Andain Router

Privacy Policy

Last updated: May 4, 2026

This content is provided for informational purposes and does not constitute legal advice. Andain Router is built around Bring Your Own Key (BYOK): your organization supplies credentials to upstream model providers; configure and review obligations with counsel before relying on these pages in production.

This Privacy Policy explains how Andain Router and its operators ("we," "our," or "us") collect, use, disclose, and protect information when you visit our websites, interact with Andain Router documentation or community forums, subscribe to managed or hosted Router services we offer, integrate with Router using your organization's own provider credentials (BYOK — bring your own key), or run Router software on your infrastructure.

Overview and BYOK

Andain Router is positioned as routing and tooling for inference requests. Except where explicitly described in a supplement for a hosted product offering, Router does not require you to use our upstream API keys as the default integration model: you configure end-user or organizational credentials for each configured model provider when you operate the software. Prompts and responses are ordinarily handled between your applications, Router, and the third-party inference providers whose terms you agree to separately. We encourage you to read those providers' privacy notices and DPAs alongside this Policy.

What this Policy covers

  • Marketing and documentation websites that describe Router, linking to OSS repositories and optional signup flows.
  • Community and support surfaces such as discussions or issue trackers on third-party platforms (those services have their own policies).
  • Self-hosted deployments you operate: we may receive limited telemetry or support logs only if you choose to enable them or share them with us; otherwise data remains on your systems.
  • Managed / hosted Router, if offered: supplemental terms may describe subprocessors, retention, and security attestations beyond this general Policy.

Information we may collect

Information you provide directly

  • Contact details (such as name, email, organization) when you request information, create an account for hosted services, join a waitlist, or correspond with support.
  • Billing identifiers and invoicing contacts when you subscribe to fee-based offerings; payments may be processed by processors subject to their own terms.
  • Content you voluntarily submit — for example, support tickets, feature requests, or bug reports — including any attachments or reproductions you attach.

Automatically collected technical data

  • Log data such as IP address, timestamps, approximate location derived from IP, user agent, referrer, and coarse device or browser identifiers when you browse our websites or authenticate to managed services we operate.
  • Operational telemetry for Router instances we host — for example routing metadata, aggregated error rates, request volume, latency, and configuration fingerprints — to operate, secure, and improve the service. Telemetry design should exclude or minimize payloads when feasible; specifics may be described in the hosted-service documentation or DPA addendum.
  • Cookies or similar technologies on our marketing surfaces (for example preference storage, session IDs, or, where used, analytics). You can control cookie behavior through browser settings where applicable.

Inference traffic routed through Router

When Router forwards requests using keys you supplied, the third-party inference provider, rather than Router's publisher, primarily processes model inputs and outputs under that provider's policies. On self-hosted installs, inference content typically stays inside your perimeter except as sent to configured providers or any logging you enable locally. Where we operate hosted Router: prompts and completions may traverse our managed environment only as reasonably necessary for routing — treat that environment per your contractual controls and DPIA requirements.

How we use personal information

  • To provide websites, signup flows, OSS documentation, downloads, releases, and support.
  • To authenticate users, authorize access tiers, troubleshoot incidents, enforce acceptable use policies, and secure against abuse or fraud.
  • To maintain, optimize, meter, invoice, analyze usage patterns at an aggregate level for capacity planning, and improve reliability — including training internal models only if a separate lawful basis and clear notice exist; absent such notice do not infer that free-form prompt text is repurposed for model training by us without contractually agreed terms.
  • To communicate service changes, outages, lifecycle notices for versions you run, surveys (where opted-in), and legal or safety notices required by regulators.
  • To comply with law, subpoenas reasonably interpreted as valid where we honor them, lawful government demands, audits, merger diligence (under confidentiality), corporate transactions, rights defense, or agreement enforcement.

Legal bases (EEA, UK, and similar regions)

Depending on jurisdiction, grounds may include: performance of an agreement or pre-contract measures; legitimate interests (security, aggregated analytics subject to balancing tests); consent where we ask for it (newsletters, non-essential cookies); legal obligations. You may lodge complaints with supervisory authorities and may have the rights enumerated below, subject to exemptions.

Sharing and onward disclosure

  • Processors and subprocessors who assist hosting, CDN, observability, email delivery, billing — bound by contractual data processing terms where GDPR or equivalent regimes apply.
  • Model providers naturally receive payloads you route when your keys authorize those calls; that relationship is principally between your organization (or downstream end users instructed by your product terms) and the provider unless we supply keys under a supplemental commercial offering expressly described elsewhere.
  • Professional advisors, insurers, auditors, or acquirers under confidentiality in corporate events.
  • Legal and safety disclosures when we believe disclosure is legally required or necessary to protect rights, property, or safety.

Retention

We retain personal data only as long as reasonably needed for the purposes above, dispute resolution, contract performance, troubleshooting, backups in rolling windows, audit, tax, legal compliance, or anonymized aggregates. Hosted logs may rotate on short windows; credential material you store in our hosted systems should rely on KMS or vault patterns described in security documentation — we do not intend to retain raw provider secret keys beyond operational necessity unless you choose long-lived storage features with explicit risks accepted in product terms.

Security

We implement administrative, technical, and organizational measures appropriate to the risk — including access controls, encryption in transit for services we operate, monitoring, and incident response processes. No method of transmission or storage is perfectly secure; you are responsible for securing your own endpoints, keys, and self-hosted deployments.

Your choices and rights

Subject to law, you may request access, rectification, deletion, restriction, portability, or objection to certain processing, and may withdraw consent where processing was consent-based. Identity verification may apply. For hosted accounts, use in-product settings or support channels. If we cannot resolve a concern, you may contact your regulator. We do not sell personal information in the "sale" sense under U.S. state laws that define that term; if we add programs that could constitute sales or sharing for cross-context behavioral advertising we will update this Policy and offer opt-outs as required.

International transfers

If we transfer personal data across borders, we employ appropriate safeguards such as Standard Contractual Clauses or other mechanisms recognized by applicable law, plus supplemental measures when assessments require them.

Children

Router and our commercial sites are not directed to children under 16 (or higher age where required). We do not knowingly collect personal information from children. If you believe we have, contact us and we will take prompt steps to delete it.

Changes to this Policy

We may update this Privacy Policy periodically. Material changes will be highlighted (for example banner, email, changelog) when appropriate. Continued use after the effective date constitutes notice of updates where permitted by law. The "Last updated" date above reflects revisions.

Contact

Privacy-related requests or questions regarding this Policy: use our community forums at github.com/your-org/andain-router/discussions, open an issue privately if security-sensitive, or use the contact channel stipulated in any written ordering document for hosted services you purchase. Related terms appear in our Terms of Service.


Open-source LLM gateway: one OpenAI-compatible surface, your keys, optional managed hosting.

© 2026 Andain Router. Open source under the project license.
