Privacy Policy
Plain-language summary: We log every message you send so we can (1) run the Service and (2) — only if you are a logged-in account holder who has explicitly opted in under the Financial Incentive Program at Settings → Privacy — include best-effort anonymized derivatives of your content in datasets we may sell or license. Data from anonymous-session users is never sold. Account conversations are kept until you delete them (or until they are automatically deleted, if you've set a retention window). IP addresses, User-Agent strings, HTTP headers, and account identifiers are never included in any sold dataset. You can opt out at any time with no loss of free-tier access.
1. What We Collect
To operate the Service we collect data about every message. Content is run through an automated best-effort PII scrubber (Microsoft Presidio + spaCy NER with custom recognizers, score threshold 0.7) before it is persisted to our trace store. Best-effort means the scrubber runs on every request but is not guaranteed to catch every piece of identifying information; see §3a.
- Session data: A session cookie keying anonymous and account use; UI preferences; your ToS/Privacy acceptance record (timestamp, ToS version, and IP of acceptance).
- Account data (if registered): Username, password hash (PBKDF2-SHA256), account-level Financial Incentive Program opt-in state, conversation retention preference, age-confirmation timestamp.
- Conversation content (scrubbed at ingest, best-effort): The full text of messages you send and responses you receive, after our automated PII scrubber has run. Pre-scrub raw content exists only transiently in memory while the request is routed to the upstream LLM provider; it is not persisted.
- Network information: IP address and X-Forwarded-For headers. Retained for up to 90 days for security and abuse purposes, then blanked from logs. Not included in any sold dataset — see §3a.
- Client information: User-Agent string and HTTP headers (excluding the Authorization header). Same 90-day retention and same exclusion from sold datasets.
- Request metadata: Timestamps, latency, the model requested, token usage, streaming status, error codes, A/B test assignments.
2. How We Use Your Data
2a. Service operation (always — no opt-out)
- Routing your messages to the appropriate LLM provider
- Service monitoring, analytics, and performance optimization
- Security, fraud detection, and abuse mitigation
- Statistical reporting (aggregated, non-identifying)
- Compliance with legal obligations
Our lawful basis under GDPR is legitimate interest (Article 6(1)(f)). You cannot opt out of service operation while continuing to use the Service — but data used solely for these purposes is never sold or licensed.
2b. Dataset creation, sale, and licensing (opt-in only, account holders only)
Only if you (a) are a logged-in account holder and (b) have explicitly opted in to the Financial Incentive Program at Settings → Privacy, best-effort anonymized derivatives of your messages may also be used for creating / publishing datasets and for commercial sale or licensing to third parties. Our lawful basis is consent (GDPR Art. 6(1)(a); Art. 7(3) withdrawal).
A per-request override (selling_consent: true|false) lets you opt an individual message in or out regardless of the account-level setting. The true override is refused for anonymous sessions — we have no way to honor your downstream rights without an account to tie them to.
3a. Best-Effort Anonymization Before Sale
Before any content is included in a dataset sold or licensed to a third party:
- Removed entirely, unconditionally: IP addresses, X-Forwarded-For headers, every non-content HTTP header, User-Agent strings, account identifiers (username, account ID, session ID, conversation ID where account-linked), error messages that may name internal systems, and timestamps below day-level granularity. These fields are excluded regardless of consent; consent authorizes use of content derivatives only.
- Best-effort PII removal from message content: Microsoft Presidio + spaCy en_core_web_lg NER with custom recognizers for email addresses, phone numbers, postal addresses, government identifiers (SSN, AU TFN, AU Medicare, AU ABN), payment card numbers, API keys and tokens, and URL-embedded credentials. Detected PII is replaced with numbered placeholders (e.g., <PERSON_1>) that preserve conversational coherence. Original values are not retained in any mapping table outside the single request's processing session.
- Aggregation: Where the use case allows, individual prompts are aggregated to further reduce re-identification risk.
