Privacy Policy
We are committed to protecting your privacy and being transparent about how we handle data.
Last updated: April 28, 2026
1. Introduction
AI Control Plane Gateway ("we", "us", "our") operates the website aicontrolplanegateway.com and the managed API gateway service ("Service"). This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.
This policy applies to users of the managed/hosted Service. Users of the self-hosted open-source version process all data on their own infrastructure, and this policy does not apply to them.
2. Information We Collect
2.1 Account and Contact Information
When you create an account or contact us, we collect:
- Name and email address
- Company or organization name
- Billing information (processed by our payment provider, not stored by us)
- IP address and browser information (for security purposes)
2.2 API Usage Data
When you use the managed Service, we collect:
- Request metadata: timestamp, model requested, token counts, latency, provider selected, cache hit/miss, cost estimate. We do NOT store the full request/response body in our analytics systems.
- Audit logs: For compliance tiers, an encrypted, immutable record of each request is stored. The contents and retention period depend on your subscription and configuration.
- Error logs: When requests fail, error details (excluding request body content) are logged to enable debugging and reliability improvements.
2.3 Website Analytics
Our website uses privacy-preserving analytics to understand page traffic. We use no third-party advertising trackers. Analytics data is aggregated and cannot identify individual visitors.
3. How We Use Your Information
- Service delivery: Routing requests, managing budgets, enforcing policies, and providing the features you subscribed to.
- Billing and account management: Sending invoices, processing payments, and managing your subscription.
- Security: Detecting and preventing abuse, fraud, and unauthorized access.
- Support: Responding to your inquiries and debugging issues you report.
- Product improvement: Understanding aggregate usage patterns to improve reliability and add features. We do not use request content to train AI models.
- Legal compliance: Meeting our legal obligations, including retaining audit logs as required by applicable law or contract.
4. PHI and Sensitive Data
The Service includes PHI redaction capabilities. When enabled, PHI is detected and replaced with anonymized placeholders before the request is forwarded to any LLM provider. The original PHI values are held in memory only for the duration of the request to restore the response and are never written to disk or external storage.
Users who are HIPAA-covered entities must execute a Business Associate Agreement (BAA) before transmitting PHI through the Service (Enterprise plan required). Without a BAA, PHI must not be transmitted.
We do not process PHI for any purpose other than providing the redaction/restoration pipeline service you have requested.
5. Data Sharing and Third Parties
We do not sell your data. We share data only in the following circumstances:
- LLM Providers: Your requests (after PHI redaction, if enabled) are forwarded to the LLM provider you have selected. Their privacy policies govern that processing.
- Payment Processors: Billing information is handled by our payment processor (Stripe). We do not store full payment card details.
- Infrastructure Providers: The managed Service runs on major cloud providers (AWS, Azure, GCP). Data is processed within the regions you configure.
- Legal Requirements: We may disclose information if required by law, court order, or regulatory authority.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.
6. Data Retention
- Account data: Retained while your account is active and for 90 days after deletion, then permanently deleted.
- Audit logs (compliance tiers): Retained per your configuration and contractual requirements (default: 90 days; Healthcare add-on: 7 years).
- Analytics data: Aggregated, anonymized usage statistics retained indefinitely. Raw metadata retained for 30 days.
- Billing records: Retained for 7 years to comply with tax and accounting obligations.
7. Security
We implement industry-standard security measures:
- All data in transit encrypted with TLS 1.3.
- All data at rest encrypted with AES-256.
- API keys stored using salted hashing (we cannot recover your key if lost).
- Access to production systems is limited to authorized personnel via multi-factor authentication.
- We undergo regular security reviews and vulnerability scanning.
Despite these measures, no system is completely secure. If you discover a security vulnerability, please report it responsibly to [email protected].
8. Cookies and Tracking
Our website uses the following types of cookies:
- Strictly necessary: Session cookies required for account authentication and security (cannot be disabled).
- Analytics: Privacy-preserving, first-party cookies to measure page popularity. No cross-site tracking. You can disable these via your browser settings.
We do not use advertising cookies, social media pixels, or third-party tracking scripts.
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your personal data (subject to legal retention requirements).
- Portability: Receive your data in a machine-readable format.
- Objection: Object to certain processing activities.
- Opt-out of marketing: Unsubscribe from marketing communications at any time via the unsubscribe link in emails.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
10. International Data Transfers
The Service operates primarily in the United States. If you are located outside the US, your data may be transferred to and processed in the US. We rely on Standard Contractual Clauses and other approved mechanisms for international data transfers where required.
Enterprise customers can request data residency in specific AWS or Azure regions. Contact us for details.
11. Children's Privacy
The Service is not directed to persons under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email or website notice at least 30 days before changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact Us
For privacy-related questions, requests, or concerns:
AI Control Plane Gateway — Privacy
Email: [email protected]
Website: aicontrolplanegateway.com
For GDPR-specific inquiries, please include "GDPR Request" in your subject line and we will respond within the required statutory period.