Stadar is a service of Mac Graver sp. z o.o., a Polish limited liability company with its registered office at ul. Montażowa 10, 43-300 Bielsko-Biała, Poland ("Stadar", "we", "us"). This policy explains what personal data we collect when you use the Stadar API or the stadar.net website, why we collect it, who we share it with, and what rights you have over it. Mac Graver sp. z o.o. is the data controller for the data described below, except where stated otherwise. We operate under the EU General Data Protection Regulation (Regulation (EU) 2016/679 — "GDPR") and, for personal data of UK residents, the UK GDPR.
1. What we collect
We collect only what we need to run the Service:
- Account data: email address, a bcrypt hash of your password (never the password itself), email-verification status, and account creation/update timestamps. If you sign in with GitHub, we also store your GitHub user ID; we do not receive or store your GitHub password.
- API keys: the keys themselves and metadata about their use — creation date, last used at, and the tier they're associated with.
- Usage logs: for each API request, we store the endpoint hit, the response status, the byte size, a timestamp, and the requesting IP address. We use these for rate-limit enforcement, abuse detection, billing reconciliation, and performance debugging.
- Billing data: handled by Polar Software Inc. ("Polar") as our Merchant of Record. We receive a customer ID, the plan you're on, your subscription status, and an obfuscated last-4 of any payment method. We do not receive or store your full card number, bank details, or billing address — those live with Polar.
- Support correspondence: emails you send to [email protected] and our replies, retained while the account is active and for two years after.
2. Why we collect it (lawful basis)
- Contract (Art. 6(1)(b) GDPR): to create your account, authenticate API calls, enforce your tier's quota, deliver the Service you've signed up for, and send transactional emails (welcome, key creation, quota nudges, payment failures).
- Legitimate interest (Art. 6(1)(f)): to detect and prevent abuse, secure the Service, debug incidents, and improve reliability. We've assessed that these uses don't override your interests because they are essential to running a multi-tenant API and use the minimum data needed.
- Legal obligation (Art. 6(1)(c)): where we're required to retain records by tax, accounting, or anti-fraud law.
We do not use your personal data for marketing without your consent, and we do not sell it. The API itself returns public esports data — it does not contain personal data about you.
3. Who we share it with
We share data only with the third parties needed to run the Service. Each one is bound by appropriate contractual safeguards.
- Polar Software Inc. (United States): Merchant of Record. Polar is an independent controller for payment data — your card and billing-address details flow to them, not to us. See polar.sh/legal/privacy.
- GitHub, Inc. (United States): if you choose GitHub OAuth, we receive your GitHub user ID and the primary email on your GitHub account. GitHub's own privacy policy governs what they pass to us.
- Email delivery provider: the provider we use to send transactional email processes your address and the email body in transit. They act as our processor under a data-processing agreement.
- Cloud hosting: our application, databases, and logs run on cloud infrastructure under processor agreements. Data is stored in encrypted form at rest.
- Law enforcement or regulators: if we receive a valid, legally binding request, we'll comply with the minimum disclosure required and, where lawful, notify you.
4. International transfers
Mac Graver sp. z o.o. is established in Poland and processes personal data primarily within the European Economic Area. Some of our processors (Polar, GitHub, cloud and email providers) are based in the United States or other countries outside the EEA. When we transfer your data outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) together with the recipient's own technical and organisational measures to ensure your data receives an equivalent level of protection. For personal data of UK residents transferred to non-UK recipients, the UK International Data Transfer Addendum to the EU SCCs applies.
5. How long we keep it
- Account data: for as long as your account is active. When you close it, we delete the row within 30 days, except where retention is required by law (e.g. tax records).
- API usage logs: 90 days at request-line granularity, then aggregated to daily totals for billing and capacity planning. Aggregated totals are retained for as long as the account is active.
- Billing data we hold: 5 years from the end of the fiscal year in which the invoice was issued, in line with the Polish Accounting Act and Tax Ordinance.
- Support correspondence: 2 years after the last message.
6. Your rights
Under the UK and EU GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data deleted (where we don't have a legal duty to keep it);
- restrict or object to certain processing;
- port your data to another provider in a structured, machine-readable format;
- withdraw any consent you've given (without affecting prior processing); and
- lodge a complaint with the Polish Data Protection Authority (Prezes Urzędu Ochrony Danych Osobowych — uodo.gov.pl), your local data-protection authority in your EU country of residence, or, if you are a UK resident, the UK Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, email [email protected] with "Privacy request" in the subject line. We respond within 30 days. Most account data is also exportable or deletable directly from the customer portal.
7. Cookies
stadar.net uses one strictly-necessary cookie: an HttpOnly, SameSite session cookie set after you sign in, used to authenticate subsequent requests. Closing the browser or signing out ends the session. We don't use cookies for advertising, profiling, or cross-site tracking, and we don't set non-essential cookies — so no consent banner is required. The API itself doesn't use cookies; API keys are sent in the Authorization header.
8. Security
Passwords are hashed with bcrypt. Connections are encrypted in transit (TLS). API keys are stored hashed and shown to you in plaintext only once at creation. Production access to user data is restricted to a small number of staff under least-privilege controls and logged. We don't store payment-card data — Polar does. Despite reasonable care, no service is fully immune to breach; in the unlikely event of one that risks your rights or freedoms, we'll notify UODO and affected users within the GDPR's 72-hour window.
9. Children
Stadar is a developer API for businesses and adults. We don't knowingly collect personal data from anyone under 16. If you believe a child has registered an account, email [email protected] and we'll delete it.
10. Changes
Material changes to this policy are announced on the changelog and emailed to active customers at least 14 days before they take effect. The effective date at the top of this page always reflects the current version.
11. Contact
Mac Graver sp. z o.o., ul. Montażowa 10, 43-300 Bielsko-Biała, Poland. Email [email protected] — mark privacy or data-protection enquiries with "Privacy" in the subject line and they'll be routed accordingly.