Privacy Policy
This Privacy Policy explains how CONTINUUM AI PTE. LTD. (“OrcaRouter”, “we”, “us”) collects, uses, shares, and protects information when you use the OrcaRouter platform and related services (the “Service”). This Policy applies to the Service only; it does not cover third-party websites or services.
1. Scope
This Policy applies to personal information we process in our role as data controller when you create an account, browse our website, use our API, or otherwise interact with the Service. When we act as a data processor on behalf of a business customer (for example, under a Data Processing Addendum), the customer’s own privacy notice governs how end-user data is handled, and this Policy describes how we handle that data as a processor.
2. Information we collect
2.1 Account information
When you register or sign in, we collect:
- your email address;
- your display name (if provided);
- a password, stored only as a cryptographic hash (we never store or transmit it in clear);
- your single-sign-on provider identifier when you authenticate via Google, Microsoft, GitHub, or a supported OIDC provider.
2.2 Usage metadata
Each API request generates a small metadata record that we retain to operate, secure, and bill the Service. This record contains:
- a timestamp;
- the requesting API key’s identifier (not its secret value);
- the model requested and the provider to which it was routed;
- token counts (input and output);
- latency and HTTP status code;
- a truncated error message, if the upstream provider returned one;
- the source IP address of the request, used for rate-limiting and abuse prevention.
2.3 Billing information
Payments are processed by Stripe, Inc. We do not receive or store complete card numbers. From Stripe we receive and retain only: a customer identifier, card brand, the last four digits of the card, country, and invoice metadata. Refer to Stripe’s Privacy Policy for how Stripe processes your payment data.
2.4 Communications
If you email us or fill out a form, we receive the content of that communication and your contact details. Transactional emails (sign-in codes, password resets, invoices, security notices) are delivered through Mailgun.
3. How we use information
We use the information described above to:
- provide, operate, and maintain the Service — including routing requests to the provider you selected and returning responses to you;
- authenticate users and maintain account security;
- calculate and bill charges and manage subscriptions;
- detect, investigate, and prevent abuse, fraud, and violations of our Terms of Service;
- diagnose, troubleshoot, and improve performance and reliability (using metadata only, never prompt or output content);
- communicate with you about the Service, including security, legal, and service-change notices;
- comply with legal obligations and respond to lawful requests.
Under GDPR, our lawful bases are (i) the performance of our contract with you (Article 6(1)(b)); (ii) our legitimate interests in operating and securing the Service (Article 6(1)(f)); and (iii) compliance with a legal obligation (Article 6(1)(c)).
4. Subprocessors and disclosures
We rely on a small number of service providers to operate the Service. They access only the data they need to perform their function and are contractually bound to protect it.
| Subprocessor | Purpose | Location |
|---|---|---|
| Upstream LLM providers (OpenAI, Anthropic, Google, Together AI, Groq, and others) | Processing prompts you route to them | US / EU / per provider |
| Stripe, Inc. | Payment processing, subscription management | United States |
| Mailgun Technologies, Inc. | Transactional email delivery | United States |
| Cloudflare, Inc. | DDoS protection, bot mitigation, Turnstile CAPTCHA | Global edge |
| Cloud infrastructure provider (e.g., AWS, GCP) | Compute, storage, and network for the Service | Singapore / United States |
Disclosure for legal reasons. We may disclose information if we reasonably believe disclosure is required by law, legal process, or regulatory authority, or is necessary to protect the rights, property, or safety of OrcaRouter, our users, or the public.
Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to the acquiring party honoring the commitments in this Policy.
We do not sell your personal information within the meaning of the California Consumer Privacy Act (“CCPA”) or equivalent laws, and we do not share it for cross-context behavioral advertising.
5. International data transfers
The Service is operated from Singapore and relies on service providers in the United States, the European Union, and other jurisdictions. When personal data is transferred out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards including the European Commission’s Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, or equivalent mechanisms.
6. Data retention
We retain information only as long as we need it:
| Category | Retention |
|---|---|
| Account information | For the life of the account, plus 30 days after deletion |
| Usage metadata (timestamps, model, tokens, latency) | 13 months rolling |
| Billing and invoice records | 7 years (tax and accounting compliance) |
| Prompt and output content | Not retained (in-transit only) |
| Server and security logs | 90 days |
| Support correspondence | 24 months after last contact |
We may retain information longer when required by law, when needed to resolve a dispute, or to enforce our agreements.
7. Your rights (GDPR, UK GDPR, CCPA)
Depending on where you live, you may have the right to:
- Access the personal information we hold about you;
- Rectify inaccurate or incomplete information;
- Delete your personal information (right to be forgotten);
- Port your data in a structured, machine-readable format;
- Restrict or object to certain processing, including processing based on legitimate interests;
- Withdraw consent where processing is based on consent (without affecting prior processing);
- Opt out of any sale or sharing of personal information (we do not sell or share).
To exercise any of these rights, email privacy@orcarouter.ai. We will respond within the timeframe required by applicable law (generally 30 days under GDPR and 45 days under CCPA, extendable where permitted). We may need to verify your identity before fulfilling a request.
You also have the right to lodge a complaint with a supervisory authority in your country. For EU residents, that is your local Data Protection Authority; for UK residents, the Information Commissioner’s Office (ICO).
8. Children
The Service is not directed to individuals under 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such information, we will delete it promptly. Parents or guardians who believe their child has provided us personal information may contact us at privacy@orcarouter.ai.
9. Security
We protect your information with administrative, technical, and physical safeguards appropriate to the risk, including:
- TLS 1.2+ for all data in transit;
- encryption at rest for databases containing personal data;
- principle-of-least-privilege access controls and audit logging for production systems;
- hashed credential storage, multi-factor authentication for operators, and regular rotation of secrets;
- periodic security reviews and third-party penetration testing.
No system is perfectly secure. If we learn of a security incident that affects your personal information, we will notify you and, where required, the relevant supervisory authority, in accordance with applicable law.
10. Cookies and similar technologies
We use only the cookies and local-storage items we need to operate the Service:
- a session / authentication token after you sign in;
- your selected language preference;
- a CSRF token for form submissions;
- theme preference (light / dark).
We do not use advertising cookies, third-party analytics cookies, or cross-site tracking pixels on the product surface. A future, strictly optional, analytics integration will be disclosed in this Policy and will require your consent where required by law.
11. Changes to this Policy
We may update this Policy from time to time. If a change is material (for example, a new category of data collected or a new subprocessor that expands the scope of processing), we will notify you by email, via an in-product notice, or both, at least thirty (30) days before the change takes effect. Non-material changes take effect upon posting. The date at the top of this Policy shows when it was last updated.
12. Contact
Privacy questions and rights requests:
privacy@orcarouter.ai
Data Protection Officer:
dpo@orcarouter.ai
Legal and contract matters:
legal@orcarouter.ai
CONTINUUM AI PTE. LTD.
Singapore