Legal
Privacy Policy
Last updated: July 4, 2026
This policy explains what data RouterPlex collects, why we collect it, and where your prompts actually go. We have tried to keep it short and honest.
01What we collect
- Account data — email address, first and last name, a salted hash of your password (never the password itself), and, if you enable it, a TOTP two-factor secret.
- Usage metadata — per-request logs with timestamp, model, token counts, cost, and the API key used. This powers your dashboard analytics and billing.
- Payment records — top-up amount, payment method, status, and a payment reference from the processor. Card details are handled entirely by our payment processors and never reach our servers.
- GitHub OAuth — if you sign in with GitHub we receive your GitHub account ID and email address, nothing else.
02Your prompts and outputs
To answer a request we must forward your prompt to the third-party provider operating the model you selected, and return its response. That provider processes your prompt under its own privacy terms — this is inherent to what an AI gateway does.
We do not use your prompts or outputs to train models, and we do not sell them. Prompt and output content is not stored in your dashboard logs — only the usage metadata listed above (model, tokens, cost). Transient copies may exist in server memory and short-lived error logs while a request is being processed.
03Cookies
We use exactly one cookie: a session cookie that keeps you signed in (httpOnly, secure, first-party, expires after one hour). No analytics cookies, no advertising trackers, no third-party scripts.
04Who we share data with
- Model providers — receive your prompts to generate a response, as described above.
- Payment processors — process card and crypto top-ups; they see the payment details, we see only the reference.
- Infrastructure — our servers and databases, operated by us and our hosting provider.
We do not sell personal data to anyone. There are no advertising partners.
05Retention
Account data is kept while your account exists. Usage metadata and payment records are kept for accounting and abuse prevention. If you delete your account, we delete or anonymize your personal data within 30 days, except records we are legally required to keep (e.g. payment records for tax purposes).
06Your rights
You can access and update your account data from the dashboard. You can request a copy of your data, or deletion of your account and data, by emailing us. Depending on where you live (e.g. under GDPR), you may also have rights to restrict or object to processing and to lodge a complaint with a supervisory authority.
07Security
All traffic is encrypted in transit (TLS). Passwords are stored as salted hashes, API keys are held only in hashed or encrypted form by the gateway, two-factor authentication is available on every account, and access to production systems is restricted. No system is perfectly secure — if we learn of a breach affecting your data, we will notify you without undue delay.
08Changes & contact
We will announce material changes to this policy on the website or by email. Privacy questions and requests: [email protected]