Privacy Policy
Effective date: 2026-05-25
OpenLLM is operated by Quantide LLC, a Wyoming (USA) limited liability company. Privacy questions and rights requests: support@quantide.xyz.
1. Who we are
This Privacy Policy describes how Quantide LLC, a Wyoming limited liability company ("Quantide", "we", "us"), processes personal information when you use the OpenLLM service (the "Service"). For privacy questions, requests, or complaints, contact us at support@quantide.xyz.
This Policy is incorporated into and forms part of the Terms of Service. Capitalised terms not defined here have the meaning given in the Terms.
The Service is available to individuals and organisations. We do not knowingly collect personal information from children under 13. In some EEA member states, processing personal data of users under 16 requires parental or guardian consent; if you are under that age, please obtain consent before using the Service. Do not use the Service if you cannot lawfully agree on your own behalf or on behalf of the organisation you represent.
2. Roles under data-protection law
For account and operational data (sign-in identifiers, audit logs, request metadata, billing-related records), Quantide acts as a controller. For content that you submit through the Service for processing (prompts, files, plugin inputs and their resulting embeddings, and any personal data contained in them — collectively "Customer Content"), Quantide acts as a processor on your behalf and you are the controller. You are responsible for the lawfulness of the Customer Content you submit and for any required notices and consents from the data subjects involved.
When you connect an Upstream Provider, that provider becomes an independent controller (or processor under its own contract with you) for the prompts and outputs sent to it. Their privacy notices apply in addition to this Policy.
3. Information we collect
3.1 Account information
When you sign in with Google through Neon Auth we receive your Google account identifier and the email address associated with it. We store: your user id, email, role (user or admin), terms-acceptance timestamp and version, configuration preferences (e.g. fallback chains, model preferences), and vault metadata (see §3.4).
3.2 Request usage metadata
For every /v1/* call we log to the private requests table: model id, provider, prompt and completion token counts, latency, status (success / error / timeout / rate-limited), error code (if any), cost estimate, endpoint path, optional Idempotency-Key, timestamp, and the associated API-key id and user id. We do not log prompt text, completion text, files, audio, images, or any other request payload, except as described in §3.8 (Idempotency-Key cache).
3.3 Audit / security log
For security, fraud-prevention, and abuse-prevention purposes we record account-level events to a private audit log: sign-in, terms acceptance, vault begin / commit / reset, credential connect / rotate / delete, API-key mint / revoke, custom-endpoint registration, admin actions (suspend / promote / delete) and similar. Each entry includes the actor's user id, action, structured metadata about the change, the source IP address (from the x-forwarded-for or cf-connecting-ip header), and a timestamp.
3.4 Provider Credentials — zero-knowledge vault
Your Upstream Provider API keys, OAuth tokens, and similar secrets ("Provider Credentials") are end-to-end encrypted in your browser before they ever reach our servers. Specifically:
- A random 32-byte Data Encryption Key (DEK) is generated in your browser and AES-256-GCM-wrapped by a wrap-key derived from your Recovery Phrase via Argon2id (the
wrap_saltis public; the phrase is not). - Only the
wrap_salt, the wrapped DEK (wrapped_dek), and a monotonically-increasingvault_versionare stored onpublic.users. The Recovery Phrase and the unwrapped DEK never touch our database, our logs, or our infrastructure outside of volatile memory during a single request. - Each Provider Credential is AES-256-GCM-encrypted under the DEK in your browser before
POST /api/credentials; we store only{ ciphertext, nonce, vault_version }. - API keys (
sk-llm-…) carry the DEK, not a hash. The DEK is wrapped under a per-key HKDF-derived sub-key that is recoverable only by presenting the secret half of the API key. On each request, the gateway un-wraps the DEK, decrypts the relevant Provider Credential, completes the upstream call, and zeroes the in-memory copy infinally. - If you lose your Recovery Phrase we cannot recover it. You will need to reset the vault, which destroys all stored Provider Credentials and invalidates all existing API keys.
- If a
sk-llm-…API key is leaked, the holder can decrypt every Provider Credential in your vault and call any Upstream Provider on your behalf. Treat OpenLLM API keys as the master credential for your Provider stack; rotate immediately on suspicion of leak.
3.5 Plugin content
If you install the optional claude-context or supermemory plugins, the content you explicitly send through them — code chunks, files, documents, memories — is stored in plaintext in the public.embeddings table (text + 1024-dim vector embedding + metadata such as source identifier), strictly partitioned per-user via user_id and ON DELETE CASCADE. We compute the embeddings via AWS Bedrock Titan v2 at our cost. Re-indexing state and chunk-reference data is stored alongside in plugin_indexing_jobs and plugin_chunk_refs, also per-user. Plugin state for each user is stored in plugin_state.
