If you are providing an Application Programming Interface (API), you're most likely to be collecting data from end-users. This means you'll need a Privacy Policy.
This article will look at what types of data collection and exchanges you're most likely to be making through an API. It will then look at why you need to have a Privacy Policy, and what you'll need to cover in your Privacy Policy document itself.
Let's begin.
- 1. What is an API?
- 2. What Data is Collected Through an API?
- 3. Why Do API Providers Need a Privacy Policy?
- 4. What Should a Privacy Policy for API Providers Cover?
- 4.1. Requirements for Developers
- 4.2. What Data You Process
- 4.3. Sharing Data
- 4.4. Transferring Data
- 4.5. User Rights
- 5. How Do I Get Developers to Agree to My API Privacy Policy?
- 5.1. Agreement When Requesting a Key
- 5.2. During Sign-Up
- 5.3. When Software is Installed
- 6. Summary
What is an API?
An Application Programming Interface (API) acts as an intermediary between applications: it defines how they talk to each other and how they exchange the information that lets an app or piece of software work together with another. In many cases, an API is how an app or software interacts with another service or capability, or gains access to data from another provider.
For example, if you wanted to build an online store, you might use the Stripe payment service. You would use the Stripe API to allow your website to connect with the Stripe payment system.
If you are providing or creating an API for others to use, your business will be providing a "connecting" service between one application or system (such as the online store), and another (such as a payment service).
What Data is Collected Through an API?
Data flows through an API in both directions, and some of that data could be personal information, such as:
- End-users' names and addresses
- IP addresses
- Payment or bank information, such as for a payment API
- Location information, such as for a ride-sharing API
- Any information in free text fields, e.g. for a messaging API
- Information about the developer using the API, such as the developer's IP address
The API itself defines what information is necessary to make it work, and other information that could be optionally provided by end-users. If an application is using your API, the developer of that application needs to know what information your API could collect from end-users.
Many privacy laws around the world have rules about "personal information", what it is, how you need to inform users you're collecting it, and how you need to deal with it.
For example, the General Data Protection Regulation (GDPR) defines "personal data" as any information that can identify a natural person, either directly or indirectly (such as through combining data sets).
In the U.S., laws like the California Online Privacy Protection Act (CalOPPA) define personal information similarly.
As your API is probably collecting personal information or personal data, you'll need to comply with what these laws require. Let's take a look in more detail.
Why Do API Providers Need a Privacy Policy?
Once created, your API is likely to be used by a wide range of developers. An API can grant access to data, and data can be exchanged through it in both directions. Since some of the information collected or shared through the API is potentially personal information, you are likely to be covered by privacy laws in your country.
You will need to inform yourself about the privacy laws relating to you, and what they require. However, most privacy laws have similar rules.
For example, under the GDPR, Article 13 requires that you inform people when you are collecting their data, and provide them with information about that processing.
Under the GDPR, you also need to inform users of their rights to access data, right to correct data, erasure (right to be forgotten), and data portability.
CalOPPA also requires websites and "online services" to conspicuously post a copy of their Privacy Policy on their website or make that policy available by other means. In many cases, an API will form part of an "online service."
You need to inform developers and users what information your API collects for two purposes:
- So that app developers can consent to any sharing of their own information with your API.
- So that app developers can inform their end-users through their own Privacy Policy, what information your API collects.
The French Data Protection Authority (CNIL) has also released recent guidance on helping to keep APIs compliant. Along with having an appropriate Privacy Policy, CNIL recommends:
- Identify the relevant actors and their roles (data holder, API manager, re-user) to ensure appropriate data access
- Limit any data sharing to data that is strictly necessary
- Separate calls to the API's common functions from calls to its administrative functions
- Keep informative logs to track data exchanges and to detect misuse or unusual behavior
- Keep documentation up to date
These steps will help to make sure your API is a secure and privacy-compliant aspect of any application.
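The three technical recommendations above (strictly necessary data only, separated administrative functions, informative logs that reveal misuse) can be checked mechanically once every data exchange is written to an audit log. The following is an added example, not code from the article or from CNIL: it writes one JSON-lines audit record per exchange and reviews a constructed log against a per-endpoint allow-list of declared fields, an administrative path prefix and a bulk-read threshold. The record fields (ts, key_id, role, endpoint, fields, record_count), the endpoint paths, the role names and the threshold are all assumptions made for the example.

```python
"""Audit log review for API data exchanges (added example, not from the article).

Assumptions, all constructed for this example: audit records are JSON lines
with the fields ts, key_id, role, endpoint, fields and record_count; roles
follow the actors named in the text (data_holder, api_manager, re_user); the
per-endpoint field allow-list and the bulk threshold are invented values.
"""
import json
from collections import defaultdict

# Constructed allow-list: the fields each endpoint is declared to expose.
# Returning anything outside this set exceeds "strictly necessary" sharing.
DECLARED_FIELDS = {
    "/v1/orders": {"order_id", "amount", "currency"},
    "/v1/admin/users": {"user_id", "email", "name"},
}
ADMIN_PREFIX = "/v1/admin/"   # administrative functions live under a separate path
ADMIN_ROLE = "api_manager"    # only this actor may call them
BULK_THRESHOLD = 500          # records per call above which a read is flagged


def make_log_entry(ts, key_id, role, endpoint, fields, record_count):
    """Serialise one data exchange as a JSON-lines audit record."""
    return json.dumps({
        "ts": ts, "key_id": key_id, "role": role, "endpoint": endpoint,
        "fields": sorted(fields), "record_count": record_count,
    }, sort_keys=True)


def check_entry(entry):
    """Return the findings (possibly none) for one parsed audit record."""
    findings = []
    allowed = DECLARED_FIELDS.get(entry["endpoint"])
    if allowed is None:
        findings.append("call to undocumented endpoint")
    else:
        extra = set(entry["fields"]) - allowed
        if extra:
            findings.append("fields beyond the declared set: " + ", ".join(sorted(extra)))
    if entry["endpoint"].startswith(ADMIN_PREFIX) and entry["role"] != ADMIN_ROLE:
        findings.append("administrative function called by a non-manager key")
    if entry["record_count"] > BULK_THRESHOLD:
        findings.append("bulk read of %d records" % entry["record_count"])
    return findings


def review_log(lines):
    """Parse a JSON-lines audit log and group findings by API key."""
    report = defaultdict(list)
    for line in lines:
        entry = json.loads(line)
        for finding in check_entry(entry):
            report[entry["key_id"]].append(
                "%s %s: %s" % (entry["ts"], entry["endpoint"], finding))
    return dict(report)


# Constructed sample log: four exchanges from three keys.
SAMPLE_LOG = [
    make_log_entry("2024-05-01T10:00:00Z", "key-a", "re_user", "/v1/orders",
                   ["order_id", "amount"], 12),
    make_log_entry("2024-05-01T10:05:00Z", "key-b", "re_user", "/v1/orders",
                   ["order_id", "amount", "email"], 3),
    make_log_entry("2024-05-01T10:06:00Z", "key-b", "re_user", "/v1/admin/users",
                   ["user_id"], 1),
    make_log_entry("2024-05-01T10:30:00Z", "key-c", "api_manager", "/v1/admin/users",
                   ["user_id", "email"], 5000),
]

if __name__ == "__main__":
    for key_id, findings in review_log(SAMPLE_LOG).items():
        print(key_id)
        for finding in findings:
            print("  " + finding)
```

The allow-list doubles as the documentation CNIL asks you to keep current: if an endpoint starts returning a field that is not in DECLARED_FIELDS, the review flags it, which is a prompt to either drop the field or update the documentation and the Privacy Policy that describes it.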
Now let's take a look at what you need to include in your Privacy Policy for your API.
What Should a Privacy Policy for API Providers Cover?
A Privacy Policy for an API should cover what you require of developers who use your API in terms of privacy, as well as what data your API collects, what your API does with it, and whether you share it or transfer it to other parties or jurisdictions. You should also tell users what their privacy rights are, such as the right to erasure under the GDPR.
Let's take a look at each of those in more detail.
Requirements for Developers
Since your API will be used by developers to help their applications function, if you have any privacy requirements or rules they need to follow, include them in your Privacy Policy.
For example, Google API Services allow developers to "connect directly with Google users" and to "request access to Google user data."
This would be used when a website wants to allow its users to sign in using Google, like the example below from Outfittery. In the example, you can see that a user has the option to "Continue with Google", which would connect the Outfittery user to Google API Services, specifically, Google Sign-in:
When a developer wants to use Google API Services, they need to comply with the Google API Services User Data Policy.
Part of this User Data Policy requires API users to tell end users clear and accurate information about using Google API services. You can see below that this includes:
- Information about who is requesting Google user data (i.e. you)
- What data you are requesting
- Why you are requesting Google data
If you have specific requirements for people using your API, ensure these are spelled out in your Privacy Policy or API user agreement.
Now let's look at what else you should include in your Privacy Policy.
What Data You Process
In your Privacy Policy, you should describe what personal data you process, and for what purposes.
In this example from the Uber API Terms of Use, it refers to the processing of "Controller Personal Data." In the below clause you can see what is covered by Controller Personal Data:
Uber also provides a link to its Privacy Policy, which indicates further data Uber collects in table form:
Here's another example from the UK Department of Education's Privacy Policy in relation to the "Find and Use an API" feature:
You can see that it explicitly states which types of information are collected through using the Find and Use an API service. Using formats like tables and bullet points makes the information clear and easy to read for users.
Make sure your Privacy Policy clearly explains which data could be processed, transferred, or accessed by your API, and for what purposes.
Sharing Data
Your Privacy Policy should also cover whether you share data with any other parties.
Here's an example from Postman's Privacy Policy:
You can see Postman might share data with "trusted third parties" for website operation, conducting business, and providing services. It also says information might be released to comply with the law, enforce site policies, or protect someone's rights, property, or safety.
Make sure you accurately convey what data you share with others, through your API.
Transferring Data
If your API provider company is based in one country, but you store data on servers in another country, you need to let your users know.
This is particularly relevant if you are based in the EU, but store data on American cloud servers, or other countries that do not have an "Adequacy Decision." An Adequacy Decision is a legal ruling that specifies that another country's privacy laws are good enough, compared to the EU's.
Here's an example from Mercedes-Benz Developers, which offers data products and APIs from Mercedes-Benz:
You can see that it specifies that personal data might be provided to countries outside the EU, namely the USA and Turkey. It also discusses "adequacy", and how they use binding corporate rules to create sufficient privacy protection that would meet the EU's requirements.
User Rights
Finally, you need to let your users know what rights they have concerning their data.
Take a look at this section from Postman's Privacy Policy:
You can see it spells out clearly what rights users have: to access and update information, change information, delete information, delete user accounts, or disable third-party integrations. Your clause should clearly state what legal and privacy rights your users have.
Here's another example from RapidAPI:
You can see in the section that users can update, correct, or delete their information. The section also provides an easy way for users to contact RapidAPI.
Alongside these sections, you also need to include common sections such as:
- How you deal with children's data, if applicable
- Jurisdiction, or which country's laws apply to your policy
- When your policy was last updated, and how changes will be communicated
- Your contact information
Now let's take a look at how you can get consent to your Privacy Policy.
How Do I Get Developers to Agree to My API Privacy Policy?
You can ensure developers agree to your Privacy Policy by including it when a user requests an access key, or during the login or sign-up process for the API.
Non-web APIs also exist, but they are usually part of a larger piece of software and do not have separate Terms or a separate Privacy Policy. For these, you can embed a pop-up that appears during installation of your software to ask for agreement to your Privacy Policy and End User License Agreement.
Agreement When Requesting a Key
Including agreement to your Privacy Policy at sign-up or when getting an access key for the API is one way you can ensure developers have agreed to your Privacy Policy.
For example, when requesting an API key for the Google Search API, a pop-up appears in which users must click that they agree to the applicable Terms of Service of the API:
You can see that the "Yes" and "No" buttons are obvious, and that agreement must be explicit. A clear link to the Terms of Service is also provided in the pop-up.
Then, when the user visits the Google APIs Terms of Service, a section explicitly refers to user privacy and a requirement that developers using the API must have a compliant Privacy Policy, as shown in section 3 below:
This ensures the developer using the API has clearly and explicitly agreed to the Terms of Service, by clicking the "Yes" button.
If you set up your agreement process like this, make sure that the buttons are clear, and that there is an obvious, visible link to your Privacy Policy or relevant legal document next to the agreement button.
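The explicit "Yes" click described above is only useful if it is recorded and tied to the policy text the developer actually saw. The following is an added example, not code from the article or from Google: a small key issuer that refuses to hand out an API key until an explicit acceptance of the current Privacy Policy version is on file, stores the version and link that were shown alongside the button, and treats every earlier acceptance as stale when a new policy version is published. The class, its method names, the version labels, the developer ids and the policy URL are constructed for the example.

```python
"""Recording explicit Privacy Policy acceptance before issuing an API key
(added example; not the article's code and not any provider's implementation).
The policy versions, URL and developer ids are constructed values.
"""
import secrets
from dataclasses import dataclass, field


class ConsentRequired(Exception):
    """Raised when a key is requested without a valid, current acceptance."""


@dataclass
class KeyIssuer:
    policy_version: str   # version label of the policy text shown next to the button
    policy_url: str       # the visible link shown beside the agreement button
    consents: dict = field(default_factory=dict)  # developer_id -> acceptance record
    keys: dict = field(default_factory=dict)      # api key -> developer_id

    def record_acceptance(self, developer_id, clicked_yes, shown_version, at):
        """Store the developer's choice; only an explicit 'Yes' on the current text counts."""
        if not clicked_yes:
            raise ConsentRequired("developer declined the Privacy Policy")
        if shown_version != self.policy_version:
            # The page showed outdated policy text; re-prompt rather than record stale consent.
            raise ConsentRequired("policy shown was %s, current is %s"
                                  % (shown_version, self.policy_version))
        self.consents[developer_id] = {
            "version": shown_version, "url": self.policy_url, "accepted_at": at}

    def has_current_consent(self, developer_id):
        """True only if the acceptance on file matches the policy version now in force."""
        rec = self.consents.get(developer_id)
        return rec is not None and rec["version"] == self.policy_version

    def issue_key(self, developer_id):
        """Hand out a key only after a recorded, current acceptance."""
        if not self.has_current_consent(developer_id):
            raise ConsentRequired("no acceptance of policy %s on file" % self.policy_version)
        key = secrets.token_urlsafe(32)   # 256-bit random key
        self.keys[key] = developer_id
        return key

    def publish_policy(self, new_version, new_url=None):
        """A policy change invalidates earlier acceptances; those developers are re-prompted."""
        self.policy_version = new_version
        if new_url:
            self.policy_url = new_url

    def developers_needing_reconsent(self):
        """Developers whose recorded acceptance predates the current policy version."""
        return sorted(d for d in self.consents if not self.has_current_consent(d))


if __name__ == "__main__":
    # Constructed walk-through: decline, accept, get a key, then a policy update.
    issuer = KeyIssuer(policy_version="2024-01", policy_url="https://example.com/api-privacy")
    try:
        issuer.issue_key("dev-1")
    except ConsentRequired as exc:
        print("refused:", exc)
    issuer.record_acceptance("dev-1", True, "2024-01", "2024-05-01T10:00:00Z")
    print("issued:", issuer.issue_key("dev-1")[:8] + "...")
    issuer.publish_policy("2024-06")
    print("need re-consent:", issuer.developers_needing_reconsent())
```

Storing the version and URL with each acceptance is what lets you later show, for any key, which policy text the developer agreed to and when; it also gives you the list to notify when the "last updated" date on your policy changes.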
During Sign-Up
You can also embed a consent or agreement process in the sign-up process.
Here's an example from the Anthropic API showing the web sign-up:
Before the user can go ahead and use the Anthropic API, they need to agree to the Terms and Usage Policy, both of which reference privacy, such as this Data Processing Agreement in their Commercial Terms of Service:
Now let's take a quick look at non-web APIs.
When Software is Installed
For APIs that are part of software installed on a computer, i.e. a non-web API, you would not have a separate agreement just for the API. It is simply part of how the software interacts with other applications.
However, the software would include an End User License Agreement or a Privacy Policy that can pop up during the installation or use.
Here's an example from Cities: Skylines on Steam, which includes a link to the EULA and Privacy Policy:
If you include a pop-up like this in your software installation process, users can agree to your legal documents clearly before using the software.
Summary
Creating a Privacy Policy for your API is an important part of complying with your legal obligations and ensuring that developers using your API can comply with theirs. Your Privacy Policy should clearly explain what information your API collects, whether you share or transfer this data further, what you use it for, and users' rights to deletion, correction, access, and portability.
By keeping your API compliant with recommendations from data protection authorities such as CNIL, and having an up-to-date, clearly displayed Privacy Policy, you can ensure that your API meets your legal obligations.