
Privacy Policy

Last updated: April 30, 2026

This Privacy Policy describes how Autrace, Inc. ("Autrace", "we", "us", or "our") collects, uses, and shares information about you when you use autraceai.com and the Autrace AI gateway service (the "Services").

1. Information we collect

1.1 Account information

When you create an account we collect your name, email address, and a hashed password. For paid plans, billing details are processed by Stripe. We do not store full payment card numbers.

1.2 Usage data

We collect data about how you use the Services: API key activity, request counts, policy configurations, and feature interactions. We use this data to operate and improve the Services.

1.3 Gateway request metadata

By default, when your application proxies LLM requests through Autrace, we log metadata only - timestamps, policy verdicts (ALLOW/BLOCK), model names, token counts, and matched rule IDs. We do not log prompt text or completions by default.

Full request/response logging is an opt-in feature (Starter and above). If enabled, prompt text and completions are stored in your audit trail subject to your retention period. You control this setting and can disable it at any time.

1.4 Website log data

We collect standard server logs, including IP addresses, browser type, referring URLs, and pages visited. These logs are used for security monitoring only.

1.5 Analytics

We use Plausible Analytics - a privacy-first tool that uses no cookies and collects no personal data. No consent banner required. We do not use Google Analytics or advertising trackers.

2. How we use your information

  • Provide, operate, and maintain the Services
  • Process transactions and send billing communications
  • Respond to support requests
  • Monitor for security incidents
  • Improve the Services via aggregated, anonymised analysis
  • Send product updates and security notices (opt-out available)

We do not sell your personal data. We do not use your data to train AI models.

3. Data sharing

  • Infrastructure providers: AWS, Hetzner - each has a signed DPA.
  • Payment processor: Stripe - PCI DSS compliant.
  • Error monitoring: Sentry - personal data is scrubbed before transmission.
  • LLM providers: When your app sends a request, the (possibly PII-redacted) prompt is forwarded to your chosen provider. You are responsible for your DPA with that provider.
  • Law enforcement: Where required by valid legal process. We notify you unless prohibited.

We do not share your data with advertisers or data brokers.

4. Data retention

Account data: retained for account lifetime plus 90 days post-deletion. Gateway metadata logs: 7 days (Free), 30 days (Starter), 90 days (Growth), configurable (Enterprise). Opt-in full logs follow the same schedule. Export or delete your audit data at any time from the dashboard.

5. Data residency

The Autrace cloud processes data in the EU (Frankfurt) and US (Virginia) by default. Enterprise plans may request dedicated single-region infrastructure. EU-only, US-only, and APAC residency options are available on Enterprise.

6. Security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). API keys are hashed and never stored in plaintext. All administrative actions are logged in the immutable audit trail. A SOC 2 Type II audit is in progress (target: Q3 2026).

7. Your rights (GDPR / CCPA)

You may have the right to access, correct, delete, or export your personal data, and to restrict or object to processing. To exercise these rights, contact privacy@autraceai.com. We respond within 30 days.

8. Children

The Services are not directed to children under 16. We do not knowingly collect their data. Contact us to request deletion if applicable.

9. Changes to this policy

Material changes are announced via email at least 14 days before taking effect. Continued use after the effective date constitutes acceptance.

10. Contact

Privacy questions: privacy@autraceai.com
Autrace, Inc.