OpenTIN API – Privacy Policy

Last updated: December 17, 2025

This Privacy Policy describes how Maelstrom Media s.r.o. (“we”, “us”, “our”) processes personal data in connection with the OpenTIN API (the “Service”).

This policy applies only to the OpenTIN API and does not apply to other products or services offered under the Open Automation brand.

Data Controller

The data controller for the processing described in this policy is:

Maelstrom Media s.r.o.
Sasovska 14, 851 06 Bratislava, Slovakia
Email: contact@open-automation.io

Scope of the Service

OpenTIN API is a cloud-based application programming interface that checks whether a submitted Tax Identification Number (TIN) is structurally valid for a given country, according to the formats published by the OECD for the Common Reporting Standard (CRS).

The Service does not verify identity, ownership, tax residency, or tax status, and does not enrich submitted data using external databases or third-party data sources.

Personal Data Processed

When using the OpenTIN API, the following categories of data may be processed:

Data submitted by customers

Tax Identification Numbers (TINs)

Country codes associated with submitted TINs

Technical and operational data

API request timestamps

Request identifiers

IP addresses

Authentication and authorization tokens

Usage metrics and error logs

The Service is not designed to collect names, addresses, dates of birth, or other directly identifying personal data.

Purpose of Processing

Personal data is processed solely for the following purposes:

Execution of TIN validation requests

Delivery of validation responses to customers

Ensuring service security and preventing abuse

Monitoring availability, performance, and reliability

Usage measurement and billing via cloud marketplace platforms

Personal data is not used for marketing, profiling, resale, or data enrichment.

Legal Basis for Processing

Where applicable under data protection laws, processing is based on:

Performance of a contract (Article 6(1)(b) GDPR)

Legitimate interests in operating and securing the Service (Article 6(1)(f) GDPR)

Compliance with legal obligations, where applicable (Article 6(1)(c) GDPR)

Data Retention

Submitted TINs and validation requests are not persistently stored beyond what is technically required to process the request.

Technical logs (including request timestamps, identifiers, IP addresses, and error logs) are retained for 30 days for security, troubleshooting, and audit purposes, after which they are permanently deleted from all systems.

Aggregated, anonymized usage statistics may be retained indefinitely for service improvement and billing purposes, but contain no personal data.

Data Sharing and Subprocessors

Personal data is not sold or shared with third parties for commercial purposes.

Data may be processed by cloud infrastructure providers acting as data processors solely to operate and secure the Service. Such providers are contractually bound by confidentiality and data protection obligations.

International Data Transfers

Where personal data is processed outside the European Economic Area, appropriate safeguards are implemented in accordance with applicable data protection laws, including standard contractual clauses where required.

Security Measures

Appropriate technical and organizational measures are implemented to protect data, including:

Encrypted network communications

Access control mechanisms

Logging and monitoring

Least-privilege access principles

Data Subject Rights

Where applicable, individuals have the right to:

Access their personal data

Request rectification or deletion

Object to or restrict processing

Lodge a complaint with a supervisory authority

Requests may be submitted to contact@open-automation.io.

Changes to This Policy

This Privacy Policy may be updated from time to time. The current version will always be available at this location and identified by the “Last updated” date above.