Privacy

CityAPI exists to serve geographic facts. It does not need personal data from users browsing the site or hitting the API anonymously. It doesn't collect any.

What we log

• IP address and User-Agent header, on every request, for 30 days. Used for rate-limit enforcement and abuse investigation. Legal basis: legitimate interest (GDPR Art. 6(1)(f)).
• Request path, status code, response time (operational metrics). Retained 30 days.

What we don't do

• No cookies. The website doesn't set any.
• No third-party analytics, no fingerprinting, no social-widget trackers.
• No cross-site tracking. No advertising.

Website analytics

We use a self-hosted, cookieless analytics tool to understand how visitors use our website. This tool does not use cookies, does not collect personal data, and does not track you across websites. All data is stored on servers we control.

We process this data under GDPR Article 6(1)(f) — legitimate interest in understanding website usage to improve our service. You can opt out at any time using the link in any page footer.

API keys (when enabled)

When API keys launch, requests made with a key will be associated with that key for rate-limit purposes. An email address is required to issue a key and is retained until the key is deleted.

Data processors

• Hetzner Online GmbH (hosting, Germany)
• Cloudflare, Inc. (CDN / DDoS protection; US, with EU data processing addendum)
• Self-hosted analytics (cookieless, no personal data collected, EU servers)

Your rights

Under the GDPR you may request access to, correction of, or deletion of your personal data. To do so, contact us at [email protected].

Changes

Material changes to this policy will be posted here with an updated date. Last updated: 2026-04-20.