Skip to content

Privacy policy

Last updated: July 12, 2026

In short

Browsing the marketing site collects no personal data and loads no third-party analytics. An account stores only what's needed to run it — your e-mail, plan, and usage counts. We never store the content of your prompts or the models' replies, and we never use them to train models. The CLI has no telemetry.

1. Who we are

The data controller is [legal entity — complete before going live]. For any privacy request, contact [privacy e-mail].

2. Data we collect

Account data: your e-mail and an encrypted password (via our auth provider, Supabase); your plan, subscription status and credit balance.

Usage data: aggregate request counts and token totals per billing period, used to enforce plan limits and show your dashboard.

API keys: only a cryptographic hash of each key is stored. The key itself is shown once, at creation, and never kept in readable form.

Technical data: your IP address and basic request metadata are processed transiently for rate-limiting, security and abuse prevention.

Payment data: handled entirely by Stripe (see §4). We do not collect or store card numbers.

3. Prompts, code & model requests

When you use the hosted API, your prompts and any file contents you include are sent to our endpoint and forwarded to a third-party model-routing provider only to generate the response.

We do not retain this content beyond what is needed to serve the response, and we do not use it to train any model. The routing provider and underlying model providers process it transiently under their own terms; abuse-detection systems on their side may briefly retain flagged content.

4. Payments

Subscriptions and credit packs are processed by Stripe. Card details go straight to Stripe and never touch our servers; we only receive a customer reference and payment status.

5. How we use data

To provide and secure the service, authenticate you, enforce plan and rate limits, process payments, prevent fraud and abuse, provide support, and comply with legal obligations. Our legal bases are performance of our contract with you, our legitimate interest in running a secure service, and consent where required.

6. Sharing & sub-processors

We share data only with the processors needed to run the service — Supabase (auth/database), Stripe (payments), and a third-party model-routing provider — each under a data-processing agreement. We may also disclose data where required by law or to protect the service, and in a business transfer. We do not sell your personal data. A current sub-processor list is available on request.

7. Retention

Account data is kept while your account exists and deleted when you delete it. Usage aggregates are retained per billing period for accounting. Technical logs are kept only briefly for security. Some records may be retained longer where the law requires.

8. Security

API keys are stored only as hashes; the service-role database key is server-only. Traffic is encrypted in transit, access follows least-privilege, and per-key rate limits bound abuse. No method of transmission or storage is 100% secure, but we apply commercially reasonable technical and organizational measures.

9. Your rights

Depending on where you live, you may access, correct, export, delete, or restrict your data, object to processing, and withdraw consent. You can delete your account yourself from the dashboard — this removes your profile, keys and usage records and cancels any active subscription. To exercise other rights, contact [privacy e-mail]. You may also complain to your local data-protection authority.

10. Cookies

Signed-in sessions use one strictly necessary authentication cookie (set by Supabase) to keep you logged in — not for tracking or advertising. Your cookie-banner choice and theme are stored in your browser's localStorage. We set no advertising cookies.

11. Children

The service is not directed to children under 16, and we do not knowingly collect their data. If you believe a child has created an account, contact us and we will delete it.

12. Changes & contact

We will post any changes here with a new date; significant changes will be highlighted. Questions or requests: [privacy e-mail — complete before going live].