REST Countries

Privacy Policy

Last updated: 08 June, 2026

In plain language. We collect what we need to authenticate, bill, and run the Service: your email, a hashed password, session and cookie data, and request metadata. We don't sell your data, share it with advertisers, or use it to train models. We're a Canadian company that follows the EU/UK GDPR in addition to Canadian privacy law. You can export, correct, or delete your data at any time. The full policy below covers the legal bases, who we share with, where data lives, and how to reach our privacy team.

1. Who we are

The data controller for personal data collected through the Service is ONC Inc. ("REST Countries," "we," "us"), a corporation incorporated under the laws of the Province of Ontario, Canada. You can reach our privacy team, including our designated Privacy Officer (the accountability role required under PIPEDA), through the support page.

Where required by Article 27 of the EU GDPR or the UK GDPR, we have appointed an EU/UK representative for data subjects in those regions. Their contact details are available on request via support.

2. What this policy covers

This Privacy Policy explains what personal data we collect when you visit the REST Countries website, sign up for an account, or call our APIs; why we collect it; how long we keep it; who we share it with; and what rights you have. It applies to the marketing site at restcountries.com, the customer dashboard, and the API endpoints. It does not cover third-party services we link to from inside our product (e.g. Stripe-hosted checkout pages). Those have their own policies, which we summarize where relevant.

3. What we collect

We collect four categories of personal data:

  • Account data: your email address, a salted bcrypt hash of your password, your full name (if provided), your selected timezone, and the timestamp of account creation.
  • Billing data: for paid plans, your billing address, the last four digits and brand of your payment card, the country of issuance, and the invoice history. We never see your full card number, CVC, or expiry. Those are sent directly to Stripe by your browser.
  • Session and cookie data: the public identifier for your session token, a browser-readable logged-in state flag, your persistent-session preference, a short-lived CSRF nonce for email-link forms, and cookie-banner state.
  • Request metadata: for every API call, we log the URL path and query string, the response status code, the response time in milliseconds, the response payload size, the API key identifier (a hash, not the key itself), and the originating IP address. We do not log the response body.

4. Why we collect it (legal basis)

Under the EU and UK GDPR, every collection of personal data must rest on a legal basis. Ours are:

  • Performance of a contract (Art. 6(1)(b) GDPR): for account data, billing data, session and cookie data, and request metadata that's necessary to authenticate your requests, maintain your dashboard session, count usage against your plan, and produce invoices.
  • Legitimate interest (Art. 6(1)(f) GDPR): for security investigation (e.g. blocking abusive IPs), short-term debugging, and aggregated analytics about how the Service is performing. We've assessed that these interests do not override your rights and freedoms; you can object at any time (see Section 11).
  • Legal obligation (Art. 6(1)(c) GDPR): for retaining tax-relevant records (e.g. invoices) for the period required by Canadian, EU, and UK tax law.
  • Consent (Art. 6(1)(a) GDPR): for any optional marketing or product-update emails. You can withdraw consent at any time without affecting prior processing.

For Canadian residents, the equivalent framework is implied or express consent for collection, use, and disclosure of personal information that a reasonable person would consider appropriate in the circumstances, under PIPEDA section 5(3).

5. How we use it

  • Authenticate dashboard sessions and API requests, and enforce per-plan rate limits.
  • Calculate usage and bill paid plans accurately.
  • Investigate abuse (e.g. credential stuffing, scraping, denial-of-service).
  • Debug issues that you or we encounter, with the smallest possible scope of access.
  • Send transactional emails (password resets, billing receipts, security notices, deprecation warnings, invoice failures).
  • Improve performance by aggregating your own request metrics across regions and routes, never by reading your customers' content.

6. What we don't do

We don't sell your data, share it with advertisers, or use it to train third-party models. We don't track you across the web. We don't run any cross-site analytics. We don't profile you for advertising or perform automated decision-making with legal or similarly significant effects. If those things ever change, we'll seek your consent first. They will not be quietly added to this policy.

7. Where data lives (residency and transfers)

REST Countries is operated from Canada. Production data is hosted in AWS data centres in Canada (ca-central-1) and the European Union (eu-west-1); region selection is automatic based on the originating request region. Requests reach our origin through Cloudflare's global edge network, which terminates TLS and may briefly process request metadata (IP, headers, URL) in the point of presence closest to you before forwarding to the appropriate AWS region.

Some of our sub-processors (see Section 8) operate from the United States. Where personal data of EU, UK, or Swiss residents is transferred to a country without an adequacy decision, the transfer is governed by the Standard Contractual Clauses (Module Two, Controller-to-Processor, 2021 / UK Addendum where applicable). For Quebec residents, our cross-border transfers are accompanied by the privacy impact assessment required under An Act respecting the protection of personal information in the private sector (Quebec Law 25, s. 17).

