This Privacy Policy explains how RoboVAI ("we", "us") collects, uses, and protects your personal information when you use our AI API gateway, website, and related services (the "Service").
1. Information We Collect
Account information: email address, password (stored as bcrypt hash), username, and profile preferences.
Usage data: API requests and responses (transient, forwarded to upstream AI providers), token consumption, billing transactions, IP address, device and browser type, and request timestamps.
Payment data: processed by third-party payment providers (e.g., Stripe, Airwallex). We do not store full card numbers or banking credentials on our servers. We retain only transaction references and billing records.
Configuration data: API keys (hashed for verification), account settings, and notification preferences.
2. How We Use Information
- To provide, operate, and maintain the Service, including routing API requests to appropriate AI model providers
- To process payments, manage subscriptions, and prevent fraud
- To monitor usage, enforce quotas and rate limits, and prevent abuse
- To send service notices, security alerts, billing reminders, and required legal notices
- To improve Service quality, optimize routing, and analyze aggregate usage patterns
- To comply with legal obligations
3. Legal Bases for Processing (GDPR)
For users in the European Economic Area, we process personal data on the following legal bases:
- Contractual necessity: to deliver the Service you requested
- Legitimate interests: fraud prevention, security, service improvement, and aggregate analytics
- Legal obligation: tax, accounting, and regulatory compliance
- Consent: where you have given explicit consent (you may withdraw at any time)
4. Data Retention
We retain personal data only as long as necessary for the purposes described, or as required by law:
- Account data: retained while your account is active; deleted within 30 days of account deletion request
- API request logs: retained for up to 90 days for abuse monitoring and debugging, then permanently deleted
- Billing records: retained for 5–7 years per applicable tax and financial regulations
- Usage analytics: aggregated and anonymized within 30 days; individual records deleted
5. Data Sharing
We do not sell your personal data. We share data only with:
- Upstream AI providers: your API request content is forwarded to the selected model provider to fulfill your request. Each provider processes data under its own privacy policy.
- Service providers: payment processors, cloud infrastructure (hosting), and email delivery services
- Authorities: when legally compelled to disclose by court order or regulatory requirement
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access, correct, or delete your personal data
- Export your data in a portable format
- Object to or restrict certain processing
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority
To exercise these rights, contact us through the Support section in your account settings.
7. International Data Transfers
Your data may be processed in countries other than your own. We use standard contractual clauses or equivalent safeguards for cross-border transfers where required by applicable law.
8. Security
We implement industry-standard security measures:
- Encryption in transit (TLS 1.3) for all API and web traffic
- Encryption at rest for sensitive data (API keys, credentials)
- Access controls and audit logging for administrative systems
- Regular security assessments and vulnerability scanning
However, no system is perfectly secure. We encourage you to use strong, unique passwords and enable two-factor authentication when available.
9. Cookies
We use minimal cookies for:
- Essential: authentication session, CSRF protection, language preference
- Analytics: aggregated, anonymized usage patterns (no personally identifiable information)
You can disable non-essential cookies via your browser settings. Disabling essential cookies may affect Service functionality.
10. Children's Privacy
The Service is not directed to children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be notified via email or in-app notice at least 7 days before they take effect.
12. Contact
Questions about this Privacy Policy? Contact us through the Support section in your account settings.