Privacy Policy

Last updated: June 30, 2026

Overview

OriginStart AI ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI API Gateway service. For users in the United Kingdom and European Economic Area, we process personal data in line with applicable data protection laws, including the UK GDPR, EU GDPR, the Data Protection Act 2018, and the UK Privacy and Electronic Communications Regulations (PECR).

Information We Collect

Account Information

  • Email address
  • Name and organization details
  • Billing and payment information

API Usage Data

  • Request metadata (timestamp, model, token count, response time)
  • API keys and routing preferences
  • Error logs and performance metrics

What We DO NOT Collect

  • We do not store prompt content or AI responses. Your API requests pass through our routing layer but are not logged or retained.
  • We do not track your end users or their behavior.
  • We do not sell your personal data. If and when we use optional analytics or marketing cookies, we will provide an appropriate consent mechanism where required by law.

How We Use Your Information

  • Service delivery: Route API requests, cache responses, track usage quotas
  • Billing: Calculate costs, generate invoices, process payments
  • Analytics: Show you real-time dashboards and cost breakdowns
  • Support: Troubleshoot technical issues and respond to inquiries
  • Security: Detect fraud, prevent abuse, and maintain service integrity
  • Measurement and marketing: Measure website performance, understand campaign effectiveness, and improve onboarding. If and when we use optional analytics or marketing cookies, we will provide an appropriate consent mechanism where required by law.

Data Retention

  • Usage metadata: Retained for 90 days for billing and analytics
  • Account information: Retained until account deletion
  • Cached responses: Automatically expire based on your cache TTL settings (default 24 hours)

Data Security

We implement industry-standard security measures:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • SOC 2 Type II certified infrastructure
  • Regular third-party security audits
  • API keys encrypted and never logged in plaintext
  • Multi-region redundancy with automatic failover

Third-Party Services

We integrate with the following third parties:

  • AI Providers: Your API requests are routed to providers like Anthropic, OpenAI, Google. Each provider has their own privacy policy.
  • Payment processors: Stripe handles payment processing (PCI DSS compliant).
  • Infrastructure: AWS and Cloudflare for hosting and CDN.
  • Analytics and advertising partners: Services such as Google Analytics, Google Ads, and Meta may be used to measure site performance and advertising effectiveness. If and when we use optional analytics or marketing cookies, we will provide an appropriate consent mechanism where required by law.

Your Rights

You have the right to:

  • Access: Request a copy of your data via your account dashboard
  • Correct: Ask us to correct inaccurate account information
  • Delete: Request account deletion (data deleted within 30 days unless we must retain limited records for legal, billing, or security reasons)
  • Restrict or object: Ask us to restrict certain processing or object to processing based on legitimate interests
  • Export: Download usage logs and billing history as CSV
  • Withdraw consent: Withdraw cookie or marketing consent where processing is based on consent
  • Complain: UK users may contact the Information Commissioner's Office (ICO), and EEA users may contact their local supervisory authority

To exercise these rights, email us at privacy@originstart.ai

Cookies

We use essential cookies for authentication, security, and session management. We may also use optional analytics and marketing cookies or similar technologies to measure website performance and advertising effectiveness. Non-essential cookies are described in our Cookie Policy. If and when we use optional analytics or marketing cookies, we will provide an appropriate consent mechanism where required by law.

International Data Transfers

Your data may be processed in data centers located in the US, UK, EU, and Asia-Pacific. Where personal data is transferred internationally, we use appropriate safeguards such as Standard Contractual Clauses, the UK International Data Transfer Addendum or equivalent mechanisms required by UK GDPR and EU GDPR.

Children's Privacy

Our service is not directed to individuals under 18. We do not knowingly collect data from children.

Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be announced via email 30 days in advance.

Contact Us

For privacy questions or data requests: