Privacy Policy
Effective date: June 25, 2026
1. Data We Collect
- Account data: Email address, name, and OAuth profile information when you sign up.
- Usage data: API request metadata (model, provider, token counts, cost, latency, timestamps).
- Prompt content: Scheduled prompts and prompt templates store user-provided prompt content for deferred execution. For proxy requests, InferLane stores only requestmetadata (requested and routed model, provider, token counts, cost, latency, status, and timestamp) — it does not store the prompt or response content of a proxied request after delivery. To fulfil your request, however, the content of a proxied request necessarily transits the third-party LLM provider you select (for example Anthropic, OpenAI, or Google), which processes it under its own terms and privacy policy. Confidential-tier workloads use architecture designed to prevent InferLane from accessing prompt content in transit.
- Payment data: Processed by Stripe. We store Stripe customer IDs and subscription status but never store full credit card numbers.
- Technical data: IP address (for compliance screening and abuse prevention), user agent, and request headers.
- Analytics: Usage analytics via PostHog, collected only with your explicit consent. No personally identifiable information is sent to PostHog.
2. Lawful Basis for Processing
Under GDPR Article 6, we process your data on the following legal bases:
| Data category | Lawful basis |
|---|---|
| Account data (name, email, OAuth profile) | Contract — necessary to provide the Service |
| Usage and spend data | Legitimate interest — service improvement, fraud prevention, and cost optimization |
| Payment and billing data | Contract (providing the Service) and Legal obligation (tax and financial record-keeping) |
| IP addresses and audit logs | Legal obligation — compliance with sanctions/export controls, fraud prevention |
| Analytics cookies | Consent — opt-in via cookie banner; not placed until you consent |
| Marketing emails | Consent — opt-in only, disabled by default |
3. How We Use Your Data
- To provide, maintain, and improve the Service.
- To process payments and manage subscriptions.
- To enforce acceptable-use policies and comply with sanctions/export controls.
- To send transactional emails (welcome, payout confirmations, subscription changes).
- To detect and prevent fraud and abuse.
- To make automated routing decisions (see Section 11).
4. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Usage and spend data: 1 year, then aggregated and anonymized.
- Proxy request logs (metadata): 90 days.
- Transient response cache: To deduplicate identical requests sent moments apart, InferLane keeps a short-lived in-memory cache of proxied responses with a default time-to-live of approximately 30 seconds; entries expire and are evicted automatically and are never written to long-term storage. You can bypass it per request (for example with a
Cache-Control: no-cacheheader). - Audit logs: 7 years (compliance).
- Financial records: 7 years (tax and regulatory compliance).
- Waitlist entries: 12 months, then deleted unless you create an account.
5. Your Rights
Under GDPR, CCPA, and similar regulations, you have the right to:
- Access: Request a copy of all personal data we hold about you (via
/api/account/export). - Deletion: Request deletion of your account and associated data.
- Portability: Export your data in a machine-readable JSON format.
- Rectification: Correct inaccurate personal data.
- Objection: Object to processing of your data for specific purposes.
- Withdraw consent: Withdraw consent for analytics cookies or marketing emails at any time without affecting the lawfulness of prior processing.
- Restrict processing: Request restriction of processing in certain circumstances.
6. Sub-Processors
We use third-party sub-processors to operate InferLane. In summary, these cover hosting and serverless compute (Vercel), our primary database (Neon), rate limiting (Upstash), object and backup storage and underlying email infrastructure (AWS), transactional email delivery (Resend), payments, identity verification, and payouts (Stripe), consent-gated product analytics with no PII (PostHog), and the LLM inference providers you choose to route through (including Anthropic, OpenAI, and Google, among others).
The complete, authoritative, and regularly-updated list — including each sub-processor's purpose and processing location — is maintained on our Subprocessors page. AI inference providers are contacted only when you explicitly send a request through the InferLane proxy, and the content of that request transits the provider you select (see Section 1).
7. Cookies
InferLane uses the following cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
next-auth.session-token | Essential | Authentication — identifies your logged-in session | Session |
next-auth.csrf-token | Essential | CSRF protection | Session |
il_demo | Essential | Demo mode indicator | Session |
il_partner | Functional | Referral attribution | 90 days |
il_analytics_consent | Essential | Records your cookie consent preference | 1 year |
| PostHog cookies | Analytics | Anonymous product analytics | 1 year |
Analytics cookies (PostHog) are only placed after you give explicit consent via the cookie banner. You can withdraw consent at any time through your account settings. We do not use third-party advertising cookies.
8. International Transfers
Data may be processed in the United States. We rely on Standard Contractual Clauses (SCCs) for transfers from the EU/EEA. Our sub-processors maintain appropriate safeguards.
9. Security
We employ encryption at rest and in transit, role-based access controls, and regular security audits. Provider API keys are AES-encrypted before storage.
10. Data Breach Notification
No system is perfectly secure. If we become aware of a data breach involving your personal data that is likely to result in serious harm or risk to your rights, we are committed to notifying affected individuals and the relevant authorities without undue delay, targeting notification within approximately 72 hours of confirming the breach.
Where the Australian Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth) applies, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required. Where the GDPR applies, we will notify the competent supervisory authority in line with Article 33 (generally within 72 hours of becoming aware) and affected data subjects in line with Article 34 where the breach is likely to result in a high risk to their rights and freedoms.
11. Children's Privacy
The Service is not directed at children, and you must be at least 18 years old to use it (see our Terms of Service). We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a child, we will delete it promptly. If you believe a child has provided us with personal information, contact us at privacy@inferlane.dev.
12. Changes
We may update this policy from time to time. Material changes will be communicated via email. The "Effective date" at the top reflects the latest revision.
13. Automated Decision-Making
InferLane uses automated routing logic to select AI model providers for your requests. This routing considers factors such as cost, latency, model quality scores, and your configured preferences. These decisions determine which provider processes your request and at what cost, but do not involve profiling or produce legal effects.
Automated spend watchdog (auto-pause). To protect you from runaway spend, InferLane operates an automated spend watchdog. It monitors usage against your configured spend caps and may automatically pause an API key — warning you when a capped key crosses 80% of its daily cap, and, where you have enabled the corresponding anomaly action, automatically pausing the key when it detects an abnormal usage spike. A pause is an automated decision that can temporarily affect your access to the Service for the affected key. You can review and reconfigure these caps and anomaly actions, and re-enable a paused key, in your account settings.
You can override automated routing decisions at any time by setting explicit provider preferences in your account settings or by specifying a provider directly in your API requests. You also have the right to request human review of any routing or auto-pause decision by contacting us at privacy@inferlane.dev.
14. Contact
For privacy inquiries, data export requests, or deletion requests, contact us at privacy@inferlane.dev.