Important caveat (read this before opting in): We use commercially reasonable efforts and standard tooling to minimize residual identifiability, but we do not represent, warrant, or guarantee that the output is anonymous, de-identified, or impossible to re-associate with you. We use "best-effort anonymized" everywhere in this Policy specifically to avoid that overclaim. If you submit content you would not want to see quoted in a research paper or reflected in a future model's output, do not opt in to the Financial Incentive Program — and remember that even opted-in users' most sensitive content (see Art. 9 prohibition at ToS §7) should not be submitted in the first place.
3b. Financial Incentive Program (CCPA §1798.125(b))
We offer different levels of service based on whether you consent to the use of your best-effort anonymized content for sale or licensing. This program is structured as a Financial Incentive Program under California Civil Code §1798.125(b). Participation is entirely optional and requires a registered account.
- What we provide if you opt in: Access to the Premium model tier (frontier-class models from major providers) in addition to the Free tier.
- What we provide if you opt out: Full access to the Free tier — a genuinely usable set of models, not a crippled placeholder. This is not a "pay or consent" arrangement.
- How to opt in: Settings → Privacy → toggle "Share anonymized content for Premium access".
- How to opt out: Same toggle, or email [email protected]. Opt-out applies going forward; data already distributed in third-party datasets cannot be recalled.
- Right to withdraw: You may opt back out at any time, free of charge, without losing access to your account or the Free tier.
Good-faith estimate of the value of consumer data and methodology: We estimate the value of an opted-in user's chat data to our business at approximately $0.20 to $2.00 USD per active user per month — higher than the API-side estimate because chat content tends to be longer-form, more conversational, and (after anonymization filtering) more useful for instruction-following dataset construction than developer API traffic. The value of Premium-model access we provide in exchange is in the same range, calibrated to the per-token retail price of equivalent commercial APIs.
3c. Data Sharing
- LLM providers: Your raw (pre-scrub) message is sent to the upstream LLM provider routing your request. This is the only category of recipient that receives un-scrubbed content, and only for the duration of generating a response. Each provider has its own privacy policy.
- Observability: Post-scrub request and response data may be sent to our observability platform (Datadog) for monitoring. Datadog acts as a processor under our instructions and is not a data purchaser under §3a.
- Data purchasers (only if you are Tier C): Best-effort anonymized datasets may be sold or licensed to AI labs, ML researchers, or data brokers under contracts including data-protection terms. These datasets contain only the content derivatives described in §3a; they do not contain IP addresses, User-Agent strings, headers, or account identifiers.
- Researchers (only if you are Tier C): We may publish best-effort anonymized datasets for non-commercial research, subject to the same field exclusions.
- Law enforcement: If required by applicable law or valid legal process. We will challenge overbroad requests where lawful and notify affected users where legally permissible.
4. Data Retention
- Account data (username, password hash, consent state, retention preference) is retained while your account is active.
- Conversations linked to an account are retained by default until you delete them (individually or via account deletion). You can set an auto-delete window in Settings → Privacy: conversations inactive longer than the chosen window are automatically deleted.
- Anonymous-session conversations are retained while the session cookie is valid (by default ~1 year, refreshed on use). Clearing your cookies orphans the records from any identifier you control; we perform a best-effort sweep of orphaned sessions annually.
- Identifying logs (IP addresses, X-Forwarded-For headers, User-Agent strings) are retained for at most 90 days. After 90 days, an automated job blanks these fields on the corresponding log rows.
- Scrubbed message content may be retained indefinitely for service operation (and, for Tier C users only, for potential inclusion in datasets as described in §3a). "Scrubbed" means it has passed through our best-effort PII pipeline; it does not mean perfectly anonymized.
- On account deletion: Account data, all linked conversations, and all linked identifying logs are deleted within 30 days. Best-effort anonymized historical content that has already been distributed in third-party datasets cannot be recalled — once a dataset is sold or licensed, it is out of our control. Going forward, no new data from your account will be included.
- DSAR audit log (records of access, deletion, and opt-in/opt-out requests) is retained indefinitely, without user content, for compliance audit purposes.
5. Your Rights
Regardless of jurisdiction, you may at any time:
- Access: Request a copy of personal data we hold about you. Account holders: Settings → Privacy → "Download My Data". Anonymous users: email [email protected] with your session cookie value or approximate session timestamps + IP so we can identify the records.
