Privacy Policy
Last updated: May 24, 2026
1. Introduction
This Privacy Policy explains how Mimicry ("we", "the Service") collects, uses, and protects your information when you use our Mock API Engine available at mimicry.rest.
Mimicry is a personal, independent project (indie project) developed and maintained by an individual developer. We are committed to protecting your privacy and handling your data transparently.
2. Data Controller
For the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws, the data controller is:
Mimicry (independent project)
Contact: available via the contact options in the website footer.
We have determined that the appointment of a Data Protection Officer (DPO) is not required under applicable law given the nature and scale of our data processing activities.
3. Information We Collect
3.1 Account Data (Registered Users)
When you create an account, we collect:
- Email address — used for authentication, account verification, password resets, and service notifications
- Password — stored securely using one-way hashing; we never store or have access to your plaintext password
- Display name (optional) — if you choose to provide one
3.2 Guest Data
If you use Mimicry without registering, a randomly generated guest identifier is created and stored in your browser's local storage. This identifier is used solely to associate your mock projects with your browser session. It is not a cookie and is never sent to third parties.
3.3 Technical Logs (API Activity)
When your mock endpoints receive API calls, the Service logs technical information for debugging, activity monitoring, and abuse prevention:
- IP address — used for rate limiting and abuse prevention
- User-Agent string — used for debugging and activity log display
- Request headers, query parameters, and body — logged to provide you with a detailed activity log of calls to your mock endpoints
- Response body — logged for your reference in the activity log
These logs are visible only to the owner of the project and are retained for a limited period (see Data Retention below).
Activity logs may contain data submitted by third parties who call your mock endpoints. You should avoid configuring mock endpoints in ways that encourage submission of real personal or sensitive information. You are responsible for the content exposed through your endpoints.
3.4 Project Data
We store the mock endpoints, schemas, CRUD resources, API keys, and project metadata that you create. This data is necessary to provide the core functionality of the Service.
4. Cookies and Local Storage
4.1 Authentication Cookies
The Service uses strictly necessary cookies to maintain authenticated sessions for registered users. These cookies are used solely for authentication and session management. Their lifetime and technical attributes may vary for security or operational reasons.
These cookies cannot be used for tracking or advertising purposes and are not accessible to client-side scripts.
4.2 Security Cookies (Cloudflare)
The Service is protected by Cloudflare's bot management and DDoS mitigation infrastructure. As part of this protection, Cloudflare may set a cookie named cf_clearance on your device after you successfully pass an automated security challenge.
| Cookie | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
cf_clearance | Cloudflare, Inc. | Records that the visitor has passed a bot/security challenge, preventing repeated challenges during the session | ~30 minutes | Strictly necessary - security |
This cookie is strictly necessary for the secure operation of the Service and is exempt from consent requirements under Art. 5(3) of the ePrivacy Directive and the Italian Data Protection Authority (Garante) Cookie Guidelines (2021). It is not used for tracking, profiling, or advertising purposes.
For more information, see Cloudflare's Privacy Policy.
4.3 Local Storage
For guest users, a client-side identifier is stored in your browser's local storage. This is not a cookie and is used exclusively to link your browser to your guest projects.
4.4 No Tracking or Advertising Cookies
The Service uses only strictly necessary cookies (for authentication and security). Mimicry does not use any tracking, advertising, or marketing cookies.
5. Third-Party Services
5.1 Error Monitoring
We use Sentry (Functional Software, Inc.) for error monitoring. Sentry may collect error reports and related technical diagnostic information, such as browser type and operating system. Sentry acts as a data processor on our behalf. For details, see Sentry's Privacy Policy.
5.2 Analytics
When enabled, we use a privacy-focused, self-hosted analytics solution configured to avoid the use of cookies and to minimize collection of personal data. Analytics data is stored on our own infrastructure and is not shared with third parties.
5.3 Email Provider
We use a third-party email service to send transactional emails only (account verification, password reset, inactivity notifications). Your email address is shared with the provider solely for this purpose. We do not send marketing or promotional emails.
