Last updated: April 22, 2026 · Effective: April 22, 2026
This Privacy Policy explains how Roushan, Inc. (a Delaware corporation, principal office in Dover, Delaware; “Roushan”, “we”, “us”) collects, uses, shares, and protects personal information in connection with the AIgateway and AI Gateway websites, APIs, dashboards, and related services (the “Service”). By using the Service you agree to this Policy.
We do not train on your data. We do not sell your data. We keep only what we need to bill you, return your response, and debug outages. You can delete your account and your logs at any time.
For your account data (email, payment info, etc.) we act as a data controller. For Customer Content you send through the API (prompts, files, completions) we act as a data processor on your behalf. If you process the personal data of EU/UK/Swiss individuals through the Service, the Data Processing Addendum at aigateway.sh/dpa applies and is incorporated by reference.
3.1 Account data. Email, hashed password (or OAuth identifier such as Google or GitHub ID), organization name, billing name and address, last-4 and card-brand of the payment method (full card is held by Stripe; we do not see it), country, and preferred currency. Retained while your account is active.
3.2 API traffic metadata. Timestamp, request ID, model slug, upstream provider, token counts, latency, HTTP status code, cost, cache-hit flag, optional x-aig-tag header, source IP address (truncated to /24 for IPv4 and /48 for IPv6 within 24 hours), and user-agent. Retained 90 days for billing reconciliation and fraud detection, then aggregated to counters.
3.3 Request and response bodies. Archived only when you opt in by enabling the replay primitive or the logs feature. Retention is whatever window you configure — default 7 days on Free, 30 days on Pro, 90 days max on Enterprise unless you request longer in a signed agreement.
3.4 Website + dashboard analytics. Cloudflare Web Analytics (cookieless, no personal identifiers) for aggregate page-load, route, and performance metrics.
3.5 Support communications. Anything you send to support@, security@, privacy@, legal@, or abuse@aigateway.sh, retained 2 years unless you ask us to delete sooner.
We do not use prompts, completions, embeddings, or other Customer Content to train, fine-tune, or evaluate any model — ours or anyone else's — and we do not sell or rent Customer Content.
Where GDPR or UK GDPR applies we rely on: (a) contract — to provide the Service you asked for; (b) legitimate interest — to secure the Service, prevent fraud, and improve performance (balanced against your rights); (c) legal obligation — to comply with tax, accounting, and law-enforcement requirements; (d) consent — for marketing email, cookies other than strictly necessary, and any special-category data you choose to send; consent can be withdrawn at any time.
When you call a third-party model (Anthropic, OpenAI, Google, xAI, Moonshot, Meta, Deepgram, ElevenLabs, Black Forest Labs, Inworld, Cloudflare Workers AI, etc.), we forward your request to that provider under our account. Their data-handling terms apply to the forwarded data for the duration of the request. We negotiate zero-retention terms with every provider where available and surface those flags on the models page.
Beyond upstream providers, we share personal information only with our sub-processors (listed in the DPA), with your explicit authorization, or when required by law (court order, subpoena, lawful government demand). We do not sell personal information or share it for cross-context behavioral advertising.
We are based in the United States. For transfers from the EEA, United Kingdom, or Switzerland we rely on the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum (IDTA), and the Swiss Federal Data Protection Act. Copies of the signed SCCs/IDTA are available on request and attached to the executed DPA.
| Data type | Retention |
|---|---|
| Account data | Life of account + 90 days |
| Billing / invoices | 7 years (tax law) |
| API traffic metadata | 90 days, then aggregated |
| Request / response bodies (if enabled) | Customer-configured; default 7 days (Free), 30 days (Pro), up to 90 days (Enterprise) |
| Source IP (truncated) | 24 hours |
| Security / audit logs | 13 months |
| Support tickets | 2 years or on request |
| Backups | Rolling 35 days |
You can export, correct, or delete your data from the dashboard, or by emailing privacy@aigateway.sh. Depending on where you live, you may also have the right to restrict or object to certain processing, withdraw consent, obtain data in a portable format, or lodge a complaint with a supervisory authority. We honor verified requests within 30 days (extendable by 60 days in complex cases).
Categories of personal information collected in the last 12 months: identifiers (email, account ID), commercial information (transactions, credits), internet / network activity (API metadata), geolocation (country-level from IP), and inferences (usage patterns). We do not knowingly collect sensitive personal information as defined by CPRA unless you voluntarily include it inside a prompt.
Purposes: the uses described in §4 above.
Sources: you, your devices, our payment processor, and our sub-processors.
Recipients: upstream model providers (at your request), sub-processors listed in the DPA, and lawful authorities when required.
Sale / sharing. We do not sell personal information or share it for cross-context behavioral advertising.
Your CCPA rights: to know, access, correct, delete, limit use of sensitive personal information, and not be discriminated against for exercising these rights. Submit a request to privacy@aigateway.sh with the subject line “CCPA request”. We verify requests by account email and recent request-ID match.
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Delaware (DPDPA), Iowa, Montana, Tennessee, Minnesota, Indiana, New Jersey, and other states with enacted privacy laws have substantially similar rights. Submit requests to privacy@aigateway.sh with the state name in the subject.
If you are in India, you have the right to access, correct, erase, and withdraw consent for your personal data, and to nominate a successor. You may lodge a grievance with our Grievance Officer:
Rakesh Roushan
Grievance Officer, Roushan, Inc.
grievance@aigateway.sh
Response time: 30 days
If your grievance is not resolved you may escalate to the Data Protection Board of India.
If you are in Brazil, you have rights under the LGPD (Lei Geral de Proteção de Dados) substantially equivalent to GDPR, including access, correction, anonymization, portability, deletion, and consent withdrawal. Contact privacy@aigateway.sh.
See our Cookie Policy. We use Cloudflare Web Analytics, which is cookieless. Authentication sessions use first-party, HTTPOnly, Secure, SameSite=Lax cookies that are strictly necessary.
All traffic is TLS 1.3. Data at rest is encrypted with AES-256-GCM. Access to production is MFA-only and logged. We run annual third-party penetration tests. We hold SOC 2 Type I and are pursuing SOC 2 Type II (target 2026 Q3). Incident reports go to affected customers within 72 hours of confirmation. See /security for full posture.
We send marketing email only with your consent (for example, when you opt in to the changelog newsletter). Every marketing email has a one-click unsubscribe. We comply with the U.S. CAN-SPAM Act, Canada's CASL, and the GDPR/ePrivacy consent requirements in the EU/UK. Transactional messages (account, billing, security, deprecation notices) are sent on the lawful basis of contract performance and are not opt-out.
The Service is not directed to children under 13 (or 16 in the EU/UK). We do not knowingly collect personal information from them. If you believe a child has provided us personal information, email privacy@aigateway.sh and we will delete it.
We do not use personal information for automated decisions that produce legal or similarly significant effects on you without meaningful human review.
We may update this Policy from time to time. For material changes we will give at least 30 days' notice via email or a prominent notice on the Service. The current version is at aigateway.sh/privacy.
Privacy questions: privacy@aigateway.sh
Data protection requests: privacy@aigateway.sh (subject: “DSAR”)
India Grievance Officer: grievance@aigateway.sh (Rakesh Roushan)
Mailing address: Roushan, Inc., 1111b S Governors Ave, STE 55131, Dover, DE 19904, USA
Phone: (838) 388-3047