Privacy — llmdeal.me · what we log, what we don't

1. What llmdeal logs

For every API call, the only fields we write to durable storage are the six we need to bill you. They are:

account_id — the opaque id of your account.
model_alias — which model you asked us to forward to (e.g. claude-3-5-sonnet).
prompt_tokens — input token count, returned by the upstream provider.
completion_tokens — output token count.
requested_at — UTC timestamp.
duration_ms — how long the upstream call took.

That row is the billing event. No prompt body, no response body, no IP address, no user-agent string are written into usage_events by today's gateway code.

2. What llmdeal does not do

Not done, by default

Train any model on your prompts or responses.
Sell, lease, or share your data with data brokers.
Run content analytics or moderation ML on the bodies passing through.
Write request or response bodies to disk in the gateway path.
Store IP addresses in usage_events.

The language we use

"By default" — operator can opt in to billing-dispute logging on a per-key basis if a customer asks.
"Today's architecture" — this is what the running code does as of the last review date above.
We do not claim "we never will." We claim "we do not, and a change would be announced here 30 days in advance."

3. Where data lives

All primary data — accounts, API keys, usage events — lives on a single VPS at Hetzner HEL1 (Helsinki, Finland), inside the EEA. There is no replica outside the EEA today.

Backups are encrypted on the box with restic (client-side AES-256) and shipped to iDrive. iDrive sees ciphertext only. When a customer asks for deletion, both primary and backup copies are purged on the same cycle.

4. Routing transparency

We forward to upstream LLM providers you select via a model alias. Today the upstream mix includes:

Groq and Cerebras for high-throughput open-weight inference;
NVIDIA NIM consortium as the no-cost backend tier;
Any upstream you bring yourself via a customer-supplied API key (BYO).

Some upstreams are physically located in the United States. The EU/US tier on your account selects which set we route to per request; choose EU to keep traffic on EEA infrastructure. The full live list is at the sub-processor table below and machine-readable at /api/legal/subprocessors.json.

5. Encryption

In transit: TLS 1.2 or higher on every public endpoint. The edge is Cloudflare; the origin is the same VPS over Cloudflare Tunnel — no public origin IP is exposed.

At rest: upstream provider tokens and customer credentials are AES-256-GCM encrypted before they touch disk. Decryption keys are held by the running process via dotenvx; they are not in the repo and not in logs.

6. Your rights under GDPR

One-click email invocations of the four GDPR articles you'll actually use. Each opens your mail client with the right subject line so the operator can find your request quickly:

Article 15

Access

Ask what we hold about you. We send you a JSON copy.

Article 17

Erasure

Delete every record we have on you. Confirmed by timestamp.

Article 21

Object

Object to a specific kind of processing. We answer in 30 days.

Article 28

DPA

Or skip the email — use the download form below.

7. Sub-processors

Every third party that may touch your data or operate the infrastructure underneath us. The live machine-readable list is at /api/legal/subprocessors.json and changes are emitted to subprocessors.rss so compliance teams can subscribe and be notified.

Name	Role	Country
Groq, Inc.	Upstream LLM inference (open-weight, high throughput)	United States
Cerebras Systems	Upstream LLM inference (open-weight, alternative)	United States
NVIDIA NIM consortium	Upstream LLM inference (no-cost backend tier)	United States
Customer-BYO upstreams	Any provider whose API key you supply us	per-customer
Hetzner Online GmbH	VPS hosting — primary infrastructure, HEL1	Finland (EEA)
Cloudflare, Inc.	TLS, DNS, CDN, tunnel ingress	United States
iDrive Inc.	Encrypted off-site backups (ciphertext only)	United States
NOWPayments	BTC checkout	Estonia

8. Downloads

Download a signed DPA

Pre-filled with your contact, today's date, and a SHA-256 fingerprint over the body. No sales call, no NDA, no account required. Reply with the fingerprint in the subject line to countersign.

Opens the rendered HTML in a new tab. Save with your browser's "Save Page As" — the fingerprint header makes the saved file verifiable later.

subprocessors.json subprocessors.rss