Privacy Policy
Data Controller
Ali Lamari
Reginastr. 14
34119 Kassel, Germany
Email: [email protected]
VAT ID and legal entity details will be added upon business registration.
What we collect and why
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Account creation, login, transactional emails | Contract performance |
| API keys (hashed) | Authentication for API requests | Contract performance |
| API request metadata | Usage metering, billing, abuse prevention | Legitimate interest |
| IP address | Security, rate limiting | Legitimate interest |
| Billing information | Payment processing — managed by Polar, not stored by us | Contract performance |
We do not use advertising trackers, marketing pixels, or analytics cookies. We do not sell your data to third parties.
API input processing
task and input
fields you send are processed on third-party GPU infrastructure where we deploy and run our own software. Do not include personal
data of third parties in API inputs unless you have a legal basis to process that
data and have disclosed this to the individuals concerned.
The content of task and input fields is not intentionally stored.
It is processed transiently in memory and discarded after the response is returned.
We only retain request metadata (timestamp, API key ID, response status, token count)
for billing and abuse prevention.
Third-party services (subprocessors)
| Service | Purpose | Location |
|---|---|---|
| OVH | Infrastructure and database hosting | EU (France) |
| Polar | Billing and payment processing | US |
| MXroute | Transactional email delivery (OTP, notifications) | US |
| GPU infrastructure providers | AI inference compute — we deploy and run our own software on third-party hardware | Global |
For transfers outside the EU (Polar, GPU infrastructure providers), we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism under GDPR Art. 46. For transactional email (MXroute, US), transferred data includes recipient email address and minimal metadata required for delivery. GPU infrastructure providers supply hardware only and do not process data for their own independent purposes.
Cookies
We use a single strictly necessary HTTP-only session cookie for authentication. This cookie does not track you across sites and does not require consent under GDPR or ePrivacy rules. We use no advertising, analytics, or marketing cookies.
Data retention
- Task and input content — not stored; processed transiently in memory and discarded after each request
- Account data — retained until you delete your account
- API request metadata — 90 days
- Billing records — 7 years (legal obligation under German tax law)
- Session tokens — expire after 30 days of inactivity
Your rights
Under GDPR you have the right to:
- Access — receive a copy of the data we hold about you
- Correction — have inaccurate data corrected
- Deletion — request erasure of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest
- Restriction — request that we limit how we process your data
To exercise any right, email [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. In Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).
Security
Account data and request metadata are stored on EU infrastructure (OVH, France). AI inference runs on third-party GPU infrastructure on which we deploy our own software stack — inputs are not intentionally stored on disk and are processed transiently in memory. Data is encrypted in transit (HTTPS/TLS). API keys are stored as hashed values — we cannot retrieve your raw key. Access to production systems is restricted and logged.
Changes to this policy
We will notify registered users by email at least 14 days before material changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Contact
For privacy questions or data requests: [email protected]