Legal template

Privacy Policy

This policy explains how a CustomRouter deployment may collect, use, store, and share information when operating an OpenAI-compatible routing proxy, admin console, and any managed BYOK-hosting or assisted self-hosting services.

Operator details to fill in

Replace [LEGAL ENTITY NAME] and add any regional disclosures that apply to your users before launch.

1. Information we collect

  • Account details such as name, email address, hashed password, and session metadata.
  • API metadata such as request timestamps, request identifiers, thread identifiers, model routing decisions, and operational logs.
  • User-submitted prompts, messages, and other content needed to process requests.
  • Security and abuse-prevention data such as IP-based rate limiting counters and audit events.

2. How we use information

  • Authenticate users, manage accounts, and issue or revoke API keys.
  • Route requests across models, persist thread pins, and troubleshoot service behavior.
  • Detect abuse, enforce limits, maintain uptime, and improve reliability.
  • Comply with legal obligations and protect the service, users, and upstream providers.

3. Routing-specific processing

CustomRouter may inspect prompts or message context to classify intent, choose an upstream model, apply fallback behavior, pin a thread to a model for continuity, and store routing explanations or operational metadata for debugging and analytics.

Depending on configuration, the service may persist thread identifiers, routing decisions, model names, latency, errors, and limited conversation context needed to provide explainability or reliability features.

4. Sharing and processors

Requests may be sent to third-party model and infrastructure providers as needed to operate the service. Those providers may process prompts, metadata, and generated output under their own terms and privacy practices.

These providers may include Cloudflare-hosted infrastructure, OpenRouter, and other OpenAI-compatible upstream gateways that you or the operator configure.

5. BYOK credentials

If you store your own upstream API credentials in the service, we may retain those credentials in encrypted form so the router can call your selected providers on your behalf. You should rotate or remove credentials you no longer want associated with your account.

6. Retention

We keep data only for as long as reasonably necessary to operate the service, investigate incidents, comply with law, or enforce our terms. Retention periods may vary by data type, deployment configuration, and upstream provider behavior.

7. Security

We use reasonable administrative, technical, and organizational measures to protect data, but no system is completely secure. You should avoid sending highly sensitive information unless you have verified the deployment meets your requirements.

8. Your choices

Depending on your jurisdiction and account type, you may be able to request access, correction, deletion, or export of certain personal data. Operational and security logs may be retained where necessary for legitimate business or legal reasons.

9. Contact

Privacy questions or requests should be sent to me@therealpablo.com. Add an effective date and any region-specific rights language here before launch.

Before you publish this

This version reflects the router’s actual behavior, but you still need your entity name, contact email, subprocessors, retention schedule, and any cookie, analytics, or jurisdiction-specific disclosures you use.