Privacy Policy

Summary

• We do not log the contents of your prompts or completions by default. Body capture is opt-in and controlled per account from your Privacy & Logging Controls page.
• We always log metadata needed to run the service: model id, upstream provider, token counts, latency, status code, timestamp, and a truncated cache key.
• We never sell user data. We do not train models on your traffic. We do not route to providers whose terms permit training unless you have explicitly opted in.
• You can export or delete your account data from the dashboard at any time.

Data we collect

Account data

When you sign in, our authentication provider (Clerk) supplies us with your email address, a stable user identifier, and any profile fields you choose to share (name, avatar). We store these in our database to associate keys, presets, and usage records with your account. We do not store passwords; Clerk handles authentication directly.

API keys

Inference keys (prefix sk-ar-) and management keys (prefix ak_) are generated on request and stored in our database. Inference keys are hashed and cached for fast verification. Bring-your-own-key (BYOK) credentials you provide for upstream providers are encrypted at rest with a per-row salt; the plaintext is only available in memory at the moment a request is being forwarded.

Request metadata

For every request you send through the gateway we record: timestamp, the inference key used (by hash), the model id requested, the upstream provider selected, prompt and completion token counts, latency, HTTP status code, and the IP address the request originated from. This is the minimum set we need to bill, debug, and meet our own security obligations.

Request and response bodies

We do not store the contents of your prompts or model completions unless you explicitly enable the "Log request/response bodies" switch on your Privacy & safety dashboard. When the switch is on, the full payload (messages, tool calls, attached images) is stored alongside the metadata above, subject to your configured retention window. Bodies are automatically passed through a PII redactor before persistence; you can disable redaction or supply custom rules. Turning the switch off stops new bodies from being stored; previously stored bodies age out on the retention window.

What upstream providers see

AnyRouter forwards your request body to whichever upstream provider is selected by your routing configuration. The provider receives the full prompt and any attached content; AnyRouter cannot strip data from a request without breaking the request. Each provider has its own privacy and data-handling terms. The set of providers eligible to receive your traffic is controlled by your account's training-consent toggles and provider block list. By default, AnyRouter excludes any provider whose terms permit training on paid or free traffic.

Cookies and analytics

The dashboard and marketing site set session cookies for authentication (via Clerk) and first-party cookies for UI preferences. We do not use third-party advertising trackers. We may use first-party server-side analytics to measure aggregate traffic to public pages; these analytics do not identify individual users.

How we use data

• Operate the service. Authenticate requests, route to the chosen upstream, return responses, enforce rate limits, and bill usage.
• Debug and improve reliability. Investigate errors, identify slow or failing providers, and tune routing heuristics. We rely on metadata for this; we do not read stored bodies unless you have explicitly opened a support ticket and granted access.
• Security. Detect abuse, credential stuffing, and policy violations. IP addresses and request patterns are retained for this purpose.
• Communication. Send transactional email about your account, key rotations, billing events, and incident notifications. We do not send marketing email without opt-in.

We do not use your prompts, completions, or routing patterns to train our own models. We do not sell, rent, or share your data with advertisers or data brokers.

Subprocessors

AnyRouter relies on the following processors to deliver the service. Each has its own privacy commitments and data-handling terms; we contract for the minimum scope required.

• Cloudflare — Workers, D1, KV, R2, and AI Gateway. Hosts the API, stores metadata and account records, and proxies requests to upstream providers.
• Clerk — Authentication, session management, organization membership. Receives your email and profile information when you sign in.
• Upstream LLM providers — OpenAI, Anthropic, Google, xAI, Z-AI, DeepInfra, Together, Groq, Mistral, and others. Each receives the prompts you route to it. The full eligible set depends on your account's consent and block-list configuration.
• Stripe (if applicable to your plan) — Payment processing for paid plans. Receives billing information directly; AnyRouter does not see or store card numbers.

Retention

• Account and key records — retained for the life of your account, plus up to 30 days after deletion for backup expiry.
• Request metadata — retained per your plan's retention window (typically 30 to 90 days), then aggregated into anonymous monthly totals and the per-request rows are deleted.
• Request and response bodies — only stored when you opt in, and only for the retention window configured on your account. The default is 7 days.
• Security and abuse logs — retained for up to 12 months to support incident response.

Your rights

Depending on where you live, you may have the right to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain kinds of processing. You can exercise most of these rights directly from the dashboard:

• Access & export — download a JSON export of your account data from the Settings page.
• Correct — update profile fields on the Account page.
• Delete — delete your account from the Settings page. Deletion is irreversible and removes all keys, presets, logs, and metadata associated with the account. A small set of records may be retained where required by law (e.g., payment records for tax purposes).

For any right that is not exposed in the dashboard, email privacy@anyrouter.dev. We will respond within 30 days.

Security

Data in transit is protected by TLS 1.2 or higher. Sensitive at-rest data — BYOK credentials, webhook secrets — is encrypted with per-row salts. We run on Cloudflare Workers with isolation enforced at the runtime level. Access to production systems is restricted, logged, and reviewed.

No system is perfectly secure. If you discover a vulnerability, please email security@anyrouter.dev. We do not pursue legal action against researchers who report issues in good faith.

International transfers

AnyRouter runs on Cloudflare's global network. Your data may be processed in any region Cloudflare operates. Where required, transfers are governed by standard contractual clauses between us and our subprocessors. Some upstream providers are U.S.-based and process data in the United States; the "Always enforce ZDR" control on the Privacy & safety dashboard restricts routing to providers offering zero-data-retention guarantees.

Children

AnyRouter is not directed at children under 16 and we do not knowingly collect personal data from anyone in that age range. If you believe a child has provided us with personal data, contact us and we will delete it.

Changes to this policy

We will update this page when our data practices change. The effective date at the top reflects the most recent revision. For material changes affecting how we use or share your data, we will email account holders before the change takes effect.

Contact

Privacy questions: privacy@anyrouter.dev
Security disclosures: security@anyrouter.dev
General support: support@anyrouter.dev