Data Processing Addendum.
Default processor terms for customer-submitted personal data in Haunt extraction requests.
Last updated: 3 June 2026.
Trust route
Legal and privacy questions go to support@hauntapi.com. Security reports go there too.
These pages are plain-English operating terms, not a badge saying a lawyer has blessed every comma.
Purpose and scope
This Data Processing Addendum applies when Haunt processes personal data on behalf of a customer through the API. It is designed for small SaaS use, not procurement theatre. If you need a signed custom DPA, contact support before sending sensitive workloads.
Roles
For customer-submitted URLs, prompts, authorised page content, and extraction outputs, the customer is usually the controller and Haunt is the processor. For account, billing, security, abuse-prevention, and service analytics data, Haunt is usually the controller.
Processing details
| Item | Detail |
|---|---|
| Subject matter | Providing web extraction, structured JSON output, support, debugging, billing evidence, security, and abuse prevention. |
| Duration | For the term of the customer account, then for the retention periods needed for support, security, billing, legal, and business records. |
| Nature of processing | Receiving requests, fetching permitted pages, rendering pages where needed, extracting visible data, returning JSON, logging bounded metadata, and storing account/usage records. |
| Personal data categories | Account contact data, submitted URLs and prompts, request metadata, extracted page content where the source page contains personal data, support messages, and billing metadata. |
| Data subjects | Customer users, support contacts, people named or shown in submitted page content, and people whose data appears in customer-provided prompts or outputs. |
Customer instructions
Haunt processes customer-submitted personal data only to provide, secure, support, debug, bill, and improve the service, or as legally required. The customer is responsible for ensuring its instructions are lawful and that it has the right to submit the data.
Security measures
- HTTPS for public service traffic.
- Hashed API keys and password hashes.
- Redaction and encryption for sensitive request history where appropriate.
- Access limited to operational need.
- Rate limits, request IDs, abuse monitoring, and SSRF protections.
- Backups, deployment controls, and health checks designed not to expose secrets.
Subprocessors
Haunt may use subprocessors listed at /subprocessors. Haunt remains responsible for subprocessors used to provide the service. Customers should review the list before sending sensitive or regulated workloads.
Deletion, assistance, and incidents
Haunt will provide reasonable assistance for deletion, access, security, and data-subject requests where the request relates to customer-submitted personal data and the customer cannot handle it alone. Security incidents affecting customer personal data should be notified without undue delay after Haunt confirms the issue and scope.
Transfers
Some subprocessors may process data outside the UK or EEA. Haunt relies on provider transfer safeguards where available. Customers with strict transfer rules should contact support before using the API for sensitive personal data.