PRIVACY POLICY
Last Updated: February 2026
This Privacy Policy explains how personal data is collected, processed, and used when you use our website and services at llmapi.ai (the “Service”). We are committed to protecting your privacy and ensuring transparency about our data practices.
1. Controller and Contact Information
In Short: We are responsible for your data, and you can contact us with any questions.
The website llmapi.ai and the LLM API service are operated by:
Spendbase LTD
Cornwall Buildings, 45 Newhall St
Birmingham B3 3QR
United Kingdom
(hereinafter referred to as “LLM API,” “we,” “us,” or “our”).
We are the controller within the meaning of the EU General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable data protection laws.
For questions about this Privacy Policy or your personal data, please contact us:
Email: privacy@llmapi.ai
2. Information We Collect
In Short: We collect information you provide directly, API usage metadata, and some technical data automatically. You control whether we store your API request content through your data retention settings.
2.1 Information You Provide (Account Information)
When you create an account or communicate with us, we may collect:
- First and last name;
- Email address;
- Company or organization name (if provided);
- Google account information (if you sign up via Google OAuth);
- Content of your communications with us (support requests, feedback).
Sensitive Information: We do not intentionally collect sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data.
2.2 API Usage Data
When you use our API gateway service, we collect metadata about your usage:
- API request metadata (timestamps, model selected, token counts, response times);
- Error logs and status codes;
- Usage analytics (requests per day, costs, provider breakdown);
- Cache hit/miss statistics.
Caching Data: If you enable caching features, we may temporarily store hashed representations or embeddings of your requests to identify similar queries and return cached responses. Cached data is automatically deleted after 30 days. You can disable caching in your dashboard settings.
AI Request Data: Depending on your data retention settings, we may store:
- Retain All Data: Request payloads and responses with metadata
- Metadata Only: Usage, pricing, and provider statistics (excluding request content)
We do not use your data to train AI models.
2.3 Information Collected Automatically
When you visit our website, certain technical information is collected automatically:
- IP address;
- Browser type and version;
- Operating system;
- Date and time of access;
- Pages visited and referring URL;
- Device type and screen resolution.
This information is necessary to ensure the functionality, security, and optimization of our Service.
2.4 Categories of Personal Information Collected (California Residents)
We collect the following categories of personal information as defined by the California Consumer Privacy Act (CCPA):
- Identifiers (name, email address, IP address, account credentials)
- Professional information (company name)
- Internet activity (browser type, pages visited, API usage metadata)
- Inferences (usage patterns for analytics purposes)
We do not collect: biometric information, precise geolocation data, sensory data, or the content of your AI prompts/responses.
3. How We Use Your Information
In Short: We use your information to provide the Service, improve our platform, communicate with you, and comply with legal obligations. We do NOT use your data to train AI models.
We process your personal information for the following purposes:
- To provide, maintain, and improve our LLM API gateway service;
- To authenticate and manage your account;
- To process payments and manage your subscription;
- To display usage analytics and cost breakdowns in your dashboard;
- To route your API requests to the appropriate AI provider;
- To communicate with you about your account, service updates, and security alerts;
- To respond to your inquiries and provide customer support;
- To ensure platform security and prevent fraud;
- To analyze usage patterns and optimize Service performance;
- To comply with legal obligations and regulatory requirements;
- To send marketing communications (with your consent, where required).
We do NOT use your data to train AI models. Your API requests, prompts, and responses are never used for machine learning training purposes by us. The AI providers you access through our Service may have their own data usage policies, which we encourage you to review.
4. Legal Bases for Processing
In Short: We only process your data when we have a valid legal basis under applicable law.
Under GDPR and UK GDPR, we rely on the following legal bases:
Contract Performance (Art. 6(1)(b) GDPR): To provide the Service, manage your account, process payments, and route your API requests.
Consent (Art. 6(1)(a) GDPR): For non-essential cookies (analytics, marketing), marketing communications, and where otherwise required. You may withdraw consent at any time.
Legitimate Interests (Art. 6(1)(f) GDPR): To operate and improve our Service, ensure security, prevent fraud, and conduct analytics, where these interests do not override your rights.
Legal Obligations (Art. 6(1)(c) GDPR): To comply with applicable laws, tax requirements, and regulatory obligations.
Under CCPA/CPRA, we process personal information for disclosed business purposes and do not “sell” your personal information in the traditional sense. However, the use of certain advertising cookies may constitute “sharing” for cross-context behavioral advertising purposes (see Section 5.3).
5. Cookies and Tracking Technologies
In Short: We use cookies for essential website functionality, analytics, and advertising. You can manage your preferences through our cookie consent banner.
5.1 What Are Cookies
Cookies are small text files stored on your device when you visit websites. They help websites remember your preferences, authenticate users, and enable certain functions.
