Privacy Policy
Last Modified: March 2026
Auriko, Inc. ("Auriko," "we," "us," or "our") operates a multi-LLM inference routing platform that routes your API requests to optimal large-language-model providers based on performance, cost, and your preferences. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit auriko.ai, create an account, or use our platform and related services (collectively, the "Services").
Our core privacy commitments:
- We do not train AI models on your data. We have no AI training pipeline and do not use your data to train or fine-tune any model.
- We do not sell your personal information. We have never sold personal information and have no plans to do so.
Auriko's Role
When we process your account, billing, and usage data to operate the Services, Auriko acts as the data controller — we determine why and how that data is processed.
When we route your inference requests to LLM providers, Auriko acts as a data processor — we process your content solely on your instructions to deliver the Service.
If you are a business customer using our API, a Data Processing Agreement ("DPA") applies in addition to this Policy. Contact privacy@auriko.ai to request a countersigned copy.
1. Information We Collect
| Category | Examples | Source |
|---|---|---|
| Account Information | Email address, display name, avatar | You provide this when registering via email or GitHub SSO |
| Workspace Information | Team name, workspace slug, member roles, billing email | You provide this when creating or joining a workspace |
| API Keys | Auriko-issued API keys (stored as SHA-256 hashes); your third-party provider keys (encrypted at rest with AES symmetric encryption) | You provide these through the dashboard |
| Request Metadata | Request ID, timestamp, provider, model, tokens in/out, latency (TTFT, total), throughput, success/failure, HTTP status, streaming flag, tool-use flag | Collected automatically when you make inference requests through the Services |
| Billing Information | Credit balance, purchase history, payment method ID, Stripe customer ID, auto-reload preferences | Collected when you purchase credits or configure billing |
| Usage & Log Data | IP address (at the network edge), user agent, request timestamps | Collected automatically when you interact with the Services |
| Cookie & Session Data | Authentication session tokens, CSRF tokens | Set automatically for session management |
| Communications | Support emails, feedback | You choose to send these to us |
What We Do Not Collect
- Biometric data, health data, or government identifiers.
- Precise geolocation. We do not request GPS or fine-grained location access.
2. How We Use Your Information
We use personal information for the purposes described below:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide and operate the Services — authenticate users, route inference requests, display usage in your dashboard, enforce rate limits | Account, Workspace, API Keys, Request Metadata | Performance of contract |
| Process payments and maintain billing — apply credit deductions, process purchases, detect fraudulent transactions | Billing Information, Request Metadata | Performance of contract |
| Secure the Services — detect abuse, prevent unauthorized access, enforce rate limits, monitor system health | Usage & Log Data, Request Metadata, API Keys (hashes only) | Legitimate interest (platform security) |
| Communicate with you — send transactional messages (security alerts, credit-balance notices, workspace invitations), respond to support requests | Account Information, Communications | Performance of contract; legitimate interest (responding to inquiries) |
| Improve the Services — analyze aggregated, anonymized usage to understand performance trends, plan capacity, and optimize routing | Request Metadata (aggregated) | Legitimate interest (service improvement) |
| Comply with law — satisfy legal obligations, enforce our Terms of Service, protect rights and safety | Any category as required | Legal obligation; legitimate interest (protecting rights) |
We may create de-identified or aggregated data that cannot reasonably identify you. We may use and share such data for analytics, capacity planning, and industry benchmarking.
We do not use your data for model training.
3. How We Share Your Information
We may disclose personal information in the following circumstances:
3.1 Sub-Processors
We use a limited set of third-party service providers to operate the Services. Each is bound by contractual confidentiality and data-protection obligations.
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase (via AWS) | Database hosting, authentication, storage | Account, Workspace, encrypted API keys, Request Metadata, Billing | United States |
| Cloudflare | Edge routing, request caching, KV storage, DDoS protection | Request Metadata, API key hashes, rate-limit state | Global (edge network) |
| Stripe | Payment processing | Billing Information, email | United States |
| Railway | Backend API hosting | Account, Request Metadata, Billing | United States |
| Vercel | Frontend hosting | Session cookies, IP address | United States |
| Upstash | Async job queues (billing events, metrics ingestion) | Request Metadata, credit transactions | United States |
| Resend | Transactional email delivery | Email address, message content | United States |
We maintain this sub-processor list and will update it when changes occur. Material sub-processor changes will be communicated to business customers per the DPA.
3.2 LLM Providers You Select
When you make an inference request, your content is forwarded to the LLM provider our routing engine selects (or that you specify). This transmission is the core function of the Services. Each LLM provider processes your content under its own privacy policy and terms.
If you use Bring Your Own Key (BYOK), you select your provider and requests are made using your own credentials. You are responsible for reviewing that provider's privacy practices.
If you use Auriko-managed routing, we select the provider on your behalf based on performance, cost, and your configured preferences. Supported providers include OpenAI, Anthropic, Google, Groq, Fireworks, DeepSeek, Together AI, and others listed in our documentation.
3.3 Legal & Safety
We may disclose personal information to competent authorities where required by law, court order, or governmental regulation, or where we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent fraud or other illegal activity; or (d) protect the safety of users or the public.
3.4 Business Transfers
In connection with a merger, acquisition, financing, or sale of all or a portion of our assets, personal information may be transferred to the acquiring entity, provided the recipient honors this Policy or provides equivalent protections.
