Privacy Policy

Effective Date: February 14, 2026 | Last Updated: February 16, 2026

MockLayer ("we", "us", "our") is a software product operated from Romania, a member state of the European Union. We are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

1. Data Controller

MockLayer is the data controller for the personal data collected through our website at mocklayer.dev. For questions about this policy or your data, contact us at support@mocklayer.dev.

2. What Data We Collect

2.1 Email Address

We collect your email address when you:

  • Request a free trial license
  • Purchase a subscription through our payment processor
  • Request retrieval of a lost license key

Your email is used solely to deliver license keys and send subscription-related notifications (renewal confirmations, cancellation confirmations).

2.2 IP Address and Email (Trial Rate Limiting)

Your IP address is processed for rate limiting purposes (preventing abuse of trial requests, downloads, and checkout). For most rate limiters (downloads, checkout, email), IP addresses are held only in server memory and lost on restart. For trial request rate limiting, your IP address and email address are persisted to a local file on the server to enforce the one-trial-per-email limit across service restarts. This data is automatically deleted after 30 days and is never shared with external parties.

2.3 Website Analytics

If Google Analytics is enabled on our website, standard analytics data may be collected (pages visited, browser type, approximate geographic region). This data is processed by Google under their own privacy policy.

2.4 What We Do NOT Collect

  • No payment or financial data — All payment processing is handled by Paddle (our Merchant of Record). We never see, process, or store credit card numbers, billing addresses, or financial information.
  • No user accounts or profiles — We do not maintain user accounts.
  • No SAP data — The MockLayer proxy runs entirely on your own infrastructure. It does not transmit any data from your SAP systems to us.
  • No database — We do not operate a database. Minimal trial rate-limiting data (email and IP) is persisted to a local file on the server and automatically deleted after 30 days.

3. How We Use Your Data

We use the data we collect for the following purposes:

  • License delivery: To email you your license key after a trial request or purchase.
  • Subscription notifications: To send transactional emails related to your subscription (renewal confirmations, cancellation confirmations).
  • Abuse prevention: To enforce rate limits on API endpoints (trial requests, downloads, checkout).

We do not use your email address for marketing, newsletters, or any purpose other than those listed above.

4. Legal Basis for Processing (GDPR)

Under the GDPR, we process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): Processing your email to deliver license keys and manage your subscription.
  • Legitimate interest (Art. 6(1)(f)): Rate limiting using IP addresses to prevent abuse of our services.

5. Third-Party Services

We use the following third-party services that may process your data:

Paddle (paddle.com)

Role: Merchant of Record for all payments. Paddle collects and processes all payment data including credit card information, billing addresses, and tax information. Paddle is the data controller for payment data. Paddle Privacy Policy

Postmark (postmarkapp.com)

Role: Transactional email delivery. Postmark receives your email address to deliver license keys and subscription notifications on our behalf. Postmark Privacy Policy

Microsoft Azure

Role: Hosting infrastructure. Our website is hosted on Azure Static Web Apps and our API on Azure App Service, located in the West Europe (Netherlands) region. Microsoft Privacy Statement

Google Analytics

Role: Website analytics (if enabled). Collects standard analytics data such as pages visited and browser type. No personally identifiable information is sent to Google Analytics by our code. Google Privacy Policy

Cloudflare R2

Role: Binary file storage for software releases. Downloads are served through time-limited pre-signed URLs. No user data is stored in Cloudflare R2.

6. Data Retention

  • Email addresses: Retained by Paddle for the duration of your subscription and as required by applicable tax and accounting laws.
  • IP addresses: For most rate limiters, held in server memory only and lost on restart. For trial rate limiting, persisted in a local file for up to 30 days to enforce the one-trial-per-email limit, then automatically deleted.
  • Server logs: Retained for 30 days with daily rotation. Logs are privacy-sanitized — email addresses are hashed and license keys are masked before logging.

7. Your Rights (GDPR)

As a data subject under the GDPR, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate personal data.
  • Right to erasure: Request deletion of your personal data.
  • Right to restrict processing: Request restriction of processing of your personal data.
  • Right to data portability: Receive your personal data in a structured, machine-readable format.
  • Right to object: Object to the processing of your personal data.

To exercise any of these rights, contact us at support@mocklayer.dev. We will respond within 30 days as required by the GDPR.

For payment-related data, please contact Paddle directly as they are the data controller for payment information.

8. California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect about you.
  • Request deletion of your personal information.
  • Opt out of the sale of your personal information.

We do not sell personal information. The only personal data we collect is your email address, used exclusively for license delivery and subscription notifications.

9. International Data Transfers

Our hosting infrastructure is located in the European Union (Azure West Europe — Netherlands). Third-party services we use (Paddle, Postmark, Google) may process data outside the EU. These providers maintain appropriate data transfer mechanisms, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.

10. The MockLayer Proxy (Self-Hosted Software)

The MockLayer proxy server (MockLayer.Service) is self-hosted software that runs entirely on your own infrastructure. It is important to understand:

  • MockLayer.Service never communicates with our servers. It performs license validation locally using cryptographic signatures.
  • No data from your SAP systems is transmitted to us. All OData requests and mock responses stay within your network.
  • We have no access to your MockLayer.Service instances, configurations, or any data processed by them.

11. Security

We implement appropriate technical measures to protect your data:

  • All website traffic is encrypted via HTTPS/TLS.
  • Server logs are privacy-sanitized — email addresses are cryptographically hashed and license keys are masked before being written to logs.
  • License keys are generated using HMAC-SHA256 cryptographic signatures for tamper protection.
  • Rate limiting is enforced on all public API endpoints.

12. Cookies

Our website does not set first-party cookies. If Google Analytics is enabled, it may set third-party cookies for analytics purposes. No cookies are used for advertising or tracking across sites.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this page periodically.

14. Contact

For any questions about this Privacy Policy or to exercise your data rights, contact us at:

MockLayer
Email: support@mocklayer.dev
Website: https://mocklayer.dev

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) or any other competent EU supervisory authority.