fetchlayer.dev Sign in Legal
Privacy Policy
Last updated: May 28, 2026
1. Who We Are
"FetchLayer", "we", "us", and "our" refer to HootCodes LTD and the FetchLayer product, service, website, and API it operates. "You" and "your" refer to the person or entity using the service.
FetchLayer is operated by HootCodes LTD, Sofia Center, Aleksandar Stamboliyski Blvd 55, 4, Sofia 1000, Bulgaria.
For privacy questions or data rights requests, contact privacy@hoot.codes. For general support, contact support@hoot.codes.
Data Protection Officer: HootCodes LTD does not currently appoint a formal Data Protection Officer, as it does not meet the mandatory DPO appointment thresholds under GDPR Article 37. For all data protection matters, contact privacy@hoot.codes.
2. Scope of This Policy
This Privacy Policy explains how we collect, use, store, and disclose personal data when you use FetchLayer, including the website, account system, API, billing, support channels, and related tools.
For account administration, security, billing, and core service operations, we act as a data controller. When you use the service to fetch or analyze public third-party content, you are responsible for determining whether your own use of that data has an appropriate legal basis and complies with applicable law.
3. Data We Collect
Account and identity data
- email address;
- name or display name, if provided;
- authentication metadata such as sign-in events, session identifiers, and verification tokens.
Billing and commercial data
- subscription or plan information;
- billing status, invoices, transaction references, and payment-related metadata from our payment provider;
- customer support messages relating to billing or contracts.
Technical and usage data
- IP address, device/browser metadata, timestamps, and request logs;
- API key metadata and usage metrics such as endpoint, request time, and status code;
- security and fraud-prevention events.
Service input and output
- request parameters you submit to the API (such as search queries, subreddit names, and URLs) are processed strictly in-memory to fulfill your request and are never written to disk, logs, or any persistent store;
- public third-party content returned in response to your requests passes through our systems transiently to deliver your API response and is not stored, cached, or retained after delivery;
- for billing and abuse-prevention purposes, we record only: user ID, API key ID, endpoint name, HTTP status code, response latency, and timestamp — we do not log your query parameters, request body, or response content;
- support attachments or troubleshooting information you choose to send us.
4. Where the Data Comes From
- directly from you when you create an account, contact us, or call the API;
- automatically from your browser, device, or session when you use the service;
- from service providers involved in authentication, payment processing, email delivery, and infrastructure;
- from public third-party sources when you instruct the service to fetch content.
5. Why We Process Personal Data
- to create and secure accounts;
- to deliver API responses, dashboards, and related features;
- to measure usage, apply quotas, detect abuse, and enforce rate limits;
- to process payments, invoices, and plan changes;
- to provide customer support and respond to legal or privacy requests;
- to maintain service security, reliability, and incident response;
- to comply with legal obligations and defend our rights.
6. Legal Bases
Where the GDPR applies, we typically rely on the following legal bases:
- Contract: to provide the services you request, manage your account, and process paid access.
- Legitimate interests: to secure the service, prevent fraud and abuse, improve reliability, and manage business operations.
- Legal obligation: to comply with tax, accounting, law-enforcement, or regulatory requirements.
- Consent: where we specifically ask for consent, such as for non-essential communications or technologies, if any.
7. Scraping-Related Privacy Points
Public web content can still contain personal data. If you use FetchLayer to search, monitor, export, or analyze public content about individuals, you are responsible for deciding whether that use is permitted under applicable law and whether you have an appropriate legal basis.
You must not use FetchLayer to create unlawful dossiers, perform unlawful surveillance, or make prohibited decisions about people in areas such as employment, housing, credit, insurance, health, education, or similar regulated contexts.
Your role as a data controller
When you use FetchLayer to collect or process personal data about third parties (e.g., Reddit usernames, post authors, or any identifiable information within content), you become a data controller for that processing under applicable data protection laws. You are independently responsible for having a legal basis, providing appropriate notices, honoring data subject rights, and complying with all applicable data protection obligations.
Data broker considerations
Depending on your jurisdiction and use case, if you use FetchLayer to systematically collect and resell personal information, you may be classified as a data broker under laws such as the California Delete Act (SB 362), Vermont's data broker law, or similar legislation. It is your responsibility to determine whether data broker registration or other regulatory requirements apply to your business.
