Privacy Policy

Disclaimer: this is a draft generated for MVP launch. Founder will replace with lawyer-reviewed version before any commercial scale.

---

1. Data We Collect

• Account data: email address (required for account creation and billing notifications).
• Payment data: processed by Stripe; we never store full card numbers. We retain a Stripe customer ID and the last four digits of the payment instrument as metadata.
• Usage logs: API key identifier, endpoint called, timestamp, response status, byte counts, and a hash of the prompt payload (SHA-256). We do not log plaintext prompts or response bodies.
• Operational data: IP address (at the Cloudflare edge), user-agent string, request ID.

2. How We Use Data

• to provide and operate the Service;
• to bill Customers and detect abuse;
• to debug incidents and respond to support requests;
• to compute aggregate, non-identifying analytics on Service health.

We do not sell personal data and do not use Customer prompts to train models.

3. Data Retention

• Usage logs: retained 90 days, then deleted.
• Account data: retained until the Customer requests deletion or 12 months after account closure, whichever is sooner.
• Billing records: retained 7 years to satisfy tax and accounting obligations.

4. Third-Party Processors

• Stripe (payment processing, PCI-DSS Level 1).
• Cloudflare (TLS termination, DDoS protection, edge caching).
• Hetzner Online GmbH (origin compute, EU-located).
• DeepSeek / OpenRouter (downstream LLM inference, only when a Customer's request explicitly invokes an LLM-backed endpoint).

A current sub-processor list is available on request from privacy@Samurai.xyz.

5. Your Rights (GDPR)

If you are in the EU/EEA/UK, you have the right under the General Data Protection Regulation to:

• access your personal data (Article 15);
• rectify inaccurate data (Article 16);
• erase your data ("right to be forgotten", Article 17);
• restrict processing (Article 18);
• portability — receive your data in a structured, machine-readable format (Article 20);
• object to processing (Article 21);
• lodge a complaint with a supervisory authority.

Submit requests to privacy@Samurai.xyz. We respond within 30 days as required by Article 12(3).

6. Cookies

The Service uses only essential session cookies required to maintain authenticated sessions on the dashboard. No advertising, analytics, or third-party tracking cookies are set. See /legal/cookies for details.

7. Data Security

Data in transit is encrypted with TLS 1.3. Data at rest is encrypted with AES-256 on disk volumes. Access to production systems is restricted to the founder and is logged. We will notify affected Customers without undue delay and within 72 hours of becoming aware of a personal data breach (GDPR Article 33).

8. Children

The Service is not directed to individuals under 16. We do not knowingly collect data from anyone under 16 (GDPR Article 8 floor).

9. International Transfers

Origin servers are in the EU. Stripe and Cloudflare may process data in the US under Standard Contractual Clauses approved by the European Commission.

10. Contact

Data Protection inquiries: privacy@Samurai.xyz