Privacy Policy
Plain-language summary: We log every API request you send so we can (1) keep the service running and (2) if and only if you opt in at /consent, include best-effort anonymized derivatives of your request and response content in datasets we may sell or license. IP addresses, User-Agent strings, HTTP headers, and account identifiers are never included in datasets we sell or license — consent or no consent. "Best-effort" means automated PII removal using standard tooling (Microsoft Presidio + spaCy NER with custom recognizers); it is not perfect, and you should not submit content you would regret ending up in a dataset even after this pipeline runs. You can opt out at any time, free of charge, with no loss of access to free-tier service.
1. What We Collect
We collect data about every API request. The categories below describe what is received by our infrastructure. At ingest, request and response content is run through an automated best-effort PII scrubber (Microsoft Presidio + spaCy NER with our custom recognizers) before it is written to the trace store. Best-effort means the scrubber runs on every request but is not guaranteed to catch every piece of identifying information — free-form text written by humans in formats the recognizers miss can slip through. See §3a for detail and the important caveat.
The categories of data we collect are:
- Account data: Your username, hashed password (bcrypt), API key hash (SHA-256), and your API key in plain text. We also store the exact timestamp at which you accepted the Terms of Service and your current data-sale consent state.
- Request content (scrubbed at ingest, best-effort): The body of your API request — messages, prompts, system instructions, and parameters — after it has passed through our automated PII scrubber. The raw pre-scrub body is not persisted to the trace store; it exists only transiently in memory while the request is routed to the upstream provider.
- Response content (scrubbed at ingest, best-effort): The response from the LLM — generated text, token usage, and metadata — after it has passed through the same scrubber.
- Network information: Your IP address and X-Forwarded-For headers. Retained for up to 90 days for security / abuse purposes and then blanked from logs (see §4). Not included in any dataset we sell or license (see §3a).
- Client information: User-Agent string and HTTP headers (excluding the Authorization header itself). Same 90-day retention and the same exclusion from sold datasets as network information.
- Request metadata: Timestamps, latency measurements, the model requested, the provider used, streaming status, and error information.
2. How We Use Your Data
We use collected data for two distinct purposes:
2a. Service operation (always — no opt-out)
- Routing your request to the appropriate LLM provider
- Service monitoring, analytics, and performance optimization
- Security, fraud detection, and abuse mitigation
- Statistical reporting (aggregated, non-identifying)
- Compliance with legal obligations
Our lawful basis for these activities under GDPR is legitimate interest (Article 6(1)(f)). You cannot opt out of service operation while continuing to use the Service — but the data used for these purposes is never sold or licensed.
2b. Dataset creation, sale, and licensing (opt-in only)
Only if you have explicitly opted in at /consent (or during account registration), best-effort anonymized derivatives of your request and response content may also be used for:
- Creating and publishing datasets for machine learning research and training
- Commercial sale or licensing to third parties
Our lawful basis under GDPR is consent (Article 6(1)(a)). You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdrawal is described in §5 below.
3a. Best-Effort Anonymization Before Sale or Licensing
Before any data is included in datasets sold or licensed to third parties, we apply the following steps. These commitments are part of this Privacy Policy and create a binding obligation; failure to follow them would be a violation of these terms. Nothing in this section should be read as a warranty that the output is perfectly de-identified — see the caveat at the end of this section.
- Removed entirely from every dataset we sell or license, unconditionally: IP addresses, X-Forwarded-For headers, every non-content HTTP header, User-Agent strings, account identifiers (username, API key, API key hash, account-linked request IDs), error messages that may name internal systems, and timestamps below day-level granularity. These fields are excluded regardless of whether the user consented to data sale; consent authorizes the use of content derivatives only.
- Best-effort PII removal from request and response content: We run an automated pipeline based on Microsoft Presidio and spaCy en_core_web_lg NER, with custom recognizers for email addresses, phone numbers, postal addresses, government-issued identifiers (SSN, AU TFN, AU Medicare, AU ABN), payment card numbers, API keys and tokens, and URL-embedded credentials. Detected PII is replaced with numbered placeholders (e.g., <PERSON_1>) that preserve conversational coherence. The original values are not retained in any mapping table outside the single request's processing session, so placeholders are not reversible by recipients. This pipeline is best-effort only: NER models miss names, emails, and phone numbers in unusual formats or languages, and any free-form text written by a human can contain identifying content (writing style, context, references to specific people or events) that no automated system will catch.
- Aggregation: Where the dataset use case allows, individual prompts are aggregated to further reduce the risk of re-identification.
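The numbered-placeholder step described above, sketched as an added example (not Logfare's pipeline code): two regex recognizers stand in for Presidio and spaCy, and the entity labels and sample text are constructed. It shows repeated values sharing one placeholder, the mapping being dropped with the request, and an obfuscated address passing through unscrubbed.

```python
import re

# Regex stand-ins for the recognizers (assumption: not Presidio's own patterns).
RECOGNIZERS = {
    "EMAIL_ADDRESS": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE_NUMBER": re.compile(r"\+?\d[\d ()-]{7,}\d"),
}

def scrub(text):
    """Replace detected PII with numbered placeholders; return scrubbed text only."""
    # Collect every match as (start, end, entity_type).
    hits = [(m.start(), m.end(), etype)
            for etype, rx in RECOGNIZERS.items()
            for m in rx.finditer(text)]
    # Resolve overlaps: earliest start wins, longer match breaks ties.
    hits.sort(key=lambda h: (h[0], -(h[1] - h[0])))
    mapping, counters, out, pos = {}, {}, [], 0
    for start, end, etype in hits:
        if start < pos:
            continue  # overlaps a span that was already replaced
        # Same value (case-insensitive) reuses its placeholder, so the
        # scrubbed conversation still reads coherently.
        key = (etype, text[start:end].lower())
        if key not in mapping:
            counters[etype] = counters.get(etype, 0) + 1
            mapping[key] = f"<{etype}_{counters[etype]}>"
        out += [text[pos:start], mapping[key]]
        pos = end
    out.append(text[pos:])
    # `mapping` lives only for this call: nothing returned or stored lets a
    # dataset recipient reverse a placeholder.
    return "".join(out)

# Constructed sample request content; the last sentence is a format the
# recognizers miss, which is what "best-effort" means in practice.
SAMPLE = ("Mail jane.doe@example.com or bob@example.org. "
          "If Jane.Doe@example.com bounces, call +61 2 5550 1234. "
          "Backup: jane dot doe at example dot com")

if __name__ == "__main__":
    print(scrub(SAMPLE))
```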
Important caveat (read this before opting in): We use commercially reasonable efforts and standard industry tooling (Presidio + spaCy NER + custom recognizers, score threshold 0.7) to minimize residual identifiability, but we do not represent, warrant, or guarantee that the output is anonymous, de-identified, or impossible to re-associate with you. We use the phrase "best-effort anonymized" everywhere in this Policy specifically to avoid that overclaim. If you submit content you would not want included in a third-party dataset even after this pipeline runs — for example, anything you would be uncomfortable seeing quoted back at you in a research paper or a future model's output — opt out of the Financial Incentive Program at /consent and your data will be excluded from sale entirely.
Pre-v2 data: Content collected before May 2, 2026 was collected under our prior Terms of Service. This historical data is retained for internal service operation and quality improvement only, and is not included in datasets sold, licensed, or otherwise distributed to third parties under the Financial Incentive Program described in §3b. The Financial Incentive Program applies prospectively only — to content submitted on or after May 2, 2026 by users who have actively opted in.
3b. Financial Incentive Program (CCPA §1798.125(b))
We offer different levels of service based on whether you consent to the use of your best-effort anonymized content for sale or licensing. This program is structured as a Financial Incentive Program under California Civil Code §1798.125(b). Participation is entirely optional.
Material terms:
- What we provide if you opt in: Access to the Premium model tier (newer / larger models — for example, frontier-class models from major LLM providers) in addition to the Free tier.
- What we provide if you opt out: Full access to the Free tier (smaller / older but fully functional models) at no cost. The Free tier is genuinely usable, not crippled — it is not a "pay or consent" arrangement.
- How to opt in: Check the optional consent box during registration, or visit /consent at any time.
- How to opt out: Visit /consent or /do-not-sell, or email support@logfare.ai. Opt-out applies going forward; data already included in distributed datasets cannot be recalled.
- Right to withdraw: You may opt back out at any time, free of charge, without losing access to your account or the Free tier.
Good-faith estimate of the value of consumer data and methodology: Datasets derived from opted-in content are licensed in bulk to third parties — typically to AI labs, ML researchers, and data brokers — and are not priced per individual user. We estimate the realized value to our business at approximately $1 to $20 USD per million tokens of opted-in content included in licensed datasets, based on (a) reference rates we have observed for comparable LLM training and evaluation datasets, and (b) the proportion of our content that retains commercial value after the anonymization pipeline described in §3a. Actual realized value depends on dataset composition, buyer demand, and the outcome of negotiations with specific buyers; early estimates may be exceeded or fall short of this range. In exchange, opted-in users receive ongoing free access to Premium-tier models, which retail at $1-$30 per million input/output tokens on commercial APIs — equivalent to substantial monthly value for active users.
3c. Data Sharing
We share data with the following categories of third parties:
- Datadog: Our observability platform, which receives post-scrub request and response data for monitoring and analysis. Datadog acts as a processor under our instructions and is not a data purchaser under §3a.
- LLM providers: Your raw, pre-scrub request content is sent to the upstream LLM provider routing your request (e.g., OpenRouter, Together, etc.), which is necessary to generate a response. This is the only category of recipient that ever receives un-scrubbed content, and only for the duration of routing the request. Each provider has its own privacy policy that may apply to the data it receives.
- Data purchasers (only if you opt in): Best-effort anonymized datasets may be sold or licensed to third parties — typically AI labs, ML researchers, or data brokers — under contracts that include data-protection terms. Datasets sold under this program contain only content derivatives as described in §3a. They do not contain IP addresses, User-Agent strings, HTTP headers, account identifiers, or any other field listed as "removed entirely" in §3a.
- Researchers (only if you opt in): We may publish best-effort anonymized datasets derived from consented content for non-commercial research purposes, subject to the same field exclusions as §3a.
- Law enforcement: If required by applicable law or valid legal process. We will challenge overbroad requests where lawful and notify affected users where legally permissible.
4. Data Retention
- Account data (username, password hash, API key hash, consent state) is retained while your account is active.
- Identifying logs (IP addresses, X-Forwarded-For headers, User-Agent strings, account-linked metadata) are retained for at most 90 days for security and operational purposes. After 90 days, an automated job blanks the source_ip and user_agent columns on the corresponding request_logs rows and re-runs the PII scrubber (best-effort) over the associated trace file lines to remove residual identifiers.
- Scrubbed request/response content may be retained indefinitely for use in datasets as described in §3a. "Scrubbed" means it has passed through our best-effort PII pipeline; it does not mean perfectly anonymized.
- On account deletion: Account data is deleted within 30 days, and associated identifying logs are also deleted within that window. Best-effort anonymized historical content that has already been distributed in third-party datasets cannot be recalled — once a dataset is sold or licensed, it is out of our control. Going forward, no new data from your account will be included.
- DSAR audit log (records of access, deletion, and opt-in/opt-out requests) is retained indefinitely without user content, for compliance audit purposes.
5. Your Rights
Regardless of jurisdiction, you may at any time:
- Access: Request a copy of personal data we hold about you. Self-service via dashboard → "Download My Data", or email support@logfare.ai.
- Deletion: Request deletion of your account and associated data. Self-service via dashboard → "Delete My Account", or email us.
- Opt out of sale: Disable the Financial Incentive Program. Self-service via /consent or /do-not-sell, or email us. Your free-tier access is preserved; only the Premium tier becomes unavailable.
- Rectification: Request correction of inaccurate account data. Email support@logfare.ai.
We respond to verifiable DSAR requests within 30 days (45 days under CCPA). We may require verification (e.g., signing a request with your active API key or otherwise confirming control of the account) before fulfilling requests.
5a. Additional Rights for EU/EEA/UK Residents (GDPR)
If you are in the European Economic Area or the United Kingdom, you also have the right to:
- Restriction of processing (Art. 18)
- Data portability — receive your data in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent for processing based on consent, at any time (Art. 7(3))
- Lodge a complaint with your data protection supervisory authority
Lawful bases: We rely on legitimate interest (Art. 6(1)(f)) for service operation and security, and consent (Art. 6(1)(a)) for the Financial Incentive Program (data sale).
International transfers: Logfare's infrastructure is hosted outside the EEA. Where we transfer EEA personal data internationally, we rely on Standard Contractual Clauses (SCCs) or other adequacy mechanisms recognized by the European Commission.
5b. Additional Rights for California Residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Right to know: What categories of personal information we have collected, used, sold, or shared in the last 12 months.
- Right to delete: Subject to specific exceptions enumerated in §1798.105(d).
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing. We sell personal information as defined under CCPA §1798.140 when users have opted in to the Financial Incentive Program. To exercise this right, visit /do-not-sell or email support@logfare.ai.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising any of these rights — except as expressly permitted under §1798.125(b) for our disclosed Financial Incentive Program (§3b above), where opting out reduces access to Premium-tier models but never to free-tier service.
5c. Additional Rights for Australian Residents (Privacy Act 1988)
If you are an Australian resident, you have the right to:
- Access personal information we hold about you (APP 12)
- Correct inaccurate or incomplete personal information (APP 13)
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
We process some categories of regulated personal information (including any TFN, ABN, or Medicare numbers that may appear in prompts despite our prohibition on submitting such data — see ToS §7). Our PII pipeline attempts to detect these with custom recognizers on a best-effort basis; detected matches are removed before any data is included in sold datasets. We do not warrant that every regulated identifier is detected, and you should not submit such data in the first place.
6. Security
We implement reasonable technical and organizational measures to secure stored data, including bcrypt password hashing, SHA-256 API key hashing, TLS in transit, and access controls on the trace store. However, no system is perfectly secure. We make no guarantees about the security or integrity of collected data; use the Service at your own risk.
7. Children
The Service is not directed to children under 18 (or under 16 in the EEA). We do not knowingly collect data from children under these ages. If you are a parent and believe your child has created an account, contact support@logfare.ai for immediate deletion.
8. International Users
Data collected through the Service may be stored and processed in any country where we or our service providers operate. By using the Service, you consent to the transfer of your data to jurisdictions that may not provide the same level of data protection as your home jurisdiction, subject to the safeguards described in §5a.
9. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes that affect your rights — for example, expanding the categories of data collected, adding new categories of data recipients, or changing the Financial Incentive Program structure — we will provide at least 30 days' advance notice via email or a prominent notice on the site, and we will not retroactively apply the new terms to data collected before the change.
10. Contact
For privacy-related questions, DSAR requests, or any other data-related matters, please contact support@logfare.ai or reach out via the Logorhythms Discord server.