Privacy Policy

Effective date: July 7, 2026

1. What we collect. Account data: email, name, organization, hashed credentials, MFA secrets, role and billing metadata. Request metadata (default): timestamps, model requested and served, provider, credential source, token counts, latency, cost, success/failure, routing reason, budget scopes checked, and route explanation. Request bodies: not stored by default; a workspace admin may opt in per workspace and can opt out again. BYOK provider keys: stored envelope-encrypted, decrypted only in memory at request time, never written to logs; you can rotate or delete them at any time. Billing: handled by Stripe; we store customer, subscription, checkout, invoice, and ledger metadata, never card numbers. Cookies: an httpOnly session cookie for the dashboard; no advertising trackers. Product analytics: PostHog in cookieless mode โ€” anonymous usage events (page views, feature clicks) held in memory, no analytics cookies, no cross-site identifiers, never used for advertising.

2. Where your prompts go. To serve a request, its content is transmitted to the provider selected by your routing policy, such as OpenRouter, Z.ai, DeepInfra, an approved direct provider, or your own BYOK provider. Each endpoint carries a data-policy flag (may-log / no-training / zero-retention / unknown) sourced from provider disclosures where available; an unknown policy never satisfies a stricter requirement you set. Providers process your requests under their own terms and policies.

3. How we use data. To operate, meter, secure, and bill the service; enforce budgets and provider policies; detect abuse and provider failures; compute aggregate provider quality statistics from metadata and synthetic probes; communicate account, billing, and service notices; and comply with law. We do not sell personal data and do not use your prompts or outputs to train models.

4. Retention. Metadata, financial ledgers, and route explanations are retained for 18 months for billing integrity, audit, dispute handling, and security, then aggregated or deleted where feasible. Opt-in prompt/response bodies are retained for 30 days rolling unless you delete them sooner. Deleted BYOK keys are removed from serving immediately and from backups within 35 days. Account deletion removes personal data within 30 days except records we must keep for tax, audit, security, legal, or legitimate business purposes.

5. Security. TLS in transit; encryption at rest; envelope encryption for secrets; least-privilege service roles; append-only financial ledgers; production access controls; rate limits; and operational audit logs. No method is perfect; we will notify you of breaches as required by law.

6. Your rights. You may request access, export, correction, deletion, or objection where applicable law provides those rights. Contact [email protected]. We aim to respond to verified requests within 30 days. WebikAI is a US-based beta service and does not currently claim EU data residency or a full GDPR transfer framework for all use cases; customers needing a DPA, SCCs, or regulated data handling should contact us before processing production personal data through the service.

7. Changes. We will provide at least 14 days notice for material privacy changes where practical. Continued use after the effective date means acceptance of the updated policy.