Honest privacy, in plain English.
We're a router — most of what we touch is just bytes in flight to a model. Here's exactly what we keep, what we throw away, and the knobs you control.
TL;DR
- Chat messages are encrypted at rest with your per-user key (ChaCha20-Poly1305 AEAD).
- Ephemeral conversations auto-delete after 24 hours.
- No-log API keys skip access logs and request metadata.
- We never store your prompts in usage analytics — only token counts.
- Full data export + hard delete available in /settings.
What we store
Everything we keep in our database, with the honest answer for each one.
What we don't do
- Resell closed-model APIs. No OpenAI or Anthropic relay. We host the open-weight models ourselves on our own GPUs.
- Train models on your data. Your prompts and completions are never fed into a training pipeline — ours or anyone else's.
- Share data with third parties. Stripe sees your billing email and the dollar amount. That's it.
- Log prompts or completions in analytics. Our analytics pipeline only sees token counts and model identifiers.
- Keep deleted accounts. DELETE /api/account is a hard wipe. No soft-delete, no recovery, no "deactivated" tombstone.
Encryption details
For the technically curious. The full implementation is open source — every claim here is verifiable.
- A per-user DEK (data encryption key) is generated at signup and stored wrapped by our master KEK.
- Messages are sealed with ChaCha20-Poly1305 AEAD, using a fresh 12-byte random nonce per record. Authentication is built into the cipher, so tampered ciphertext fails to decrypt loudly rather than silently.
- The master KEK can be rotated without re-encrypting every message body — we only re-wrap the per-user DEKs. Key rotation is cheap, so we can do it on a schedule instead of as an emergency.
- Read the code: apps/api/app/services/crypto.py
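The scheme above (per-user DEK wrapped by a master KEK, ChaCha20-Poly1305 with a fresh 12-byte nonce per record, rotation that re-wraps DEKs and leaves message bodies alone), as an added worked example. This is not the project's crypto.py; it is illustrative code built on the `cryptography` package, which it assumes is installed. The KeyService and UserRecord names are this example's own, and it goes one step beyond the page by binding each ciphertext to its row with AEAD associated data (user id for the wrapped DEK, message id for messages) so a blob copied onto another row is rejected rather than decrypted.

```python
# Added example of envelope encryption as described on this page. Not the
# project's crypto.py. Assumes the `cryptography` package; KeyService,
# UserRecord and the AAD binding to ids are this example's own choices.
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

NONCE_LEN = 12  # ChaCha20-Poly1305 takes a 96-bit nonce; one fresh random nonce per record


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt under `key`; returns nonce || ciphertext || 16-byte Poly1305 tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + ChaCha20Poly1305(key).encrypt(nonce, plaintext, aad)


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Decrypt and verify; raises InvalidTag on any change to nonce, ciphertext, tag or AAD."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return ChaCha20Poly1305(key).decrypt(nonce, ct, aad)


@dataclass
class UserRecord:
    user_id: str
    wrapped_dek: bytes   # the user's DEK sealed under one KEK version
    kek_version: int     # which KEK wrapped it, so rotation can proceed gradually


class KeyService:
    """Holds the KEK versions; DEKs exist unwrapped only in memory, never in storage."""

    def __init__(self, initial_kek: bytes):
        self.keks = {1: initial_kek}
        self.current = 1

    def new_user(self, user_id: str) -> UserRecord:
        dek = ChaCha20Poly1305.generate_key()  # 32 random bytes, generated at signup
        wrapped = seal(self.keks[self.current], dek, user_id.encode())
        return UserRecord(user_id, wrapped, self.current)

    def _dek(self, rec: UserRecord) -> bytes:
        # AAD = user_id: a wrapped DEK copied onto another user's row fails to unwrap
        return unseal(self.keks[rec.kek_version], rec.wrapped_dek, rec.user_id.encode())

    def encrypt_message(self, rec: UserRecord, message_id: str, plaintext: bytes) -> bytes:
        # AAD = message id: ciphertext moved between rows is rejected, not decrypted
        return seal(self._dek(rec), plaintext, message_id.encode())

    def decrypt_message(self, rec: UserRecord, message_id: str, blob: bytes) -> bytes:
        return unseal(self._dek(rec), blob, message_id.encode())

    def rotate_kek(self, users: list[UserRecord]) -> int:
        """Rotate the master KEK: re-wrap every DEK, touch no message bodies."""
        new_version = self.current + 1
        self.keks[new_version] = ChaCha20Poly1305.generate_key()
        for rec in users:
            dek = self._dek(rec)  # unwrap with whichever KEK currently wraps it
            rec.wrapped_dek = seal(self.keks[new_version], dek, rec.user_id.encode())
            rec.kek_version = new_version
        self.current = new_version
        return new_version

    def retire_kek(self, version: int, users: list[UserRecord]) -> None:
        """Destroy an old KEK only once no DEK is still wrapped under it."""
        if any(rec.kek_version == version for rec in users):
            raise RuntimeError(f"KEK v{version} still wraps at least one DEK")
        del self.keks[version]


def tamper_is_detected(ks: KeyService, rec: UserRecord, message_id: str, blob: bytes) -> bool:
    """Flip one ciphertext bit; the AEAD must refuse to decrypt rather than return garbage."""
    corrupted = bytearray(blob)
    corrupted[NONCE_LEN] ^= 0x01  # first ciphertext byte, just past the nonce
    try:
        ks.decrypt_message(rec, message_id, bytes(corrupted))
    except InvalidTag:
        return True
    return False


def demo() -> dict:
    """Signup, seal, tamper, KEK rotation and retirement; returns the outcome of each check."""
    ks = KeyService(ChaCha20Poly1305.generate_key())
    alice = ks.new_user("alice")
    blob = ks.encrypt_message(alice, "msg-1", b"hello from alice")  # constructed sample message
    result = {"roundtrip": ks.decrypt_message(alice, "msg-1", blob) == b"hello from alice"}
    result["tamper_detected"] = tamper_is_detected(ks, alice, "msg-1", blob)
    try:
        ks.decrypt_message(alice, "msg-2", blob)  # same bytes filed under a different message id
        result["wrong_id_rejected"] = False
    except InvalidTag:
        result["wrong_id_rejected"] = True
    ks.rotate_kek([alice])
    ks.retire_kek(1, [alice])  # old KEK destroyed; old ciphertext must still be readable
    result["readable_after_rotation"] = ks.decrypt_message(alice, "msg-1", blob) == b"hello from alice"
    result["kek_versions"] = sorted(ks.keks)
    return result


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind with this design. A random 96-bit nonce is only safe for a bounded number of records under one key (collisions become a real risk long before 2^32 messages), which is one reason a per-user DEK, rather than one service-wide key, is the right unit. And the rotation step only re-wraps DEKs; if a DEK itself is ever suspected compromised, the messages under it do have to be re-encrypted, which this example does not cover.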
Privacy modes
Two opt-in toggles that change what we keep — both are off by default so the dashboard works as you'd expect, on by explicit choice.
No-log API keys
Set per key. Requests through a no-log key suppress the pr.access log at our edge and pass the no-log flag to LiteLLM so spend metadata isn't recorded either. Token counts still increment for billing; that's the only thing we keep.
Ephemeral conversations
Mark a conversation ephemeral and it gets a 24-hour TTL. A background prune sweeps every 5 minutes and hard-deletes expired conversations and their messages — no soft-delete flag, no tombstone row.
Your rights
GDPR-style in plain language. Both actions are self-service — no support ticket needed.
- Export everything: /settings → Download my data. You get a JSON bundle of your account, keys (hashed), conversations (decrypted server-side for you), and usage history.
- Delete everything: /settings → Delete account. Hard wipe — no soft-delete, no recovery. Subscription is cancelled, all rows are removed, and any pending balance is forfeited.
What we're working on
Things we don't do yet but want to. We'd rather list them honestly than hide behind "coming soon."
- End-to-end encryption. Today we're encrypted at rest only — we still hold the master KEK. E2E with a client-held key is the next crypto milestone.
- Bring-your-own-KEK for paid plans. Wrap your DEK with a key you control (HSM, cloud KMS, or local).
- Audit log export for enterprise — structured event stream you can pipe into your SIEM.
- SOC 2. Not yet. We'll say so when we are, and we'll link the report.
Contact
Privacy questions, suspected incidents, or a request we've missed? Email privacy@privaterouter.com. A human reads it.