Privacy Policy
This Privacy Policy explains what information aiusage.ai ("we", "us", "our") collects, how we use it, and your rights. By using the Service you agree to this policy. If you do not agree, do not use the Service.
1. Information We Collect
You give us:
- Account info: email address (required) and password hash.
- Anthropic API key: encrypted at rest with AES-256-GCM; used solely to forward your requests to Anthropic.
- Payment info: handled by Stripe. We receive a Stripe customer ID and the last four digits of your card — never the full card number.
- Support messages: if you contact us or chat with the onsite assistant.
We collect automatically:
- Usage metadata: timestamps, request counts, response sizes, latency, credit balance. Used for billing and service integrity.
- Technical data: IP address (hashed), user agent, referrer, approximate location derived from IP.
- Cookies: a single HTTP-only session cookie (bai_session) so you stay signed in, plus analytics cookies set by Google Tag Manager (disabled if you use Do-Not-Track or decline in GTM-managed consent).
We do NOT collect or store:
- The content of your prompts sent to Claude.
- The content of Claude's responses.
- Your decrypted Anthropic API key after initial storage.
- Full credit card numbers.
2. How We Use Your Information
- To authenticate you and deliver the Service.
- To route your requests to Anthropic using your own API key.
- To charge you via Stripe and maintain an accurate credit balance.
- To detect abuse, diagnose incidents, and improve reliability.
- To send transactional emails (verification, receipts, low-balance alerts, service notices).
- To provide support if you contact us.
3. How We Share Your Information
We share only what is necessary with the following processors, each under contractual data-protection obligations:
- Anthropic (Claude API): we forward your API requests using your key. Your prompts are sent directly to Anthropic; see Anthropic's Privacy Policy.
- Stripe: processes payments. See Stripe's Privacy Policy.
- Supabase: identity + authentication storage. See Supabase's Privacy Policy.
- Fly.io: hosts our application servers. See Fly.io's Privacy Policy.
- Resend / email delivery: sends transactional email (verification, receipts).
- Google (Tag Manager, Analytics, Ads): measures marketing effectiveness. See Google's Privacy Policy.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising by third parties (per CCPA/CPRA).
4. Data Retention
- Account records: retained while your account is active and up to 90 days after closure for billing reconciliation.
- Usage metadata: retained up to 13 months for capacity planning and fraud detection.
- Prompt / response content: not stored on our servers.
- Support messages: retained up to 24 months.
5. Security
We use industry-standard safeguards including TLS in transit, AES-256-GCM encryption for API keys at rest, hashed passwords (managed by Supabase Auth), hashed IP addresses in our logs, and least-privilege server access. No system is perfectly secure, and you use the Service at your own risk.
6. Your Rights
Regardless of where you live, you may:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your account and associated data (subject to legal retention obligations).
- Export a copy of your account data.
- Opt out of marketing emails (transactional emails required to operate the Service will continue).
California residents have additional rights under the CCPA/CPRA, including the right to know, the right to delete, and the right to non-discrimination. EU/UK residents have additional rights under GDPR including the right to restrict or object to processing, and the right to lodge a complaint with a supervisory authority. To exercise any of these rights, email privacy@aiusage.ai.
7. Children
The Service is not directed to children under 13 (or under 16 in the EU/UK). We do not knowingly collect information from children. If you believe a child has provided us with information, email us and we will delete it.
8. International Transfers
aiusage is operated from the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for cross-border transfers.
9. Cookies and Tracking
We use a minimum of essential cookies for authentication. Marketing and analytics cookies are served via Google Tag Manager and fire only where consent (implicit or explicit) applies. You can clear cookies through your browser at any time.
10. Changes to This Policy
Material changes will be announced by updating the "Effective" date above and, where appropriate, by email. Continued use after a change constitutes acceptance.
11. Contact
Privacy questions: privacy@aiusage.ai
General: hello@aiusage.ai