8. Sub-processors

We rely on a small number of vendors to operate the Service. Each is bound by a written data-processing agreement that requires equivalent or stronger protections.

  • Amazon Web Services (AWS): infrastructure, request logs, encrypted backups. AWS data privacy.
  • Cloudflare: DNS, TLS termination, CDN, and DDoS protection. As our network edge, Cloudflare processes IP addresses, request headers, and URLs for every request to the Service before they reach our origin. Cloudflare operates a global edge network and may briefly process traffic in regions outside Canada and the EU. Cloudflare privacy.
  • Stripe: payment processing for paid plans (card details go directly from your browser to Stripe; we receive only a token plus the last four digits and brand). Stripe privacy.
  • Postmark: transactional email delivery (password resets, receipts, security notices). Postmark EU privacy.
  • Zenlogin: login-anomaly detection. When you sign in, we send your email address, IP address, user-agent, and an account identifier so Zenlogin can assess whether the sign-in looks unfamiliar and a security notice should be sent. This data is used only for that real-time security check and is not stored by Zenlogin. Zenlogin privacy.
  • Plausible Analytics: website analytics for the marketing site. No cookies, no local storage, no cross-site identifiers, no personal data stored. Plausible processes page URL, referrer, browser, and a daily-rotating hash derived from IP and user-agent to count unique visits. GDPR, CCPA, and PECR compliant; data hosted in the EU. Plausible privacy.

We give at least thirty (30) days' notice on the marketing site before adding or replacing a sub-processor. If you have a paid plan, you may object on reasonable grounds and, if we cannot accommodate the objection, terminate the affected portion of the Service.

9. Retention

  • Account data: kept for the lifetime of your account. On deletion, all personal data is purged from production within thirty (30) days. Encrypted backups age out within ninety (90) days of the underlying record being deleted.
  • Billing and invoice records: retained for the period required by Canadian, EU, and UK tax law (typically six to seven years) even after account closure, to satisfy our tax obligations.
  • Request metadata: kept for ninety (90) days for debugging and abuse prevention, then aggregated; per-request rows are deleted at that point.

10. Security

We protect personal data with appropriate technical and organizational measures, including:

  • TLS 1.2+ for all customer-facing traffic.
  • Encryption at rest for backups.
  • Role-based access control with audit logging on production systems.
  • One-way password hashing (bcrypt) and one-way API-key hashing.
  • Annual third-party penetration testing.
  • Mandatory privacy-and-security training for personnel with production access, at hire and annually.

If a personal-data breach affects you, we'll notify you and the appropriate supervisory authorities within the timelines required by law (without undue delay, and within seventy-two (72) hours under the GDPR / UK GDPR).

11. Your rights

You can export or delete your data at any time from your account settings. Depending on where you live, you also have the following rights:

  • EU / EEA / UK / Switzerland: access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your supervisory authority. See your GDPR rights for details.
  • Canada (PIPEDA + provincial laws): access, correction, withdrawal of consent, and the right to file a complaint with the Office of the Privacy Commissioner of Canada or your provincial regulator. Quebec residents have additional rights under Law 25, including the right to data portability and the right to know about automated decisions affecting them.
  • California (CCPA / CPRA), Brazil (LGPD), and other comprehensive regimes: equivalent rights are available; contact support to invoke them.

To exercise any right, contact support. We respond within thirty (30) days. To protect your data, we'll typically verify your identity by sending a confirmation link to the email on file before fulfilling the request.

12. Cookies

We use a small number of strictly necessary cookies to keep you logged in and protect against CSRF. We do not use advertising, analytics, or tracking cookies. See our Cookie Policy for the full list and what each cookie does.

13. Children

REST Countries is not directed at children under thirteen (13), or (where applicable) the age of digital consent in your jurisdiction. We do not knowingly collect their personal data. If you believe a child has provided personal data through the Service, please contact support and we will delete the account.

14. Automated decision-making

We do not use automated decision-making (including profiling) that produces legal or similarly significant effects on you. Rate-limiting, plan-quota enforcement, and automated abuse signals are operational controls, not legal decisions about you, and you can always reach a human via support if you believe a control has been mis-applied.

15. Changes to this policy

If we change this policy materially, we will notify you by email or in-app notice at least fourteen (14) days in advance. Non-material changes (e.g. clarifying language, fixing typos) are reflected by updating the "Last updated" date at the top of this page.

16. Contact

Questions or requests? Contact our privacy team. We aim to acknowledge every privacy enquiry within five (5) business days.