1. Home
  2. Legal
  3. GDPR & Data Protection

GDPR & Data Protection

Demografix ApS is a Danish company. We are subject to the General Data Protection Regulation (GDPR) directly — not by extension or adequacy decision, but as an EU-based data controller and processor.

This page explains how we handle data protection in plain language. For the full legal details, see our Privacy Policy, Terms of Service, and Data Processing Agreement.

What we process

Our APIs (genderize.io, agify.io, nationalize.io) accept names and return statistical predictions about likely gender, age, or nationality. That is the entirety of what we process.

We do not ask for or process email addresses, physical addresses, phone numbers, national ID numbers, or any other personal identifiers through the API. The only input is a name.

What we store

Almost nothing.

  • Individual API requests: Names are processed in real time and immediately discarded. They are not written to any database, log, or file. We do not log the IP addresses of API requests.
  • CSV file uploads: The original file is processed in memory only. The results file is stored temporarily and automatically deleted after download or after 24 hours, whichever comes first.
  • Account data: Your email address, hashed password, and subscription details.
  • Payment data: Handled entirely by Stripe. Card details never reach our servers.

Is a name "personal data"?

It depends on context.

A first name submitted to our API — without a surname, email address, or any other identifier — generally cannot identify a specific individual. "Maria" is not personal data. It is a query to a statistical model.

However, if you are using our API as part of processing personal data in your own systems — for example, enriching a database of identified individuals — then the name may be personal data in your context, even though it is not in ours.

We built the service with this distinction in mind. We do not store names, we do not link predictions to individuals, and we do not build profiles. Whether the data you send us qualifies as personal data depends on what you know about the person behind the name, not on what we know.

Data minimization

We practice data minimization by design:

  • We accept only names. No other personal identifiers are required or accepted.
  • We do not store the names you submit.
  • We do not log IP addresses of API requests.
  • Our website analytics (Plausible) are cookieless and collect no personal data.
  • Request metadata is stored in aggregate form and cannot be linked to individual requests.

International transfers

Our servers are hosted by DigitalOcean in the United States (New York). For transfers of data from the EEA to the US, we rely on the EU-US Data Privacy Framework, under which our infrastructure providers (DigitalOcean, Stripe, Sentry) are certified or participating.

If the adequacy framework is invalidated, we will implement alternative transfer mechanisms as required by GDPR Chapter V.

Sub-processors

Provider Purpose Location Safeguards
DigitalOcean Hosting USA EU-US Data Privacy Framework
Stripe Payments USA EU-US DPF; Standard Contractual Clauses
Sentry Error monitoring USA EU-US Data Privacy Framework

We do not share data with any other third parties.

Special category data

Nationalize.io predicts nationality, and genderize.io predicts gender. Under GDPR Article 9, racial or ethnic origin and data concerning sex are considered "special categories" of personal data, subject to additional protections.

Our position: the API returns statistical probabilities about a name, not assertions about a specific person. A prediction that the name "Yuki" is 62% likely to be Japanese is a property of the name, derived from aggregated data — not a claim about an individual named Yuki.

That said, if you are using our predictions in ways that affect individuals (hiring decisions, eligibility screening, audience segmentation of identified people), you should conduct your own assessment of whether GDPR Article 9 applies to your specific use case. We recommend consulting a data protection professional if you are processing predictions about identified individuals at scale.

Data Processing Agreement

If you process personal data and use our API as part of that processing, you may need a DPA to meet your own compliance obligations.

Our Data Processing Agreement is incorporated automatically through our Terms of Service. No separate signature is required. If your organization requires a countersigned copy, contact us at info@genderize.io.

Your rights

Under GDPR, you can:

  • Request access to the data we hold about you
  • Request correction or deletion of your data
  • Object to processing or request restriction
  • Request your data in a portable format
  • Withdraw consent at any time
  • Lodge a complaint with a supervisory authority

To exercise any right, email info@genderize.io. We respond within 30 days.

Supervisory authority

Our lead supervisory authority is the Danish Data Protection Agency:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
dt@datatilsynet.dk
datatilsynet.dk

Contact

Demografix ApS
Eriksvej 30, 1 th.
Roskilde, Sjælland 4000, Denmark

Email: info@genderize.io
CVR: DK40697179