Legal
Privacy Policy
Effective 2026-06-01. Plain-English summary of what we collect, why, how long we keep it, and the choices you have.
What we collect
| Data | Why | Retention |
|---|---|---|
| Email address | Deliver your API key, account notices | Until you delete the account |
| API key hash + prefix | Authenticate your requests | Until you revoke the key |
| Per-request usage events (tokens, model, latency, status, IP, UA) | Billing, rate limits, abuse investigation | 90 days, then purged automatically |
| Webhook delivery log (Paddle event_id, event payload, status) | Dispute resolution, dedup, debugging | 180 days, then purged automatically |
| Login attempts and brute-force counters | Stop credential-stuffing attacks | 1 hour sliding window |
We do not log the contents of your prompts or the model completions. The proxy records metadata only — enough to bill you and to debug incidents. Your prompt text never lands in our database.
Why we can run on minimal data
Routing a chat completion needs a token count, a model identifier, and a cost. We don't need the prompt text, and storing it would make us a target for a data breach while delivering no operational value. The same logic applies to completions.
Sub-processors (third parties we share data with)
| Sub-processor | Data shared | Purpose |
|---|---|---|
| Managed Postgres (DigitalOcean) | All persistent data | Storage, EU region |
| Managed Redis/Valkey (DigitalOcean) | Rate-limit counters, sessions | Caching, EU region |
| Upstream model provider | Your prompt and the model you chose | Inference |
| Paddle | Email, payment details (via Paddle) | Payment processing |
| Resend | Transactional email (API key delivery) |
Upstream providers receive your prompts because that's the point of an inference API. We pick providers with reasonable data-handling practices and configure them to discard inputs after the request completes (where the provider supports zero-retention). We do not contractually prohibit an upstream from logging your prompts — check each provider's own policy if that matters to your use case.
Cookies
We use strictly necessary cookies for the customer dashboard session and CSRF protection. We do not use analytics or advertising cookies. The cookies are first-party, HttpOnly, SameSite=Lax, and are not shared with any third party.
Your rights (GDPR)
If you're in the EU/EEA, you have the right to:
- Access — request a copy of all personal data we hold about you. Email [email protected] and we'll send you a JSON export within 30 days.
- Rectification — correct inaccurate data. Self-serve in the dashboard for everything except email (which is your login identifier).
- Erasure — delete your account and all associated data. Self-serve from the dashboard settings, or email us if you can't log in.
- Portability — the access export is machine-readable JSON.
- Object / restrict processing — write to us. The only automated decisioning is rate-limiting and credit enforcement; we can pause either at your request.
- Complain to a supervisory authority — if we don't resolve a request to your satisfaction, you can escalate to your local data protection authority (in Germany: the BfDI at each Land; in practice most cases go to the Hessian Datenschutzbeauftragte since we're registered in Frankfurt).
Security
- All traffic is TLS 1.2+ in transit. HSTS is enabled.
- API keys are stored as SHA-256 hashes — the raw key exists only in your inbox and your code, never in our database.
- Sessions are signed with an HMAC key that lives only in process memory; rotation logs out all users.
- All production deploys are read-only filesystems with no-new-privileges and all capabilities dropped.
- Database access is restricted to the application server's private network. No public Postgres endpoint.
Children
The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has created an account, email [email protected] and we'll delete it.
Changes to this policy
Material changes are announced by email at least 30 days before they take effect. Non-material changes (typo fixes, clarifications) are published silently.
Contact
Data controller: veritas, Frankfurt, Germany. Reach the privacy team at [email protected].
Last updated 2026-06-01.