Privacy Policy

Last Updated: April 4th, 2025

Caddey (the "Service") is a software-as-a-service platform operated by JQP Holding B.V., a company based in the Netherlands. We are committed to protecting your privacy. This Privacy Policy explains what personal data we collect from users of Caddey, how we use and share it, and your rights regarding that data. It applies to all users of Caddey worldwide, including individual consumers and business users.

By using Caddey, you agree to the collection and use of information as described in this Policy, in accordance with applicable data protection laws. We encourage you to read this Privacy Policy carefully, alongside Caddey's Terms and Conditions, to understand our practices.

Personal Data We Collect

We collect various types of personal information when you use our Service:

Account Information: When you register for Caddey, we collect information such as your name, email address, and login credentials. If you create a business account, we may also collect your company or organization name and contact details.
Billing Information: If you purchase a paid plan, we collect billing details such as your billing address and, if applicable, company VAT or tax IDs for invoicing. Payment card information (credit or debit card numbers, expiration date, etc.) is not stored on our servers – it is sent directly to our payment processor, Stripe, which handles your payment data securely.
Usage Data: We automatically collect information about how you access and use Caddey. This includes your IP address, browser type, device information, pages or features you use, date and time of access, and other usage statistics. We also collect log data on actions within the platform (e.g. file uploads or API tool usage) to monitor performance and troubleshoot issues.
Cookies and Tracking: Like most websites, we use cookies and similar tracking technologies to provide and improve our Service. Cookies are small text files stored on your device that help the site function or gather analytical data. You can control cookies through your browser settings; however, disabling cookies may affect certain functionality of Caddey.
Content You Provide: When you use Caddey, you may upload OpenAPI specification files or other data. These files may contain information you choose to include. We store and process this content to provide the Service to you. If any personal data is included in the content you upload, it will be handled as described in this Policy.

How We Use Your Data

We use the collected personal data for the following purposes:

Providing the Service: To operate Caddey and provide you with the features and services you request. For example, we use your information to create and manage your account, host your uploaded API specifications, and generate AI tools as requested.
Payment Processing: To process subscription fees or other payments for Caddey’s services. Payments are handled via Stripe, which uses your payment information to complete transactions on our behalf. We only receive confirmation of payment and basic details (like the last four digits of your card or payment status) needed for record-keeping.
Communication: To communicate with you about your account and the Service. This includes sending administrative emails (e.g. confirmations, updates, security or support messages) and responding to your inquiries. If you have opted in to marketing communications, we may send newsletters or product updates; you can opt out at any time.
Improvement and Analytics: To understand how users interact with Caddey and to improve our platform. We analyze usage data (often in aggregated form) to troubleshoot issues, develop new features, and enhance user experience.
Security and Fraud Prevention: To monitor, prevent, and detect fraud, abuse, or other suspicious activities. We may use personal data (like IP addresses or activity logs) to keep the Service secure, protect against illegal activity, and enforce our Terms and Conditions.
Legal Compliance: To comply with applicable laws, regulations, and legal processes. For example, we may use and retain certain information for tax reporting, accounting, or to fulfill legal obligations.

Third-Party Service Providers

We share your data with a few trusted third-party service providers who help us run Caddey. These providers process data only for the purposes of providing their services to us, under strict confidentiality and security obligations. Our key service providers are:

Stripe (Payments): We use Stripe to process credit/debit card payments. When you enter payment information, it is transmitted directly to Stripe. Stripe handles and stores your payment details in accordance with their security standards and privacy policy. Caddey does not store your sensitive payment card data.
Microsoft Azure (Hosting): Caddey is hosted on Microsoft Azure cloud infrastructure. This means the personal data and files you store in Caddey are saved on Azure’s servers. Microsoft Azure acts as our data processor for hosting and storing data.
Cloudflare (Security and CDN): We use Cloudflare for content delivery and security. Cloudflare helps deliver Caddey’s content quickly to users around the world and provides security services such as DDoS protection and a web application firewall. Personal data (like IP addresses and requests) may pass through Cloudflare’s systems for these purposes.

We ensure that all these service providers are bound by appropriate data protection obligations. They only receive the information necessary to perform their functions and are not permitted to use your data for any other purposes.

