Privacy Policy
Effective date: April 16, 2026
1. Data We Collect
- Account data: Email address, name, and OAuth profile information when you sign up.
- Usage data: API request metadata (model, provider, token counts, cost, latency, timestamps).
- Prompt content: Scheduled prompts and prompt templates store user-provided prompt content for deferred execution. Proxy requests that transit through InferLane are forwarded to the selected LLM provider and are not stored by InferLane after delivery. Confidential-tier workloads use architecture designed to prevent InferLane from accessing prompt content in transit.
- Payment data: Processed by Stripe. We store Stripe customer IDs and subscription status but never store full credit card numbers.
- Technical data: IP address (for compliance screening and abuse prevention), user agent, and request headers.
- Analytics: Usage analytics via PostHog, collected only with your explicit consent. No personally identifiable information is sent to PostHog.
2. Lawful Basis for Processing
Under GDPR Article 6, we process your data on the following legal bases:
| Data category | Lawful basis |
|---|---|
| Account data (name, email, OAuth profile) | Contract — necessary to provide the Service |
| Usage and spend data | Legitimate interest — service improvement, fraud prevention, and cost optimization |
| Payment and billing data | Contract (providing the Service) and Legal obligation (tax and financial record-keeping) |
| IP addresses and audit logs | Legal obligation — compliance with sanctions/export controls, fraud prevention |
| Analytics cookies | Consent — opt-in via cookie banner; not placed until you consent |
| Marketing emails | Consent — opt-in only, disabled by default |
3. How We Use Your Data
- To provide, maintain, and improve the Service.
- To process payments and manage subscriptions.
- To enforce acceptable-use policies and comply with sanctions/export controls.
- To send transactional emails (welcome, payout confirmations, subscription changes).
- To detect and prevent fraud and abuse.
- To make automated routing decisions (see Section 11).
4. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Usage and spend data: 1 year, then aggregated and anonymized.
- Proxy request logs: 90 days.
- Audit logs: 7 years (compliance).
- Financial records: 7 years (tax and regulatory compliance).
- Waitlist entries: 12 months, then deleted unless you create an account.
5. Your Rights
Under GDPR, CCPA, and similar regulations, you have the right to:
- Access: Request a copy of all personal data we hold about you (via
/api/account/export). - Deletion: Request deletion of your account and associated data.
- Portability: Export your data in a machine-readable JSON format.
- Rectification: Correct inaccurate personal data.
- Objection: Object to processing of your data for specific purposes.
- Withdraw consent: Withdraw consent for analytics cookies or marketing emails at any time without affecting the lawfulness of prior processing.
- Restrict processing: Request restriction of processing in certain circumstances.
6. Sub-Processors
We use the following third-party services to operate InferLane:
| Service | Purpose | Data processed |
|---|---|---|
| Stripe | Payments, KYC (Stripe Identity), operator payouts (Stripe Connect) | Payment info, identity verification data, subscription status, payout details |
| Neon (PostgreSQL) | Primary database (US region) | Account, usage, and transaction data |
| Vercel | Hosting and serverless functions (US East) | Application data in transit, server-side logs |
| PostHog | Product analytics (only with user consent) | Anonymized usage events; no PII sent |
| Resend | Transactional email delivery | Email address, email content |
| LLM providers (Anthropic, OpenAI, Google) | AI model inference | Prompt content in transit (forwarded, not stored by InferLane) |
| Cloudflare | DNS | DNS query data |
7. Cookies
InferLane uses the following cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
next-auth.session-token | Essential | Authentication — identifies your logged-in session | Session |
next-auth.csrf-token | Essential | CSRF protection | Session |
il_demo | Essential | Demo mode indicator | Session |
il_partner | Functional | Referral attribution | 90 days |
il_analytics_consent | Essential | Records your cookie consent preference | 1 year |
| PostHog cookies | Analytics | Anonymous product analytics | 1 year |
Analytics cookies (PostHog) are only placed after you give explicit consent via the cookie banner. You can withdraw consent at any time through your account settings. We do not use third-party advertising cookies.
8. International Transfers
Data may be processed in the United States. We rely on Standard Contractual Clauses (SCCs) for transfers from the EU/EEA. Our sub-processors maintain appropriate safeguards.
9. Security
We employ encryption at rest and in transit, role-based access controls, and regular security audits. Provider API keys are AES-encrypted before storage.
10. Changes
We may update this policy from time to time. Material changes will be communicated via email. The "Effective date" at the top reflects the latest revision.
11. Automated Decision-Making
InferLane uses automated routing logic to select AI model providers for your requests. This routing considers factors such as cost, latency, model quality scores, and your configured preferences. These decisions determine which provider processes your request and at what cost, but do not involve profiling or produce legal effects.
You can override automated routing decisions at any time by setting explicit provider preferences in your account settings or by specifying a provider directly in your API requests. You also have the right to request human review of any routing decision by contacting us at privacy@inferlane.dev.
12. Contact
For privacy inquiries, data export requests, or deletion requests, contact us at privacy@inferlane.dev.