> Privacy Policy
Last updated: 3 April 2026
1. Controller Identity
UtilsForAgents (“we”, “us”, “the Service”) is operated by:
[Your Legal Entity Name]
[Street Address]
[City, Postal Code, Country]
Email: privacy@utilsforagents.com
Where we process data on behalf of our API users (the “Customer”), the Customer is the data controller and we act as a data processor. See our Data Processing Agreement for details.
2. What Data We Process
UtilsForAgents is a stateless API service. We do not create user accounts, require login, or set cookies. The data we encounter falls into these categories:
| Data Category | Examples | Legal Basis (GDPR Art.) | Retention |
|---|---|---|---|
| API request payloads | JSON diffs, HTML, images, URLs | Art. 6(1)(b) — contract performance | Ephemeral — not stored after response |
| Image EXIF data | GPS coordinates, camera model, timestamps | Art. 6(1)(b) — contract performance | Ephemeral — processed in-memory only |
| Scraped image metadata | EXIF, XMP, ICC, IPTC data removed by /scrub-metadata | Art. 6(1)(b) — contract performance | Discarded immediately upon scrubbing |
| Server access logs | IP address, timestamp, request path, user-agent, status code | Art. 6(1)(f) — legitimate interest (security, abuse prevention) | 14 days |
| Error logs | Stack traces, request metadata (no payloads) | Art. 6(1)(f) — legitimate interest | 30 days |
3. Image Processing & Personal Data
Images uploaded to our endpoints may contain personal data embedded in EXIF metadata, including:
- GPS coordinates — precise location where the photograph was taken
- Date/time stamps — when the photograph was taken
- Device identifiers — camera make, model, serial number, lens info
- Software information — editing software used
- Creator/copyright fields — photographer name if embedded by device
How we handle this:
/v1/image/exif-summary— Reads EXIF data in-memory and returns a structured summary. The original image is never stored. Processing occurs entirely in an isolated Cloudflare Worker instance./v1/image/scrub-metadata— Strips all metadata (EXIF, XMP, ICC, IPTC) from the image and returns the cleaned binary. The original is never stored. This endpoint assists GDPR compliance by removing personal data from images before further distribution.
We never store, log, or persist image binary data or extracted EXIF content. All processing is ephemeral: data exists only for the duration of the HTTP request/response cycle in an isolated V8 isolate, then is garbage-collected.
4. URL Fetching & Third-Party Content
Endpoints that fetch remote URLs (/v1/html/fetch-markdown, /v1/text/fetch-content, /v1/url/metadata) make outbound HTTP requests on behalf of the caller. We:
- Do not cache or store fetched content beyond the request lifecycle
- Apply SSRF protections blocking requests to private networks, localhost, and cloud metadata endpoints
- Send a descriptive User-Agent header identifying the service
- Follow standard HTTP redirects (up to the platform limit)
The caller (data controller) is responsible for ensuring they have the right to fetch and process the target URL’s content.
5. No Cookies, No Tracking
UtilsForAgents does not:
- Set any cookies (first-party or third-party)
- Use browser fingerprinting or tracking pixels
- Embed third-party analytics, ads, or social widgets
- Perform cross-device tracking
- Use local storage or session storage
6. Sub-Processors
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Cloudflare, Inc. | Edge compute (Workers), CDN, DDoS protection | Global (data processed at nearest edge node) | Cloudflare DPA, EU SCCs, ISO 27001, SOC 2 Type II |
We will notify customers of any new sub-processor additions by updating this page and the DPA at least 30 days before engagement.
7. International Data Transfers
Cloudflare Workers execute at the edge location nearest to the caller. If the caller is in the EU/EEA, processing typically occurs within EU/EEA data centres. For transfers outside the EU/EEA, the following safeguards apply:
- EU Standard Contractual Clauses (SCCs) per Commission Decision 2021/914
- Cloudflare’s approved Binding Corporate Rules (BCR) for processor transfers
- Supplementary technical measures: all data encrypted in transit (TLS 1.2+), ephemeral processing with no persistent storage
8. Data Subject Rights
Under GDPR, you have the right to:
- Access (Art. 15) — request a copy of your personal data we hold
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — request deletion (“right to be forgotten”)
- Restriction (Art. 18) — restrict processing in certain circumstances
- Data Portability (Art. 20) — receive data in a machine-readable format
- Object (Art. 21) — object to processing based on legitimate interests
- Lodge a complaint with your local Data Protection Authority
Because UtilsForAgents is stateless and does not store request payloads, most data subject rights relating to API payloads are satisfied by design — we have no personal data to return, correct, or delete. For access log data, contact privacy@utilsforagents.com.
9. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| API request/response payloads | 0 — never stored | Garbage collected after request completes |
| Image binary data | 0 — never stored | Garbage collected after request completes |
| Server access logs | 14 days | Automatic rotation |
| Error/exception logs | 30 days | Automatic rotation |
10. Security Measures
- All API traffic encrypted via TLS 1.2+ (HTTPS enforced)
- Cloudflare Workers V8 isolate sandboxing — each request runs in an isolated context
- No persistent storage, databases, or file systems
- SSRF protection blocking internal network access
- Request size limits (5 MB upload, 2 MB remote fetch)
- Abuse-rate limiting at the edge (Cloudflare)
- No third-party JavaScript, no client-side tracking
11. Children’s Privacy
UtilsForAgents is a programmatic API service intended for developers and AI agents. We do not knowingly collect personal data from children under 16. If you believe a child has submitted personal data through our API, contact privacy@utilsforagents.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be noted with an updated “Last updated” date. Continued use of the Service after changes constitutes acceptance.
13. Contact
For privacy-related enquiries, data subject requests, or complaints:
privacy@utilsforagents.com
Data Protection Officer (if appointed):
[DPO Name] — dpo@utilsforagents.com