Caddey does not sell your personal information to third parties. However, we may disclose personal data in certain situations:

Legal Requirements: If we are compelled by law or legal process to disclose your data, we will do so. For example, we may provide information in response to a court order, subpoena, or a lawful request by public authorities. We may also disclose data when we believe in good faith that it's necessary to comply with a legal obligation, protect our rights or the safety of our users, investigate fraud or security issues, or respond to government requests.
Business Transfers: If Caddey or JQP Holding B.V. is involved in a merger, acquisition, bankruptcy, or sale of all or a portion of its assets, your personal data may be transferred to the new owner as part of that transaction. In such cases, we will ensure the successor honors the commitments we have made in this Privacy Policy or will notify you if they intend to use your data differently.
With Your Consent: We may share your information with third parties in other circumstances if you give us explicit consent to do so. For example, if you opt in to a feature or integration that requires sharing data with another service, we will do so only with your authorization.

Third-Party Data and Caddey as a Processor

Caddey enables you to connect to external APIs and upload data, which may include personal data about third parties (for example, information about your end-users or customers processed through an API). In such cases, you are the entity determining the purpose of that data (you are the "data controller"), and Caddey acts only as a "data processor" on your behalf. This means:

You are responsible for ensuring that you have the legal right to use and transfer that third-party personal data to our Service. This includes obtaining any necessary consents or providing any required notices to the individuals whose data you are processing via Caddey.
Caddey will process the data you upload or connect only to provide the services you have requested. We will follow your instructions and will not use third-party personal data for our own purposes. We do not monitor or access the content of your connected API data except as needed to operate and support the Service (for example, to troubleshoot technical issues) or as required by law.
As a processor, Caddey implements appropriate technical and organizational measures to protect any third-party personal data you process through our platform. We will not disclose it to others except as needed to provide the service (for instance, to our sub-processors like Azure or Cloudflare) or as required by law, mirroring the restrictions described elsewhere in this Privacy Policy.
If you are subject to GDPR or similar laws and require a formal Data Processing Agreement (DPA) with us for using Caddey as a processor of third-party data, please contact us. We are prepared to sign a DPA and assist you in meeting your compliance obligations.

If you are an individual in the European Economic Area (EEA) or United Kingdom, Caddey processes your personal data under the legal bases established by the General Data Protection Regulation (GDPR):

Performance of a Contract: Most of our data processing is to provide you with the Caddey service you requested. For example, we need to process your name and email to create your account and provide access, and your uploaded content to deliver the tool-generation functionality. This processing is necessary for the performance of our contract with you.
Legitimate Interests: We may process data as needed for our legitimate business interests, provided those interests are not overridden by your data protection rights. For instance, we have a legitimate interest in understanding how the Service is used (to improve it), in securing our platform, and in sending you service-related communications. When we rely on this basis, we ensure that we consider and balance any potential impact on you and your rights.
Consent: We will ask for your consent before using your personal data for certain purposes when required by law. For example, if we want to use your email for marketing communications in a jurisdiction that requires consent, we will obtain your consent (and you can withdraw it at any time).
Legal Obligation: In some cases, we need to process personal data to comply with our legal obligations. For example, we may retain transaction records for tax and accounting purposes or provide information to authorities if legally required.

International Data Transfers

Caddey is operated from the Netherlands, but we may process and store your data on servers located in other countries. Specifically, our use of Azure and Cloudflare means your personal data might be transferred to or accessed from jurisdictions outside of your own. For example, data may be transmitted to or through servers in the United States or other locations where our service providers maintain facilities.

Whenever we transfer personal data outside of the EEA (or other regions with data protection laws), we take steps to ensure appropriate safeguards are in place. These safeguards may include standard contractual clauses approved by the European Commission, transferring data to recipients in jurisdictions deemed adequate by the EU, or other lawful mechanisms. We will ensure that your data is treated securely and in accordance with this Privacy Policy, and no transfer will occur to an organization or a country unless there are adequate controls in place to protect your information.

If you are located outside of the EU/EEA, please note that by using Caddey or providing us with your information, you understand that your data will be transferred to and processed in the Netherlands and other countries as needed. We will protect all transferred data as described in this Policy.

Data Retention

We retain personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. In general:

Account Data: Account information and profile data are kept for as long as you have an active account. If you delete your account or request deletion, we will erase or anonymize your personal data within a reasonable period, except to the extent we need to keep it for legitimate business or legal reasons.
Transaction Data: Billing and payment records are retained to complete the transaction and thereafter as required for financial reporting and compliance. For example, we may keep invoice information for a number of years as mandated by tax law.
Usage Data: Usage data (logs, analytics) is retained for a shorter period for internal analysis and to improve the Service. We generally retain such data only for as long as necessary, except when it may be needed for security purposes or to comply with legal obligations.
Communications: If you contact us (for example, via support email), we may retain those communications and our responses for as long as needed to address your inquiry and for our internal records.

