Privacy Policy — llmdeal.me

1. Who runs this

llmdeal.me is operated by an EEA-based independent operator. I'm the data controller under GDPR Article 4(7) — meaning I decide what gets collected and why, and I'm the one you complain to if something goes wrong.

Contact: privacy@llmdeal.me · Matrix (preferred): <owner-matrix-handle> · Telegram: <owner-telegram-handle> · Discord (expires soon): discord.gg/ZgcKssAWJ6

2. What we collect

✓ Collected

Contact handle. The email or messaging handle you give us when you preorder or join the launch ping list. Used to deliver your API key and billing-related DMs.

Order data. Order ID, SKU, currency (BTC / XMR / LTC), USD amount, status, timestamps. Append-only ledger so we can credit your account at launch.

Token counts. Once the gateway is live, we log the number of input + output tokens per request — for billing only. Never the prompt content, never the response content.

Transient: IP + user-agent. Captured at request time for fraud and rate-limit purposes. Deleted within 24 h of order settlement.

✗ Not collected

Prompt or response content. Not logged, not retained, not used for training. Once a request completes, the content is gone.

KYC / identity documents. No name, no address, no ID, no date-of-birth. Crypto-only checkout means we don't need any of it.

Persistent IP addresses. We don't keep IPs beyond the 24 h fraud window.

Tracking cookies / analytics scripts / pixels. No Google Analytics, no Mixpanel, no Segment, no Facebook pixel, no anything. The only cookie we may set post-launch is a session cookie for the customer portal.

Card details. We never see them. Crypto only.

2a. No KYC. No model training. No exceptions.

Two commitments that materially differentiate us from most LLM gateways. They are stated here because they are operational rules, not aspirations.

No KYC, ever. We do not collect government identity documents, billing addresses, dates of birth, phone numbers, or any other identity-verification data. Crypto-only checkout means there is no card-issuer or bank-side identity flow either. The most we know about you is the messaging handle you signed up with.
We do not train models on your prompts or completions. Request / response content is processed in-memory to fulfil the inference call, then discarded. It is not logged, not retained, not sampled, not human-reviewed, and not fed into any training, fine-tuning, eval, or model-improvement pipeline operated by us.
We do not allow upstream providers to train on your content where their contracts permit us to override that default. Where an upstream provider's contract allows opt-out of training-data inclusion, we exercise it on the gateway account. Where the upstream's terms do not permit override (rare for API-tier access in 2026, but always check the provider directly), we surface that under §6 in the sub-processor list and you can choose not to route to that provider.
No human review for "quality" or "safety" purposes. No staff at llmdeal.me reads your prompts. No moderation pipeline scans your prompts. The only time we would ever look at request metadata (never content) is a court order, a subpoena, or an active fraud / abuse investigation — and even then we see token counts and routing data, not what you asked for.

If you believe these commitments have been breached, GDPR Art. 21 (objection) and Art. 17 (erasure) apply — DM us with subject GDPR breach report and we respond within 72 hours.

3. Why we're allowed to collect it (lawful basis)

GDPR Article 6 requires a lawful basis for each piece of personal data we process. Ours:

Performance of contract (Art. 6(1)(b)). Order processing, credit delivery, customer support. We can't sell you credits without recording that you bought them.
Legitimate interest (Art. 6(1)(f)). Fraud prevention and rate-limiting — the transient IP + user-agent capture. Balanced against your privacy by the 24 h delete window.
Consent (Art. 6(1)(a)). Optional launch-ping signup. You can withdraw consent at any time by DMing us "unsubscribe".

4. How long we keep it (retention)

Order records. Kept while your account is active. Deleted on request, or automatically 24 months after final activity.
Launch-ping contact. Kept until you unsubscribe, or automatically 12 months with no engagement.
IP + user-agent. 24 hours post-settlement, then purged.
Token-count billing data. 12 months for tax / accounting reasons (Norwegian bookkeeping law).

5. Your rights

Under GDPR Articles 15-22 you have seven rights. Here's each in one line plus how to use it.

The seven rights, plain English

Access (Art. 15). Ask what we hold about you. We send you a copy.

