Privacy Policy

1. Data we collect

Account data: your email address and, if you sign in with Google, your basic OAuth identity. Authentication data: session records and, where applicable, one-time sign-in tokens.

Service data: API keys (stored only as hashes), subscription and voucher records, request metadata (timestamps, model alias, token counts, status, correlation identifiers), and usage rollups.

Technical data: IP address and similar signals used for security, rate limiting, and abuse prevention.

2. Prompt and response content

To fulfil a request, the content you send is transmitted to the underlying model provider that serves your selected alias. We do not use your prompt or output content to train our own models, and we do not sell it.

Request content may be retained for a limited period for operational purposes such as abuse detection, debugging, and meeting legal obligations, then deleted in line with our retention practices. Do not submit personal or confidential data you are not authorised to share.

3. How we use data

We use personal data to provide and secure the service, authenticate you, enforce subscription tiers and fair-use limits, meter usage, prevent and investigate abuse and fraud, provide support, and comply with legal obligations.

Our legal bases include performing our contract with you, our legitimate interest in operating a secure service, and compliance with law.

4. Sharing and subprocessors

We share data with service providers who process it on our behalf, including the underlying model providers that serve requests, and our hosting and infrastructure providers. These parties are bound to use the data only to provide their services to us.

We may disclose data where required by law or to protect our rights, users, or the security of the service. We do not sell personal data.

5. Security

We apply technical and organisational safeguards, including encryption of sensitive credentials at rest, hashing of API keys, encrypted transport, access controls, and audit logging of administrative actions. No system is perfectly secure, but we work to protect your data and to respond to incidents.

6. Retention

We keep personal data only as long as needed for the purposes described here or as required by law. Account data is retained while your account is active; request logs and usage records are retained for defined operational periods and then pruned or aggregated.

7. Your rights

Subject to applicable law, you may request access to, correction of, or deletion of your personal data, and you may object to or restrict certain processing. To exercise these rights, contact us using the details below. We may need to verify your identity before acting on a request.

8. International transfers

Because the underlying model providers and infrastructure we rely on may operate outside Indonesia, your data may be processed in other countries. Where we transfer data internationally, we take steps to ensure an appropriate level of protection consistent with applicable law.

9. Children

NaraRouter is not directed to individuals under 18, and we do not knowingly collect their personal data. If you believe a minor has provided us data, contact us so we can address it.

10. Changes to this Policy

We may update this Policy from time to time. We will update the date above and, for material changes, provide additional notice where appropriate.