3.5 With Your Consent
We may share personal information in other circumstances where you have given us explicit consent.
4. Cookies and Tracking Technologies
We use cookies strictly necessary for the operation of the Services:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Supabase auth session | Strictly necessary | Authenticate your session, maintain login state | Session / 7 days |
| CSRF token | Strictly necessary | Prevent cross-site request forgery | Session |
We do not currently use advertising or tracking cookies.
You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent you from using the Services.
5. Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy:
| Data | Retention Period | Rationale |
|---|---|---|
| Account and Workspace records | Life of account + 60 days after deletion | Account administration; grace period for accidental deletion |
| API keys (hashed) | Until revoked by you or account deletion | Service operation |
| Provider keys (encrypted) | Until removed by you or account deletion | Service operation |
| Request Metadata | 13 months from collection | Usage analytics, billing reconciliation, capacity planning |
| Billing and credit records | 6 years after the relevant tax year | Tax and audit compliance |
| Billing events (idempotency) | 30 days | Prevent duplicate charge processing |
| Workspace invitations | 7 days (auto-expire) | Security; prevent stale invitations |
| Transactional email logs | Per Resend's retention policy | Email delivery |
| Backups | Up to 30 days after source deletion | Disaster recovery |
When data is no longer needed, we delete, anonymize, or aggregate it in accordance with applicable law.
6. Data Security
We employ administrative, technical, and organizational measures to protect your information:
- Encryption in transit: All connections use TLS (HTTPS). No plaintext transmission.
- Encryption at rest: Provider API keys are encrypted using industry-standard symmetric encryption. Auriko-issued API keys are stored as irreversible SHA-256 hashes — we never store your raw API key.
- Infrastructure isolation: Backend services run in isolated containers. Database access is restricted by row-level security (RLS) policies scoped to each workspace.
- Authentication: Supabase JWT with asymmetric key verification (ES256 via JWKS in production). Internal service-to-service authentication uses constant-time comparison to prevent timing attacks.
- Access controls: Role-based workspace permissions (owner, admin, member). Principle of least privilege for infrastructure access.
- Rate limiting: Per-key and per-workspace rate limits enforced at the edge to prevent abuse and protect platform availability.
No internet transmission is fully secure. You are responsible for safeguarding your API keys and account credentials. If you believe your credentials have been compromised, revoke them immediately in your dashboard and contact us.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request confirmation of whether we process your personal information and obtain a copy.
- Correction: Request correction of inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information, subject to legal retention obligations.
- Portability: Receive your personal information in a structured, commonly used, machine-readable format.
- Restriction: Request that we limit processing of your personal information in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Consent withdrawal: Where processing is based on your consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. (Currently, we do not rely on consent as a legal basis for any processing described in this Policy.)
To exercise any right, email privacy@auriko.ai. We will verify your identity before fulfilling requests and respond within the timeframe required by applicable law (30 days under GDPR; 45 days under CCPA). You will not be discriminated against for exercising your rights.
If you believe we have not adequately addressed your concern, you may lodge a complaint with your local supervisory authority:
- EU: Your local data protection authority — list
- UK: Information Commissioner's Office — ico.org.uk
- Switzerland: Federal Data Protection and Information Commissioner — edoeb.admin.ch
8. International Data Transfers
Auriko is headquartered in the United States. Our primary infrastructure is hosted in the United States through Supabase (AWS), Railway, and Vercel. Cloudflare operates a global edge network through which your inference requests are routed.
If you access the Services from outside the United States, your personal information will be transferred to the United States for processing. Where we transfer personal data from the UK, EEA, or Switzerland to the United States or other countries without an adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Article 46)
- UK International Data Transfer Addendum where applicable
For details on specific transfer mechanisms, contact privacy@auriko.ai.
9. U.S. State Privacy Disclosures
9.1 Categories of Personal Information
We collect the following categories of personal information (as defined under the CCPA and similar state laws):
- Identifiers: Email address, display name, IP address, API key hashes
- Commercial information: Credit purchase history, billing records
- Internet or electronic network activity: Request Metadata (model, provider, token counts, latency, success/failure)
- Account credentials: Hashed API keys, encrypted provider keys
9.2 Sale and Sharing
We do not "sell" or "share" (as defined under the CCPA) personal information, nor have we done so in the preceding 12 months.
9.3 California Residents
Under the California Consumer Privacy Act (CCPA), California residents have the right to:
- Know what personal information is collected, used, and disclosed
- Delete personal information
- Opt out of the sale or sharing of personal information (not applicable — we do not sell or share)
- Non-discrimination for exercising privacy rights
To exercise these rights, contact privacy@auriko.ai.
9.4 Nevada Residents
We do not sell personal information as defined under Nevada Revised Statutes Chapter 603A. Opt-out requests may be submitted to privacy@auriko.ai.
10. Children's Privacy
The Services are not directed to children under 13. We do not knowingly collect personal information from anyone under 13 years of age. If you believe a child has provided us personal information, contact privacy@auriko.ai and we will promptly delete it.
11. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will notify you by email to the address associated with your account or by a prominent notice within the Services. The "Last Modified" date at the top of this Policy will be updated accordingly.
Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Policy.
12. Contact Us
Auriko, Inc. Email: privacy@auriko.ai
For data-protection inquiries, include "Privacy Request" in your subject line.