Rectification (Art. 16). Fix anything wrong (typo in your email, wrong order, etc.).

Erasure (Art. 17). "Right to be forgotten" — delete everything we have on you.

Restriction (Art. 18). Tell us to stop processing your data while a complaint is resolved.

Portability (Art. 20). Get your data in a machine-readable format (we hand you a JSON file).

Objection (Art. 21). Object to legitimate-interest processing — e.g. opt out of fraud-IP capture (we'd have to refuse service, but the option exists).

Automated decisions (Art. 22). Not subject to purely automated decisions with legal effect. We don't run any.

How to exercise any of these

DM us using the contact handle you signed up with — that's how we verify you're the right person. Subject line / opener: GDPR request: <right>.

We respond within 30 days (GDPR statutory limit). Erasure requests are typically completed within 48 hours and we send you a deletion timestamp.

No fee for the first request. Repeat / abusive requests may incur a reasonable admin fee per Art. 12(5).

6. International transfers & data location

Inference may run in the EU or the US depending on which routing option you choose (see below). Order records and contact handles are stored on EU-based infrastructure (Hetzner DE/FI).

What happens when your request is routed to US GPU capacity?

When your request is processed on US-based GPU capacity, inference runs on our open-weight models (Qwen, Llama, DeepSeek, and similar) hosted in the United States. The no-logging, no-training, no-prompt-retention commitments in §2a apply equally to US-routed requests — these are our own infrastructure obligations, not upstream provider policies.

Where we use third-party US-hosted infrastructure or model providers as sub-processors (listed below), requests forwarded to them are processed under their respective data policies. We exercise training-opt-out rights on our gateway accounts where the provider permits it.

If you want to keep everything in the EU, choose EU-resident routing — available as the default on the Elite tier and as an opt-in on other tiers. With EU-resident routing active, all requests are pinned to our EEA GPU capacity running open-weight models; no inference payload leaves the EEA. US GPU capacity is equally available and is the default for non-Elite tiers; requests processed there are subject to the same no-logging, no-training commitments under §2a but are physically processed in the United States.

Upstream processors (sub-processor list)

The following third parties may act as sub-processors under GDPR Art. 28:

Groq Inc. (US) — high-throughput open-weight model inference
NOWPayments (EE) — crypto payment processing
Hetzner Online GmbH (DE / FI) — VPS hosting
Cloudflare, Inc. (US) — TLS termination, DNS, DDoS

Customers who choose EU-resident routing get inference pinned to EU-resident sub-processors (Hetzner DE/FI). US sub-processors above are used when US routing is active (the non-Elite default) or when a customer explicitly selects a US-capacity workload on any tier.

7. Cookies

None for tracking. No analytics, no fingerprinting, no third-party scripts. We may set one session cookie for the customer portal once it goes live — purely functional (keeps you logged in), first-party, HttpOnly, SameSite=Lax. No advertising cookies, ever.

8. Security

What we actually do:

Environment + secrets encrypted at rest (dotenvx).
Persistence files (orders.jsonl, waitlist.jsonl) are mode-0600 on the host.
TLS 1.2+ everywhere. HTTPS-only, HSTS preload-eligible.
Minimum-necessary access. Single operator, no third-party support staff.
Crypto IPN webhooks are HMAC-SHA512 verified before any state mutation.

What we don't claim: no SOC2 audit (we're not at scale to pay for one yet), no HIPAA (we're not a healthcare service), no PCI-DSS scope (we don't take card data — crypto only).

8a. Hardware-key authentication for Pro & Elite tiers

Pro-tier API access, Elite-tier access, and all credit / capacity top-ups (any tier) require a FIDO2 hardware key at sign-in for NDA integrity, legal compliance, and security of high-value accounts. YubiKey is included FREE with Pro and Elite — we cover the hardware cost; it's not priced into the per-token rates. See options below (shipped to a mail-drop, reimbursed in credits, or bring your own).