5.2 Types of Cookies We Use
Our website uses the following categories of cookies:
Essential/Necessary Cookies
These cookies are strictly necessary for the website to function and cannot be switched off. They are usually set in response to actions you take, such as logging in or setting privacy preferences.
| Cookie Name | Provider | Purpose | Duration |
| __Secure-better-auth.better-auth-passkey | llmapi.ai | Authentication – manages user login sessions securely | 5 minutes |
| wpEmojiSettingsSupports | llmapi.ai | Functionality – determines browser emoji display support | Session |
Analytics/Performance Cookies
These cookies allow us to count visits and traffic sources to measure and improve the performance of our website.
| Cookie Name | Provider | Purpose | Duration |
| _ga | Google Analytics | Distinguishes unique visitors by assigning a randomly generated number | 1 year 1 month |
| _ga_* | Google Analytics | Persists session state and tracks page views | 1 year 1 month |
Advertising/Targeting Cookies
These cookies are used to deliver advertisements more relevant to you and your interests. They may also be used to limit the number of times you see an advertisement and measure the effectiveness of advertising campaigns.
| Cookie Name | Provider | Purpose | Duration |
| _gcl_au | Google Ads | Experiments with advertisement efficiency across websites | 3 months |
| _gcl_ls | Google Ads | Stores ad click information | Persistent |
This table is updated periodically as our technology stack evolves.
5.3 Analytics and Marketing Tools
We use the following analytics and marketing services:
Google Analytics (GA4): Website traffic analysis and user behavior tracking.
Privacy Policy: https://policies.google.com/privacy
PostHog: Product analytics (self-hosted instance).
Privacy Policy: https://posthog.com/privacy
Meta (Facebook) Pixel: Advertising conversion tracking and retargeting.
Privacy Policy: https://www.facebook.com/privacy/policy/
LinkedIn Insight Tag: B2B advertising and conversion tracking.
Privacy Policy: https://www.linkedin.com/legal/privacy-policy
CCPA Notice: The use of Meta Pixel and LinkedIn Insight Tag may constitute “sharing” of personal information for cross-context behavioral advertising under CCPA. California residents may opt out of this sharing (see Section 10).
5.4 Managing Cookies
You can manage your cookie preferences through our cookie consent banner displayed when you first visit our website. You can also control cookies through your browser settings:
- Google Chrome: https://support.google.com/chrome/answer/95647
- Mozilla Firefox: https://support.mozilla.org/kb/cookies-information-websites-store-on-your-computer
- Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471
- Microsoft Edge: https://support.microsoft.com/microsoft-edge/delete-cookies
Please note that blocking essential cookies may prevent some website features from functioning properly.
5.5 Do Not Track and Global Privacy Control
Do Not Track (DNT): As no uniform standard for DNT signals exists, we do not currently respond to DNT browser signals.
Global Privacy Control (GPC): We honor GPC signals as valid opt-out requests for the “sharing” of personal information, as required under CCPA/CPRA. To enable GPC, visit: https://globalprivacycontrol.org
6. Third-Party AI Providers
In Short: We route your API requests to third-party AI providers. Your data is transmitted to and processed by these providers according to their own privacy policies.
LLM API acts as a gateway that routes your requests to various AI model providers. When you make an API request, your prompts and data are transmitted through our servers to the selected provider for processing.
Current AI providers include:
- OpenAI
Privacy Policy: https://openai.com/privacy
- Google (Vertex AI / AI Studio)
Privacy Policy: https://policies.google.com/privacy
- AWS Bedrock
Privacy Policy: https://aws.amazon.com/privacy/
- Moonshot AI
Privacy Policy: https://www.kimi.com/user/agreement/userPrivacy?version=v2
This list may be updated as we add support for additional providers. The current list of supported providers is available in our documentation.
Important: Each AI provider processes your data according to their own terms of service and privacy policies. We encourage you to review the privacy policies of any providers whose models you use. We do not control how AI providers process your data once it is transmitted to them. We act solely as a routing and analytics layer.
When you use our Service, you acknowledge that:
- Your prompts and data are transmitted to and processed by third-party AI providers;
- Each provider has their own data retention and usage policies;
- Some providers may use data for model improvement unless you opt out directly with them;
- You are responsible for compliance with each provider’s acceptable use policies.
7. Disclosure of Information
In Short: We share your information only with trusted service providers, AI providers for routing, and when required by law. We do not sell your personal information.
We may share your personal information with the following categories of recipients:
Service Providers
- Stripe, Inc.:
Payment processing. We do not store your credit card information.
Privacy Policy: https://stripe.com/privacy
- Amazon Web Services (AWS):
Cloud hosting infrastructure (Frankfurt, Germany).
Privacy Policy: https://aws.amazon.com/privacy/
- Google LLC:
Analytics (Google Analytics), OAuth authentication.
Privacy Policy: https://policies.google.com/privacy
- PostHog:
Product analytics (self-hosted instance).
Privacy Policy: https://posthog.com/privacy
AI Providers
When routing your API requests to AI models (OpenAI, Google, AWS Bedrock, Moonshot AI), your prompts and data are transmitted to these providers. See Section 6 for details.
Analytics and Advertising Partners
Google Analytics, Meta (Facebook), and LinkedIn receive data through cookies and tracking pixels for analytics and advertising purposes. See Section 5.3 for details.
