing and subscriptions | Contract — Article 6(1)(b) UK GDPR |
| Security, fraud prevention, and abuse detection | Legitimate interests — Article 6(1)(f) UK GDPR |
| Compliance with legal obligations | Legal obligation — Article 6(1)(c) UK GDPR |
| Responding to account or support enquiries | Legitimate interests — Article 6(1)(f) UK GDPR |
Data Sharing
Mwmbl does not sell or commercially exploit your personal data. We share data only in the following circumstances:
- Polar.sh: As our payment processor, Polar.sh receives the data necessary to create and manage your subscription. Polar.sh's own privacy policy governs their use of that data.
- Infrastructure subprocessors: hosting, error tracking, email delivery, and backups, each acting as a data processor under contract with Mwmbl.
- Legal authorities: where required to comply with applicable UK law or a lawful request.
Data Retention
| Data | Retention period |
|---|---|
| Account data | Duration of account, plus 12 months after closure |
| Monthly usage counters | Automatically expire after 35 days |
| Billing records | 7 years (statutory accounting obligation) |
| Support correspondence | 2 years after resolution |
Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Right to Access (Article 15): Request a copy of the data we hold about you.
- Right to Rectification (Article 16): Request correction of inaccurate data.
- Right to Erasure (Article 17): Request deletion of your data, subject to legal retention obligations.
- Right to Restriction of Processing (Article 18): Request that we limit how we use your data.
- Right to Data Portability (Article 20): Request a structured, machine-readable copy of your data.
- Right to Object (Article 21): Object to processing based on legitimate interests.
To exercise any of these rights, contact info@mwmbl.org. We will respond within one month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
Data Security
Mwmbl implements appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit (TLS) and at rest.
- Access controls limiting data access to authorised personnel only.
- Use of transient in-memory storage for rate-limit and quota counters to minimise persistent data exposure.
- In the event of a personal data breach, we will notify affected individuals and the ICO as required under UK GDPR Articles 33–34.
International Transfers
Personal data processed in connection with the API is not transferred outside the United Kingdom or European Economic Area, except to the extent that any subprocessor infrastructure operates in jurisdictions covered by a UK adequacy decision or appropriate safeguards.
Changes to This Policy
We may update this policy as the service evolves. Significant changes will be communicated by email or via your account dashboard prior to taking effect.
Contact
For privacy-related enquiries, contact info@mwmbl.org.