What is FIDO2? Fast Identity Online 2 — an open standard from the FIDO Alliance and W3C. A physical hardware key performs a cryptographic challenge-response on each sign-in. The private key never leaves the hardware, so phishing, credential-stuffing, SIM-swap attacks, keyloggers, and server-side password leaks cannot compromise the account. Browser API: WebAuthn. Device protocol: CTAP2.

Approved hardware-key alternatives (priority order — EEA + open-source first):

Token2 — Switzerland, €25-35, USB-A / USB-C / NFC, EEA-friendly
Nitrokey — Germany, €49-69, fully open-source firmware + hardware
SoloKey / Solo 2 — open-source, ~$30, USB-A / USB-C
YubiKey — Yubico (US), $50-100, industry standard — included FREE with Pro/Elite (we cover the cost; not priced into per-token rates)
Google Titan — US, $30-35, widely available
Platform passkeys (Apple Touch ID, Windows Hello) are accepted but offer lower NDA-defensibility — a dedicated hardware key is preferred for Pro+.

Starter tier and waitlist signups continue with passwordless email magic-link plus optional FIDO2. Enrol your key any time from account settings.

9. Breach notification

What happens if there's a breach?

If a personal data breach is likely to result in a risk to your rights and freedoms, we notify you within 72 hours of becoming aware of it — per GDPR Articles 33 and 34.

Notification goes to the contact handle on file. We also notify the Norwegian Datatilsynet (the supervisory authority) within the same 72 h window.

The notification will include: what happened, what data was affected, what we're doing about it, and what (if anything) you should do.

10. Children

Age restrictions

llmdeal.me is not directed to children under 16. We don't knowingly collect data from minors. If you believe a child has given us personal data, DM us and we'll delete the record.

11. Changes to this policy

Material changes (anything that affects what we collect, how long we keep it, who we share it with) are emailed to the contact on file 30 days before they take effect. You can object or close your account in that window.

Non-material changes (wording, typos, new sub-processor of the same category) are deployed when ready and noted in CHANGELOG.md. Effective date at the top of this page always reflects the current version.

12. Supervisory authority

Our lead supervisory authority is the Norwegian Datatilsynet (Norwegian Data Protection Authority). EU residents can also complain to the supervisory authority of their own member state. Contact info is on each authority's website.

We'd rather you DM us first — we'll fix it faster than a regulator can — but you have the right to skip us and go straight to them.

13. California residents — CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you a parallel set of rights. We extend them to every customer, not just CA residents — but here is the CA-specific summary.

Right to know. What categories of personal information we collect, from whom, for what purpose, and to whom we disclose it. The answer: contact handle, order data, token counts, transient IP / UA. From you (we do not buy lists). For account provisioning, billing, fraud prevention. To the sub-processors listed in §6.
Right to delete. Same as GDPR Art. 17 — DM us, deleted in 48 hours.
Right to correct. Same as GDPR Art. 16.
Right to portability. Same as GDPR Art. 20 — we hand you a JSON.
Right to opt out of sale or sharing. Do Not Sell or Share My Personal Information. We do not sell personal information and we do not share it for cross-context behavioural advertising. This link is here because the statute requires it; clicking it sends an opt-out preference that is already our default.
Right to limit use of sensitive personal information. We do not collect SPI as defined under CPRA §1798.140(ae) (no precise geolocation, no SSN, no financial-account credentials, no biometric data, no health data).
Right to non-discrimination. Exercising any of these rights does not change your service, your pricing, or your access.

Categories of personal information collected in the past 12 months (CCPA §1798.130(a)(5)(B)): Identifiers (messaging handle, transient IP), Commercial information (order record, payment cryptocurrency + amount), Internet activity (request token counts — not content). No biometric, geolocation, sensory, employment, education, inference, or sensitive-PI categories.

14. Change log

v1.1 · 2026-05-14. Added §2a (no-KYC + no-training-on-content + no-upstream-training-where-permitted + no-human-review). Added §13 (CCPA / CPRA). Made the TL;DR more concrete. Reaffirmed Art. 21 / 17 path for breach reports.
v1.0 · 2026-05-14. Initial launch policy.

Any change that affects what we collect, how long we keep it, or who we share it with is announced 30 days before it takes effect (per §11). Wording-only changes are listed here without notice.