Privacy Policy

Introduction

Onerouter ("we", "our", or "us") operates the website onerouter.app and provides an API relay service that enables developers to access leading large language models. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you use our service.

We are committed to protecting your privacy and being transparent about our practices. Our service is designed with privacy at its core: we do not log, store, or monitor the content of your prompts or model completions. Please read this policy carefully.

1. Information We Collect

1.1 Information You Provide

Account Information: When you sign up, we collect your email address and a hashed password. You may also choose to set up multi-factor authentication, which may involve collecting a phone number or authenticator app metadata.

Payment Information: Our payment processing is handled by Stripe. When you make a purchase, you provide payment card details directly to Stripe. Onerouter may have access to transaction records and the last four digits of your card, your billing address, and subscription status via Stripe's dashboard for billing, fraud prevention, and support purposes. We do not store full card numbers on our own servers.

Communications: If you contact us (e.g., via support@onerouter.app), we collect the content of that correspondence and your contact details.

1.2 Information Collected Automatically

When you use our API, we automatically collect certain metadata that is essential for service operation, billing, and security:

API Call Metadata: Timestamp, IP address, token usage count, request ID, response status code, and the model endpoint called. This helps us calculate billing, prevent abuse, and monitor infrastructure health.

Website Usage Data: When you visit our website or dashboard, we may collect standard log data (IP address, browser type, pages visited) using minimal analytics. This data is aggregated where possible and not used to track individual browsing across the web.

What we do NOT collect: We do not log, store, or examine the content of your prompts (input) or completions (output). They are processed in memory transiently and never written to disk in our systems.

2. How We Use Your Information

We use your personal data for the following purposes:

Service Provision: To create and maintain your account, authenticate you, process API requests, and deliver our services.

Billing & Payments: To calculate usage charges, process payments via Stripe, and maintain financial records.

Security & Abuse Prevention: To monitor and prevent fraudulent, unauthorized, or illegal activity. Metadata may be used for rate limiting and threat detection.

Communication: To send important account updates, security alerts, and support responses. We do not send marketing emails unless you explicitly opt in.

Importantly, we never use your prompts or completions for training machine learning models or any purpose beyond delivering the API service to you.

3. Data Sharing & Disclosure

We do not sell your personal information. We may share data only in the following limited circumstances:

Service Providers: We engage Stripe for payment processing. We may use cloud infrastructure providers such as AWS, GCP, or Azure to host our service. These providers are contractually bound to process data only on our instructions.

Legal Requirements: We may disclose information if required to do so by law or in response to valid legal process, such as a court order or subpoena.

Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, with the assurance that confidentiality will be maintained.

4. Data Retention

Account Information: Retained for as long as your account is active. Upon account deletion, we will remove your email and profile data within 30 days.

API Call Metadata: Retained for up to 90 days for billing verification, debugging, and abuse monitoring. After that, it is permanently deleted or irreversibly anonymized.

Payment Records: Financial transaction records are kept for the period required by applicable tax and accounting laws (typically 5–10 years).

Correspondence: Support emails are retained for up to 2 years to ensure continuity.

5. Data Security

We implement robust technical and organizational measures:

  • Encryption: All data in transit is encrypted using TLS 1.3. Data at rest is encrypted with AES-256.
  • Access Control: Access to personal data is strictly limited to authorized personnel on a need-to-know basis, protected by multi-factor authentication.
  • Infrastructure Security: Our systems are continuously monitored for vulnerabilities, and we undergo regular security reviews.
  • Multi-Factor Authentication (MFA): We strongly encourage and support MFA for your account.

6. International Data Transfers

Onerouter is based in HongKong, China, and our server infrastructure may be located in various regions worldwide to ensure low latency. When we transfer data internationally, we ensure adequate safeguards are in place, such as incorporating the European Commission's Standard Contractual Clauses (SCCs) and adhering to applicable legal frameworks. By using our service, you consent to such transfers.

7. Your Data Protection Rights

Depending on your jurisdiction, you may have the following rights:

GDPR (EU/EEA): Right of access, rectification, erasure, restriction of processing, data portability, and the right to object to processing.

CCPA/CPRA (California): Right to know what personal information is collected, right to delete personal information, right to opt-out of the sale of personal information (note: we do not sell data), and right to non-discrimination.

General: You can update your account information directly in the dashboard. For any other requests, contact us at support@onerouter.app. We will respond within 30 days.

8. Children's Privacy

Our service is not directed to individuals under the age of 13 (or 16 in some EU countries). We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on our website prior to the change becoming effective.

10. Contact Us & Data Protection Officer

For questions about this policy or to exercise your rights, please contact our Data Protection Officer at:

Email: support@onerouter.app (please include "DPO Inquiry" in the subject line)