8. Sharing and Processors
We may share personal data with service providers that help us operate FetchLayer, such as infrastructure providers, email delivery providers, authentication providers, and billing/payment processors. Based on the current implementation, these may include providers such as Postmark for transactional email and Polar for billing.
We may also disclose information when required by law, to enforce our agreements, to prevent harm, or in connection with a corporate transaction.
9. International Transfers
We are based in Bulgaria, but some service providers may process data in other countries. Where required, we seek to use appropriate transfer mechanisms and contractual safeguards.
10. Data Retention
- account and billing records are retained while your account is active and for a reasonable period afterward as needed for legal, accounting, and dispute purposes;
- short-lived sign-in verification records expire quickly and are deleted in the normal course of operation;
- security, logging, and usage records are retained for as long as reasonably necessary to operate, secure, and improve the service;
- we may retain some information longer where required by law or to establish, exercise, or defend legal claims.
Third-party content (Reddit data)
FetchLayer operates as a real-time pass-through service. We do not store, cache, index, or archive Reddit posts, comments, user profiles, or any other third-party content. Content is fetched from public sources at the time of your API request, structured, delivered to you, and not retained on our systems. We do not maintain a searchable database of scraped content. Accordingly, we cannot comply with deletion or access requests regarding third-party Reddit content because we do not hold it.
In-memory processing
User queries, request parameters, and MCP context tokens are processed strictly in-memory for the duration of each request. They are never written to disk, application logs, or persistent storage. Once a response has been delivered, no trace of your request payload remains on our systems.
11. Security
We use technical and organizational measures designed to protect personal data, including access controls, rate limiting, logging, and secure service providers. No system is perfectly secure, and we cannot guarantee absolute security.
12. Cookies and Similar Technologies
FetchLayer currently uses cookies and similar technologies primarily for strictly necessary purposes such as authentication, session continuity, CSRF protection, and account security.
- Strictly necessary cookies do not require opt-in consent in the same way as analytics or marketing cookies, but we still disclose them here for transparency.
- At the time of this policy, the core service is not presented as relying on advertising cookies or third-party marketing cookies.
- If we later add non-essential analytics, personalization, or marketing technologies, we may update this policy and add additional consent controls where required.
13. Your Rights
Depending on your location and applicable law, you may have rights to access, correct, delete, restrict, object to, or port your personal data, and to withdraw consent where processing is based on consent.
To exercise a privacy right, contact privacy@hoot.codes. We may need to verify your identity before fulfilling a request.
California residents (CCPA/CPRA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete, and the right to opt out of the sale or sharing of personal information.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. FetchLayer does not operate as a data broker. We do not maintain databases of personal information for sale or licensing to third parties.
To exercise your California privacy rights, contact privacy@hoot.codes.
Right to object (GDPR Article 21)
Where we process your personal data based on legitimate interests, you have the right to object at any time. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or where the processing is necessary for the establishment, exercise, or defense of legal claims.
14. Complaints
If you believe we have handled your personal data unlawfully, please contact us first. If you are in the EEA or UK, you may also have the right to lodge a complaint with a competent data protection authority.
For Bulgaria, the competent authority is:
Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Website: www.cpdp.bg
Email: kzld@cpdp.bg
15. Statutory or Contractual Requirement to Provide Data
Providing your email address and accepting our Terms of Service is a contractual requirement necessary to create an account and use the service. If you do not provide this information, we cannot provide you with an account or API access.
Billing information is required as a contractual necessity to process paid subscriptions or credit purchases. Technical data (such as IP address and request metadata) is collected automatically as part of service operation and cannot be opted out of while using the service.
16. Automated Decision-Making
FetchLayer may use automated systems to enforce rate limits, detect abuse patterns, and apply usage quotas. These systems operate based on usage metrics (request counts, frequency, error patterns) and do not produce legal or similarly significant effects on you beyond access management.
We do not use automated decision-making or profiling that produces legal effects or significantly affects you in areas such as creditworthiness, employment, or eligibility decisions. If this changes in the future, we will update this policy and provide appropriate safeguards as required by law.
17. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we may update the date above and, where appropriate, provide additional notice.