DimensionsPot is stateless not as a privacy policy, but as a structural property of the system. There is no mechanism to store, index, or retrieve any input data after a response is sent — not because the system is configured not to, but because no such mechanism exists.
What happens on each request
- The request body arrives and is parsed in-memory.
- Input validation runs.
- The prediction engine computes all requested dimensions.
- The response is serialized and sent.
- All intermediate data is released from memory.
No session token is issued. No user profile is created. No request is written to a persistent store. No log file records the input measurements.
The only durable records are standard infrastructure logs: request timestamp, HTTP method, endpoint path, response status code, and latency. No body data, no measurement values, no subject parameters are logged.
What data is sent
The API receives numerical measurement inputs — body_height in mm, body_mass in kg, optional anchors. These are numbers, not personal data in the GDPR sense.
A height of 1780 and a weight of 75 is not identifying information on its own. There is no name, no email, no device ID, and no IP-to-identity linkage stored on our side.
Under GDPR Recital 26, data is personal only if the data subject is identifiable. A set of numerical measurements with no persistent identifier and no retained record does not constitute personal data in the hands of the API provider.
Comparison with photo-based sizing
| Property | DimensionsPot | Photo-based API |
|---|---|---|
| Input type | Numbers (height, weight) | Full-body photographs |
| Biometric data? | No | Yes — GDPR Article 9 special category |
| PII exposure risk | None | High — photos may contain face, tattoos, background |
| Data retention | None — response only | Typically stored for model improvement |
| GDPR Article 9 | Not applicable | Requires explicit legal basis + consent |
| Data processing agreement | Not required | Required |
| Right to erasure (Art. 17) | Not applicable | Must be implemented |
| Infrastructure required | HTTPS POST | Photo upload, CDN, storage, moderation layer |
GDPR implications for your integration
Because DimensionsPot receives only anonymous numerical inputs and retains nothing:
- No data processing agreement (DPA) between you and DimensionsPot is required for the API call itself.
- No GDPR Article 9 obligations arise from the integration.
- No right-of-erasure mechanism needs to be implemented for DimensionsPot data.
Your own application may still handle personal data. If you link a user account to a prediction result, or store input measurements alongside a user record, that linkage exists in your system, not ours. Your GDPR obligations relate to your data model — not to the API call.
HIPAA
The API does not receive, process, or store Protected Health Information (PHI) as defined by HIPAA. No names, dates of birth, geographic identifiers, or other HIPAA-defined identifiers are required or accepted. A Business Associate Agreement (BAA) is not applicable.
For health and fitness applications that combine API outputs with identifiable health records on your side, consult your legal team regarding your PHI handling obligations.
EU AI Act
The EU AI Act categorizes predictive systems by risk level. Statistical anthropometric prediction from height and weight does not involve biometric identification, real-time surveillance, or any practice prohibited under Article 5. It does not use social scoring and is not applied by the API itself in high-risk domains (medical device, employment decisions, credit scoring).
DimensionsPot outputs are not medical advice and are not intended for clinical decision-making. The Confidence Score and 95% prediction interval are statistical outputs — not diagnostic assertions.
For security audits
| Question | Answer |
|---|---|
| Does the API store personal data? | No |
| Does the API process biometric data? | No |
| Is a data processing agreement required? | No |
| What data is logged? | Timestamp, HTTP method, endpoint path, status code, latency |
| Is request body data logged? | No |
| Where is data processed? | In-memory, per-request, discarded after response |
| Data retention schedule | No retention — nothing is persisted |
| SOC 2 / ISO 27001 | Contact support@dimensionspot.com |