Do not send to these plugins any data you are not authorised to store on our infrastructure or to transmit to AWS for embedding.
3.6 Cookies
We use a signed session cookie issued by Neon Auth (Better Auth) to keep you signed in, and a small first-party openllm_cookie_consent cookie to remember your cookie-consent choice. With your consent we also set first-party product-analytics cookies (PostHog) to understand usage and monitor errors; if you decline, no analytics cookies are used and capture is disabled. We do not set advertising or cross-site tracking cookies. Your browser may also store short-lived helper cookies set by Google during the OAuth sign-in redirect; those are governed by Google's privacy notice. See the Cookie Policy for the full list and how to change your choice.
3.7 Server logs
Our hosting provider (Vercel) and our database provider (Neon) automatically collect technical logs (IP address, user-agent, request path, status code, timing) for security, debugging, and abuse-prevention. These are governed by the providers' own privacy policies and retention periods.
3.8 Idempotency-Key cache
When a /v1/* request includes an Idempotency-Key header, the response body of that request is held in Vercel Runtime Cache for up to ten minutes so that an immediate retry returns the cached response instead of re-billing the Upstream Provider. After ten minutes the cache entry is auto-expired. This is the only path by which completion text is held outside transient request memory. Requests without an Idempotency-Key do not use this cache.
4. What we do NOT collect or store
- Prompt text or completion text of
/v1/*calls, except for the ten-minute Idempotency-Key response cache described in §3.8. - Files, images, audio, or other binary payloads sent to
/v1/*endpoints (beyond their transient existence in memory while we forward them upstream). - Your Recovery Phrase or the unwrapped Data Encryption Key.
- Plaintext Provider Credentials at rest. We see them only in memory during a single request.
- Advertising identifiers or cross-site tracking cookies; we do not sell or share personal information with advertisers or data brokers. We do use a first-party product-analytics processor (PostHog) under your consent (see §3.6 and the Cookie Policy), configured to mask inputs and exclude secret screens.
We do not use your prompts, completions, files, embeddings, or other Customer Content to train, fine-tune, distil, or evaluate any AI model. Per AWS's published Bedrock commitments, content sent to AWS Bedrock for embedding (via the claude-context and supermemory plugins) is not used by AWS to train or improve AWS or third-party models.
Sensitive personal data we do not knowingly process unless you have a separate signed agreement with us: Protected Health Information subject to HIPAA, cardholder data subject to PCI DSS, government identifiers, biometric identifiers, and similar regulated categories. Do not submit such data through the Service.
5. How we use the information
- Provide the Service — authenticate you, route your requests to the Upstream Providers you have selected, return responses, mint and validate API keys, compute plugin embeddings.
- Operate and secure the Service — fraud and abuse prevention, rate limiting, debugging, audit, incident response.
- Show you usage and costs — render the dashboard, overview charts, and per-key sparklines from the
requeststable. - Comply with legal obligations and enforce our Terms.
- Communicate with you about the Service, security incidents, and material changes.
Where required by applicable law (e.g. UK / EEA GDPR), our legal bases are: performance of a contract (delivering the Service you requested); our legitimate interests in securing the Service, preventing abuse, and operating our business; compliance with legal obligations; and, where applicable, your consent (which you may withdraw at any time).
6. Sub-processors and recipients
We share personal information only with the following sub-processors and recipients, each used solely to operate the Service:
- Vercel Inc. — application hosting, edge/serverless compute, Vercel Runtime Cache (for Idempotency-Key replays), logs.
- Neon, Inc. — managed Postgres database (account data, encrypted Provider Credentials, request logs, audit log, plugin embeddings) and Neon Auth identity service.
- Google LLC — OAuth identity provider for sign-in.
- PostHog, Inc. — first-party product analytics, session replay (inputs masked, secret screens excluded), and error monitoring, used only with your cookie consent. Events are sent via a first-party reverse proxy; we do not use this data for advertising.
- Amazon Web Services, Inc. — AWS Bedrock Titan v2 embeddings, called by the gateway when you use the
claude-contextorsupermemoryplugins. AWS does not use this content to train AWS or third-party models, per Bedrock's published commitments. (Host-paid; you are not separately billed.) - Upstream Providers you select — OpenAI, Anthropic, Google (Gemini API), Moonshot AI (Kimi), Alibaba Cloud (DashScope: Qwen, GLM, Kimi, MiniMax), Z.AI, and any other provider or custom endpoint you register. Each request you send is forwarded to the provider that fulfils it, using the Provider Credential you supplied. Their privacy policy and terms govern the request payload, the output, and any further processing.
