Privacy.
A short, honest privacy policy for a product that lives or dies on whether you trust the audit. No dark patterns, no "we may share with selected partners."
What this is.
Ainfera is an inference router for autonomous agents. To operate it, we store account data (email, GitHub handle, billing) and the metadata of each routed call (model chosen, cost, timestamp, audit hash). We do not store your prompts or responses in any database we control — and the public audit log stores only hashes of those, never their contents.
What we collect.
Account. Email, public GitHub profile fields (handle, avatar URL), the workspace name you choose, billing details when payment turns on at GA.
Inference metadata. For each routed call: model chosen, candidate set, caps applied, token counts, latency, cost, timestamp, agent id. Required to bill, route, and prove.
Content (transient). Prompts and responses pass through our system to reach the model. By default, they are never persisted — we store only salted SHA-256 commitments (hashes) of the prompt and response, not the content itself. A workspace may explicitly opt in to 24-hour diagnostic retention for debugging; this is off by default and must be activated per workspace.
Telemetry. Crash logs, API error rates, region. No tracking pixels on the marketing site. No third-party analytics on the dashboard. why →
What lands on the public audit log.
The chain stores only the hashes of prompts and responses, not their contents. It stores the decision shape — candidate set, caps, winner, policy version — and dollar amounts. It does not store agent metadata, your prompts, or anything that could re-identify a user.
prompt_hash # sha-256 of canonical prompt
response_hash # sha-256 of canonical response
decision_hash # sha-256 of routing decision
cost # direct cost, margin, billed (USD)
timestamp # UTC, second precision
prompt_hash· sha-256 of canonical prompt · prompt itself never on the audit logresponse_hash· sha-256 of canonical response · response itself never on the audit logdecision_hash· sha-256 of canonical routing decision · the candidate setcost· direct cost, margin, billed amount, in USDtimestamp· UTC, second precision
The audit log is an Ed25519-signed append-only chain. It is public and we can't take a hash off it once posted. read the audit page →
How we use what we collect.
- Route your calls within your caps · the product
- Bill you for inference · the only revenue
- Show you the dashboard · operational
- Notify you of incidents · operational
- Compute the leaderboard on /models · aggregate, not per-account
We do not sell, license, or rent any of it. We do not train models on your traffic. We do not use it to "improve user experience" in any sense beyond the operational ones above.
if request.kind == "sell-data":
return "no"
if request.kind == "train-on-traffic":
return "no"
if request.kind == "rent-data":
return "no"
How long we keep things.
- Prompts & responses — zero retention by default. Content is never persisted; only salted SHA-256 commitments are stored. Optional 24-hour diagnostic retention available per workspace opt-in.
- Inference metadata — indefinite. The audit is the product.
- Account & billing — duration of the account + 24 months for tax/audit compliance after closure
- Audit log hashes — forever. We cannot remove them. By design.
prompts.content = 0d (never persisted)
prompts.commitment = salted SHA-256 # verifiable, not reversible
diagnostic.retention = 24h opt-in # per workspace, off by default
inference.metadata = indefinite
account.billing = tenure + 24mo
chain.hashes = forever # audit log, by design
Your rights.
Wherever you live, you can email privacy@ainfera.ai and ask us to: show you the data we hold on you, correct it, delete it, export it, or stop processing it. We respond in <30 days, usually within a week.
Deletion is irreversible for everything except audit log hashes (which can never be deleted by anyone, including us — that's the point).
If you're in the EU, UK, California, or Brazil.
EU/UK (GDPR/UK-GDPR). Ainfera Inc. is the data controller for account data and the data processor for inference content. Lawful basis: contract (operating the service), legitimate interest (security and fraud), consent (optional analytics). Cross-border transfers under EU SCCs; UK transfers under the UK Addendum. DPA on request →
California (CCPA/CPRA). We do not sell or share your personal information as those terms are defined under California law. You may request access, correction, deletion, or portability via the address above. We honor the Global Privacy Control signal.
Brazil (LGPD). Ainfera processes Brazilian personal data under contract and legitimate interest. Brazil-located requests routed through the same privacy@ address.
Children.
Ainfera is a developer infrastructure product. We do not knowingly collect data from users under 18. If you believe we have, write to privacy@ainfera.ai and we will delete it on confirmation.
How this policy changes.
Material changes get 30 days' notice, in this feed and by email to all account holders. Non-material changes (typos, link updates) are reflected immediately and noted in the version history. Every version is signed by the founder and posted on the audit log — see the meta column above for the diff link.
v4 (2026-07-12).Retention default flipped from 30-day hot + 365-day archive to zero content retention. Prompt/response content is no longer persisted by default; only salted SHA-256 commitments are stored. Optional 24-hour diagnostic retention available per workspace opt-in. Claim language updated to match runtime behavior. Audit log language updated from overstated anchoring language to "Ed25519-signed append-only audit log."
Talk to us.
Privacy questions, data requests, DPA needs, anything else:
- privacy@ainfera.ai — primary
- hello@ainfera.ai — general
- /contact — form