After the applicable retention period, we will either delete your personal information or store it in a form that no longer identifies you (aggregated or anonymized data).

Data Security

We take the security of your personal data seriously. Caddey implements industry-standard security measures to protect your information from unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (HTTPS), firewalls and network security protections, and restricted access to personal data by our staff on a need-to-know basis. We also rely on the security features of our cloud providers (Azure and Cloudflare) to safeguard stored or transmitted data.

However, please note that no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. You should also take care in protecting your own account credentials and notify us immediately if you suspect any unauthorized access to your account.

Your Rights

You have rights regarding your personal data. Depending on your location and the applicable law, these may include:

Access and Portability: You can request a copy of the personal data we hold about you, and we will provide it to you in a structured, commonly used, machine-readable format.
Correction: You have the right to have inaccurate or incomplete personal data corrected or updated.
Deletion: You can ask us to delete your personal data. We will honor deletion requests where we no longer need the data for providing the Service or for legitimate business or legal purposes. (For example, we might retain certain data if required by law, but we will inform you if such an exception applies.)
Restriction of Processing: You have the right to request that we limit the processing of your data in certain circumstances (for instance, if you contest the accuracy of the data or object to our processing of it).
Object to Processing: You can object to certain processing, such as processing for direct marketing purposes or in cases where we are relying on legitimate interests. In such cases, we will stop processing your data unless we have a compelling legitimate ground to continue or are otherwise legally permitted to do so.
Withdraw Consent: If we rely on your consent to process any personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
Non-Discrimination: Caddey will not discriminate against you for exercising any of these rights. If you choose to exercise your privacy rights, we will continue to provide you with our services at the same level of quality and pricing.

These rights are subject to some conditions and exceptions under applicable law. To exercise any of your rights, please contact us (see the Contact Us section below). We may need to verify your identity before fulfilling certain requests, to ensure we do not disclose data to the wrong person. We will respond to your request within the timeframe required by law.

If you are in the EU/EEA or UK, you also have the right to lodge a complaint with your local data protection supervisory authority if you believe we have infringed your privacy rights. For example, in the Netherlands you can contact the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).

California Privacy Rights

If you are a resident of California, you are entitled to certain rights and disclosures under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to Know: You can request that we disclose what personal information Caddey has collected about you, including the categories of personal information, the categories of sources of that information, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it. We have provided much of this information in this Privacy Policy.
Right to Access and Data Portability: You may request a copy of the specific pieces of personal information we have collected about you in the last 12 months. When you make an access request, we will provide your data in a portable and readily usable format, to the extent technically feasible, in accordance with CCPA requirements.
Right to Delete: You can request that we delete the personal information we have collected from you (and direct our service providers to do the same). As under GDPR, some information may be exempt from deletion requests under CCPA/CPRA – for example, if it is necessary for us or our providers to complete a transaction, detect security incidents, or comply with legal obligations.
Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
Right to Opt-Out of Sale/Sharing: CCPA gives you the right to opt out of the "sale" of your personal information or the sharing of your personal information for cross-context behavioral advertising. Caddey does not sell personal information, and we do not share your personal information with third parties for targeted advertising purposes. Therefore, this right is generally not applicable to data collected by Caddey.
Right to Non-Discrimination: We will not deny you service, charge you a different price, or provide a different level of service just because you exercise your privacy rights.

If you are a California resident and would like to exercise any of these rights, please contact us using the information in the Contact Us section. We may need to verify your identity and California residency before processing certain requests, as required by law.

Children’s Privacy

Caddey is not intended for use by children. We do not knowingly collect personal information from anyone under the age of 18. If you are under 18, please do not use Caddey or provide any personal data to us. If you are a parent or guardian and you discover that your child has created an account or provided personal data to Caddey without your consent, please contact us. If we become aware that we have collected personal data from a child without parental consent, we will take steps to remove that information from our servers and records.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make material changes, we will notify users by email or by placing a prominent notice on our website prior to the changes taking effect. The "Last updated" date at the top of this Policy will indicate when the latest changes were made. We encourage you to review this Privacy Policy periodically for any updates. Your continued use of Caddey after any changes to this Policy constitutes your acceptance of the updated terms.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

JQP Holding B.V. (Caddey)
The Netherlands
[email protected]

We will gladly assist you and address any issues to the best of our ability. Your privacy is important to us, and we welcome your feedback.