Zero Data Retention for API lookups
Overview
Zorro's lookup APIs operate on a zero-data-retention basis: we do not store the content of your lookup requests. When you query a company number, domain, or email address, we process the request, return the result, and discard the request content. This applies to all lookup endpoints, whether called directly or via partner integrations.
What we never store
- The identifiers you submit — company numbers, domains, and email addresses sent for verification
- The responses we return to you
- Any record of which companies you looked up
Email addresses submitted for verification are processed transiently and never written to logs or storage.
What we retain
| Data | Purpose | Retention |
|---|---|---|
| Account information | Email, organisation, API credentials | Duration of account |
| Usage counts | Billing — number of calls per period, no content | Duration of account |
| Rate-limit counters | Abuse prevention | Auto-expire within 24 hours |
| Access logs | Security — endpoint, timestamp, status code; no lookup content | Up to 12 months |
| Billing records | Invoicing and tax | As required by UK law |
Our underlying company dataset (registry data, enrichment) exists independently of your queries — your lookups do not add to it.
How it's enforced
- Lookup endpoints are excluded from request-content logging at the middleware level
- All traffic encrypted in transit; data at rest encrypted and hosted in the UK
- Token-based authentication, rotatable on request
Regulatory alignment
This policy supports the UK GDPR and EU GDPR data-minimisation principle (Article 5(1)(c)) and storage-limitation principle (Article 5(1)(e)), the UK Data Protection Act 2018, and is aligned with US privacy regulation (CCPA/CPRA).
Contact
Questions about this policy: [email protected]