Privacy Policy
Last updated: May 2026
What we collect
- Account data — email, billing details, API keys you create.
- Request metadata — timestamp, model name, token counts, status code, latency. Used for billing, abuse detection, and quality monitoring.
- Request & response content — passed through to the upstream provider you invoked. We do not store the bodies by default. We may retain bodies up to 30 days only if you explicitly enable trace logging on your account.
What we don't do
- We do not train any model on your data.
- We do not sell your data.
- We do not share your prompts or completions with anyone other than the upstream provider you selected.
Upstream providers
When you invoke a model, your request body is forwarded to the provider hosting that model (Anthropic, OpenAI, Google, AWS, etc.). Each upstream has its own data policy — by using flatkey you accept that the provider you select will receive and may log your data per its own terms.
Data retention
- Metadata: kept for billing reconciliation and abuse audit, up to 24 months.
- Request bodies: not stored unless trace logging is on, in which case 30 days max.
- Account data: retained while your account is active, deleted within 90 days of closure (subject to legal retention requirements).
Security
API keys are stored salted and hashed. Database connections are TLS. Backend traffic is end-to-end encrypted across all upstreams.
Your rights
If you're in a jurisdiction with privacy rights (GDPR, CCPA, etc.) you can request access, correction, or deletion of your data by emailing hi@flatkey.ai. We respond within 30 days.