Privacy Policy
How we collect, use, share, and protect personal data — and your rights over it.
Last updated: 4 June 2026
This Privacy Policy explains how UOUODUO Labs (“UOUODUO”, “we”) processes personal data when you use the AI gateway, websites, and APIs (the “Service”). For users in the European Economic Area and the United Kingdom, UOUODUO is the data controller for account and site data. [Controller entity, EU/UK representative, and DPO contact to be confirmed by counsel.]
1. Data we collect
We collect:
- Account data — username, email, display name, and authentication data.
- Usage and billing data — API keys, projects, requests, token counts, costs, credits, and transactions used for routing, billing, and troubleshooting.
- Log and technical data — request metadata, timestamps, IP address, and device/browser information.
- Request content — prompts and outputs you send through the gateway, which are transmitted to the relevant model provider to fulfil your request.
2. How we use data
We use personal data to provide and secure the Service, route and bill requests, prevent abuse and fraud, provide support, comply with legal obligations, and — only with your consent — to measure aggregate usage through analytics.
3. Legal bases (EEA/UK)
We rely on: performance of a contract (to provide the Service); legitimate interests (security, abuse prevention, improving the Service); consent (analytics cookies and optional communications); and compliance with legal obligations (tax, accounting). You may withdraw consent at any time.
4. Sharing and sub-processors
We share data with: model providers that fulfil your requests; infrastructure, hosting, and payment processors acting as sub-processors; and authorities where required by law. We do not sell personal data. [A current list of sub-processors to be maintained by the Company.]
5. International transfers
Where data is transferred outside the EEA/UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses. [Transfer mechanisms to be confirmed per sub-processor.]
6. Retention
We keep personal data for as long as your account is active and as needed to provide the Service, then for the periods required for legal, tax, and security purposes, after which it is deleted or anonymised. [Specific retention periods to be confirmed by counsel.]
7. Your rights (GDPR/UK GDPR)
Subject to applicable law, you may request access, correction, deletion, restriction, and portability, object to certain processing, and lodge a complaint with your supervisory authority. To exercise these rights, contact [privacy@uouoduo.example].
8. California privacy rights (CCPA/CPRA)
California residents have the right to know, delete, and correct personal information, and to opt out of its “sale” or “sharing”. We do not sell personal information. To exercise these rights, contact [privacy@uouoduo.example]; we will not discriminate against you for doing so.
9. Cookies
We use strictly necessary cookies for sign-in and security, and — with your consent — analytics cookies. Manage your choices anytime via the cookie settings in our footer. See the Cookie Policy for details.
10. Security
We apply technical and organisational measures appropriate to the risk. Gateway admin credentials are never exposed to the browser. No method of transmission or storage is completely secure.
11. Children
The Service is not directed to children under 16 and we do not knowingly collect their data.
12. Changes and contact
We may update this Policy and will notify you of material changes. Questions or requests can be sent to [privacy@uouoduo.example].