5.4 Network & Security Infrastructure
The Service uses Cloudflare, Inc. as its network infrastructure and security provider. Cloudflare processes traffic passing through the Service for the purposes of content delivery, DDoS mitigation, and bot protection. As part of this, Cloudflare may process technical data such as IP addresses and HTTP headers. Cloudflare acts as a data processor on our behalf. For details, see Cloudflare's Privacy Policy.
5.5 International Data Transfers
Some third-party providers (including Cloudflare and Sentry) may process data in countries outside the European Economic Area. Such transfers are subject to appropriate safeguards (e.g., Standard Contractual Clauses) as described in the respective providers' privacy policies.
6. How We Use Your Data
We use the information we collect to:
- Provide and operate the Service (create and serve mock endpoints, manage projects)
- Authenticate your identity and maintain your session
- Display activity logs showing calls to your mock endpoints
- Enforce rate limits and prevent abuse (via IP-based throttling)
- Debug errors and improve the Service's reliability
- Send transactional emails (verification, password reset, data retention warnings)
- Generate aggregated, anonymous usage statistics (daily call counts per project)
We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.
7. Data Retention
- Guest projects and endpoints are temporary and automatically deleted after a short period of inactivity. Current retention periods are indicated in the product interface.
- Registered projects and endpoints are generally retained while the account remains active. Projects with prolonged inactivity may be subject to cleanup in accordance with the Service's current retention rules.
- API activity logs are retained for a limited period necessary for debugging, monitoring, and abuse prevention, then aggregated into anonymous usage statistics.
- Aggregated statistics are not intended to identify individual users and may be retained indefinitely.
- Account data is retained until you request deletion. Upon deletion, your data is permanently removed through scheduled cleanup processes.
- Authentication tokens expire automatically and are cleaned up periodically.
8. Data Security
We implement reasonable technical and organizational measures to protect your data, including:
- Passwords are securely hashed and never stored in plaintext
- Authentication data is protected using industry-standard security mechanisms
- Access controls and rate limiting are enforced to protect the Service from abuse
- Network traffic is protected via Cloudflare's infrastructure (TLS encryption, DDoS mitigation)
While we take reasonable measures to protect your data, no system can guarantee absolute security.
9. Your Rights
Under applicable data protection laws (including the GDPR if you are in the European Economic Area), you may have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data (e.g., update your name or email in your profile settings)
- Delete your account and all associated data
- Data portability — request a copy of the personal data we hold about you
- Object to or restrict certain processing of your data
To exercise any of these rights, contact us using the information in the Contact section below. For identity verification purposes, requests must be sent from the email address associated with your Mimicry account.
You also have the right to lodge a complaint with your local data protection supervisory authority. In Italy, this is the Garante per la Protezione dei Dati Personali.
10. Legal Basis for Processing
Where applicable (including under the GDPR), we process your data on the following legal bases:
- Performance of the service (Art. 6(1)(b) GDPR): Account management, authentication, and delivery of core functionality
- Legitimate interests (Art. 6(1)(f) GDPR): Security measures, rate limiting, abuse prevention, error monitoring, and service improvement
- Legal obligations (Art. 6(1)(c) GDPR): Compliance with applicable laws when required
Strictly necessary cookies (authentication and security) are processed on the basis of legitimate interest and are exempt from consent requirements under Art. 5(3) of the ePrivacy Directive.
11. IP Address Handling
IP addresses are collected in two contexts:
- Project-level: Your IP is recorded when creating projects, used exclusively for rate limiting and resource throttling to prevent abuse.
- API logs: The IP address of callers to your mock endpoints is logged as part of the activity log. These logs are visible only to you and are retained for a limited period.
IP addresses are never used for marketing, profiling, or user tracking. They serve purely technical and security purposes.
12. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Any updated version will be posted on this page with a revised "Last updated" date. Where required, we will take additional steps to notify users of material changes. Your continued use of the Service after the updated policy is published means you acknowledge the revised policy.
14. Contact
If you have any questions about this Privacy Policy or wish to exercise your data rights, you can reach us using the contact options available in the website footer. We will respond to data-related requests within a reasonable timeframe.