Data Processing Agreement

Data Controller: You (the operator using the whatsmy.fyi API or website to process data on behalf of your users).

Data Processor: whatsmy.fyi (operated by its owner), providing IP geolocation services via https://whatsmy.fyi/api/v1/ip.

whatsmy.fyi receives an IP address as part of an inbound HTTP request and returns geolocation, network, and connection metadata associated with that IP address in the HTTP response. The processing is instantaneous and transient — it is completed the moment the response is sent.

Purpose: Returning geolocation and connection metadata to the data controller in real-time, for use in their own application.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — the data controller requests the processing, receives the result immediately, and no data is retained by whatsmy.fyi thereafter.

whatsmy.fyi retains zero user data after an API response is sent. Specifically:

• ✓No IP addresses are written to any database, log file, or persistent store.
• ✓No geolocation data is retained beyond the in-flight HTTP response.
• ✓No User-Agent strings, request headers, or metadata are logged.
• ✓Cloudflare KV stores API key hashes and usage counters — never IP addresses or PII.
• ✓Cloudflare D1 stores account data provided voluntarily by registered users only.

This architecture means there is no personal data to be breached, no retention period to comply with, and no data subject access requests that require retrieval of IP history.

whatsmy.fyi uses a single sub-processor for infrastructure:

Resend only receives email addresses for registered dashboard users — it never processes IP addresses or end-user data.

Because whatsmy.fyi retains zero personal data beyond the HTTP response, most data subject rights are satisfied by design:

• ·Right of access (Art. 15): No data retained — nothing to return.
• ·Right to erasure (Art. 17): No data retained — nothing to delete.
• ·Right to portability (Art. 20): No data retained — nothing to export.
• ·Right to rectification (Art. 16): No data retained — nothing to correct.
• ·Registered account data: Email, name, OAuth provider — deletable via Dashboard → Settings → Delete account.

Technical and organisational measures in place:

• 🔒All traffic encrypted with TLS 1.3 — older protocols rejected.
• 🔒API keys stored as SHA-256 hashes only — plaintext never persisted.
• 🔒Cloudflare Workers runtime provides process-level isolation per request.
• 🔒Cloudflare's infrastructure is ISO 27001, SOC 2 Type II, and PCI DSS Level 1 certified.
• 🔒No credentials stored in code — environment variables via Cloudflare secrets.

Cloudflare routes requests to the nearest Point of Presence globally. For EEA data subjects, this typically means processing within Europe. Cloudflare participates in the EU-U.S. Data Privacy Framework and provides Standard Contractual Clauses (SCCs) for international transfers.

Because whatsmy.fyi retains zero data after the response, there is no ongoing international transfer of personal data by whatsmy.fyi itself.

For enterprise customers who require a signed DPA as part of their vendor onboarding process, contact us at:

We respond within 1 business day for enterprise DPA requests.

Material changes to this DPA will be announced via the changelog at least 30 days before they take effect. The effective date at the top of this page is updated on every revision.