Legal Requirements
We may disclose your information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to:
- Comply with applicable laws and regulations;
- Protect our rights, property, or safety;
- Prevent fraud or illegal activities;
- Respond to valid legal requests.
Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have regarding your information.
Sale/Sharing of Personal Information: We do not “sell” your personal information in the traditional sense. However, the use of advertising cookies (Meta Pixel, LinkedIn Insight Tag) may constitute “sharing” for cross-context behavioral advertising under CCPA. You may opt out of this sharing through our cookie consent banner or by contacting us.
8. International Data Transfers
In Short: Your data is primarily stored in the EU (Germany). Transfers outside the EEA use appropriate legal safeguards.
Our primary infrastructure is hosted on Amazon Web Services in Frankfurt, Germany, within the European Union.
However, data may be transferred outside the European Economic Area (EEA) or the United Kingdom in the following circumstances:
- When your API requests are routed to AI providers located in the United States or other countries;
- When we use service providers located outside the EEA (e.g., Stripe for payments);
- When you access our Service from outside the EEA.
For transfers outside the EEA/UK, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs;
- EU-U.S. Data Privacy Framework for certified recipients;
- Adequacy decisions where applicable.
For more information about international transfers and the safeguards we use, please contact us.
9. Data Retention
In Short: We retain your data only as long as necessary for the purposes described. API request/response content is NOT retained.
We retain personal information as follows:
| Data Type | Retention Period |
| Account information | Duration of account plus 1 year after deletion |
| API usage metadata (tokens, costs, timestamps) | 90 days |
| API request/response content (prompts, outputs) | Based on your retention policy settings |
| Website log data | 90 days |
| Payment records | As required by law (typically 7 years) |
| Cookie consent records | 3 years |
| Support communications | 3 years from last interaction |
| Cached request data (if caching enabled) | 30 days or until cache invalidation |
We may retain data longer if required by law, for tax purposes, or for the establishment, exercise, or defense of legal claims. When data is no longer needed, it is securely deleted or anonymized.
10. Your Privacy Rights
Under the General Data Protection Regulation, you have the following rights:
- Right of Access: Obtain confirmation of whether we process your data and request a copy;
- Right to Rectification: Correct inaccurate or incomplete personal data;
- Right to Erasure: Request deletion of your personal data (“right to be forgotten”);
- Right to Restriction: Limit how we process your data in certain circumstances;
- Right to Data Portability: Receive your data in a structured, machine-readable format;
- Right to Object: Object to processing based on legitimate interests or for direct marketing;
- Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
You may lodge a complaint with your local supervisory authority:
- UK: Information Commissioner’s Office (ico.org.uk).
- EEA: Your local Data Protection Authority.
10.2 For California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act and California Privacy Rights Act, you have the following rights:
- Right to Know: Request information about data collection, use, and disclosure practices;
- Right to Delete: Request deletion of your personal information;
- Right to Correct: Request correction of inaccurate personal information;
- Right to Opt-Out of Sharing: Opt out of the “sharing” of personal information for cross-context behavioral advertising;
- Right to Non-Discrimination: Equal service and pricing regardless of exercising privacy rights.
To opt out of the sharing of personal information through advertising cookies, you may:
- Use our cookie consent banner to disable advertising cookies;
- Enable Global Privacy Control (GPC) in your browser;
- Contact us at privacy@llmapi.ai.
We do not sell your personal information.
11. Data Security
In Short: We implement appropriate technical and organizational measures to protect your data.
We have implemented security measures including:
- Encryption of data in transit using TLS/SSL (HTTPS);
- Secure hosting on AWS infrastructure with industry-standard security certifications;
- Access controls limiting data access to authorized personnel;
- Regular security assessments and monitoring;
- Secure API key management;
- DMARC email security configuration.
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to addressing any potential data breaches promptly in accordance with applicable laws.
You are responsible for maintaining the confidentiality of your account credentials and API keys.
12. Children's Privacy
In Short: Our Service is not intended for children under 18.
Our Service is designed for businesses and developers and is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information promptly. If you believe we may have collected data from a minor, please contact us at privacy@llmapi.ai.
13. Links to Third-Party Websites
Our website may contain links to external websites, including AI provider documentation and third-party services. We have no control over the content or privacy practices of these third-party sites.
We encourage you to review the privacy policies of any third-party websites you visit before providing any personal information.
14. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
The updated version will be indicated by a revised “Last Updated” date at the top of this policy. We encourage you to review this Privacy Policy periodically.
For material changes, we will provide notice through the Service (such as a banner on our website) or via email to your registered email address before the changes become effective.
15. How to Exercise Your Rights
To exercise any of your privacy rights or for questions about this Privacy Policy, please contact us:
Email: privacy@llmapi.ai
Mail: Spendbase LTD
Cornwall Buildings, 45 Newhall St
Birmingham B3 3QR
United Kingdom
When you submit a request, we will:
- Acknowledge receipt within 3 business days;
- Verify your identity before processing (we may request additional information);
- Respond substantively within 30 days (or 45 days for CCPA requests, with possible extension);
- Provide our response in writing via email.
If you are not satisfied with our response, you have the right to complain to your local data protection authority.