- Plugin operators — when you choose to install or invoke a third-party MCP plugin distributed through the Service, that plugin may call its own external services (e.g.
supermemorymay call its own cloud backend). You are responsible for reviewing and accepting that plugin's terms before sending data to it. - Professional advisers and authorities — where necessary to comply with law, enforce our Terms, protect our rights, or as part of a merger, acquisition, financing, or sale of assets (in which case we will require the recipient to honour this Policy or give you notice).
Sub-processor changes. We will give at least 14 days' notice in-product or by email before adding a new sub-processor that processes personal data on our behalf. You may object by emailing support@quantide.xyz. We do not consider Upstream Providers you choose to be our sub-processors.
We do not sell or share personal information for cross-context behavioural advertising.
7. International transfers
Quantide is established in the United States and our sub-processors operate in the United States, the European Union, and other regions depending on routing and Upstream Provider choice. When personal information moves out of your jurisdiction, we rely on appropriate safeguards — including the European Commission's 2021 Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable — and on the public commitments of our sub-processors. By using the Service you understand that Customer Content will be transmitted to the Upstream Providers you choose, in whichever region they operate.
8. Retention
- Account record — kept until you delete your account.
- Encrypted Provider Credentials — kept until you delete the credential, reset your vault, or delete your account.
- Request usage metadata — kept for the lifetime of your account so we can render historical usage and cost; older rows may be summarised or pruned at our discretion.
- Audit log — kept for up to 24 months for security and abuse-prevention, then deleted or aggregated, unless a longer retention is required by law or to investigate an open incident.
- Plugin embeddings + content — kept until you uninstall the plugin, clear the index, or delete your account.
- Server logs — retained per Vercel / Neon defaults (typically 30 days for hot logs).
- Idempotency-Key response cache — Vercel Runtime Cache; auto-expired after ten minutes.
We may retain limited information after account deletion where required by law or for legitimate fraud-prevention, accounting, or dispute-resolution purposes.
9. Security
We protect personal information with a combination of organisational, administrative, and technical controls, including TLS in transit, AES-256-GCM at rest for sensitive fields, the zero-knowledge vault architecture described in §3.4, principle of least privilege, audit logging, and monitoring on our hosting and database providers. No system is perfectly secure; you are responsible for the security of your account credentials, Recovery Phrase, and API keys.
If we become aware of a security incident affecting your personal information, we will notify you and any required authorities without undue delay, in accordance with applicable law. Report suspected incidents to support@quantide.xyz.
10. Your rights
Depending on where you live, you may have rights under applicable law (e.g. GDPR in the UK/EEA, CCPA/CPRA in California) to:
- access the personal information we hold about you;
- correct inaccurate information;
- delete information, subject to limited exceptions (e.g. records we must keep by law);
- port a copy of certain information to another service;
- restrict or object to certain processing, including processing based on legitimate interests;
- withdraw consent where processing is based on consent;
- limit the use or disclosure of sensitive personal information (where applicable);
- not be discriminated against for exercising your privacy rights;
- lodge a complaint with a supervisory authority (in the EEA, your local Data Protection Authority; in the UK, the ICO).
You can exercise most rights yourself from the Settings page (export, delete account). For anything else, email support@quantide.xyz. We may need to verify your identity before fulfilling a request and will respond within the timeframes required by applicable law.
Because we operate as a processor for Customer Content, requests from data subjects whose data you have submitted should generally be directed to you as controller; we will support you in fulfilling them as required by law.
11. California disclosures (CCPA / CPRA)
In the prior 12 months we collected the categories of personal information described in §3 (identifiers, internet/network activity information, geolocation inferred from IP, and commercial usage records). We use this information for the business purposes described in §5 and share it with the sub-processors listed in §6.
We do not sell personal information and we do not share it for cross-context behavioural advertising. We do not knowingly collect or process Sensitive Personal Information as defined under the CPRA; if you nonetheless submit such information, you may direct us to limit its use and disclosure under Cal. Civ. Code §1798.121 by emailing support@quantide.xyz.
California residents have the rights described in §10, including the rights to know, correct, delete, port, and limit. You may designate an authorised agent to make requests; we will not discriminate against you for exercising these rights.
12. Deleting your account
You can delete your account from the Settings page. On deletion our database cascade permanently removes every row keyed to your user_id — API keys, encrypted Provider Credentials, request and audit history, plugin embeddings, and plugin state — with no soft-delete and no recovery, except for limited records we may retain as described in §8.
13. Changes to this Policy
We may update this Policy from time to time. We will update the version identifier and effective date at the top of this page, and where the change is material we will flag it in-product or by email. Your continued use of the Service after the effective date constitutes acceptance.
14. Contact
Quantide LLC · Wyoming, U.S.A.
- Privacy questions and rights requests: support@quantide.xyz
- Security incidents: support@quantide.xyz
- Legal notices: support@quantide.xyz
- General: support@quantide.xyz