- Deletion: Request deletion of your account and associated data. Account holders: Settings → Privacy → "Delete My Account". Anonymous users: clear your browser cookies (which orphans the session), or email us with identifying details.
- Opt out of sale: Disable the Financial Incentive Program. Settings → Privacy. Your free-tier access is preserved; only Premium models become unavailable. Anonymous users are opted out by default — there is nothing to disable.
- Rectification: Request correction of inaccurate account data. Email us.
We respond to verifiable DSAR requests within 30 days (45 days under CCPA). For account-based requests we may require a signed-in session as verification; for anonymous-session requests we may require additional identifying information.
5a. Additional Rights for EU/EEA/UK Residents (GDPR / UK GDPR)
If you are in the European Economic Area or the United Kingdom, you also have the right to:
- Restriction of processing (Art. 18)
- Data portability — receive your data in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent for processing based on consent, at any time (Art. 7(3))
- Lodge a complaint with your national data protection supervisory authority
Lawful bases: legitimate interest (Art. 6(1)(f)) for service operation and security; consent (Art. 6(1)(a)) for the Financial Incentive Program. International transfers: our infrastructure is hosted outside the EEA; where we transfer EEA personal data internationally, we rely on Standard Contractual Clauses (SCCs) or other adequacy mechanisms recognized by the European Commission.
5b. Additional Rights for California Residents (CCPA / CPRA)
- Right to know: What categories of personal information we have collected, used, sold, or shared in the last 12 months.
- Right to delete (subject to §1798.105(d) exceptions)
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing. We sell personal information as defined under CCPA §1798.140 only for Tier C users. To exercise this right, Settings → Privacy → toggle off, or email [email protected].
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising these rights — except as expressly permitted under §1798.125(b) for our disclosed Financial Incentive Program (§3b above), where opting out reduces access to Premium models only, never to free-tier service.
5c. Additional Rights for Australian Residents (Privacy Act 1988)
- Access personal information we hold about you (APP 12)
- Correct inaccurate or incomplete personal information (APP 13)
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
We process some categories of regulated identifiers (including any TFN, ABN, or Medicare numbers that may appear in messages despite the prohibition at ToS §7). Our PII pipeline includes custom recognizers for these on a best-effort basis; detected matches are removed before any content is included in a sold dataset. We do not warrant perfect detection, and you should not submit such data in the first place.
6. Security
We implement reasonable technical and organizational measures to secure stored data, including PBKDF2-SHA256 password hashing, TLS in transit, and access controls on the trace store. No system is perfectly secure; use the Service at your own risk.
7. Children
The Service is available only to individuals aged 18 or older (16 or older in the EEA with parental consent). Each user confirms eligibility before first use — explicitly at account creation, and by continuing past the first-use banner for anonymous use. We do not knowingly collect data from individuals under these ages; if we identify a session or account in violation, we terminate it and delete associated data.
If you are a parent or guardian who believes a minor has used the Service, contact [email protected] for immediate deletion.
8. International Users
Data collected through the Service may be stored and processed in any country where we or our service providers operate. By using the Service, you consent to the transfer of your data subject to the safeguards described in §5a.
9. Cross-Property Notice
Logfare Chat (chat.logfare.ai) and the Logfare inference API (logfare.ai) are both operated by Logorhythms. They use the same consent model: anonymous use is free-tier, never-sold; account use is free-tier, never-sold by default; account + Financial Incentive opt-in unlocks Premium models in exchange for eligibility of anonymized content for sale. If you hold accounts on both properties, each account's consent state is independent — you can be opted in on one and opted out on the other.
10. Changes to This Policy
We may update this Privacy Policy. For material changes — for example, expanding the categories of data collected, adding new categories of data recipients, or changing the Financial Incentive Program structure — we will provide at least 30 days' advance notice via in-product banner and, for account holders, by email, and we will not retroactively apply the new terms to data collected before the change.
11. Contact
For privacy-related questions, DSAR requests, or any other data-related matters, contact [email protected] or reach out via the Logorhythms Discord.