Skip to main content

Privacy Policy

Last updated: February 25, 2026

Data Controller

The data controller responsible for processing your personal data is the operator of OpenLimits. For questions about data processing or to exercise your rights, please contact us through the dashboard or reach out directly.

1. What Information Do We Collect?

In Short: We collect minimal information necessary to operate the Service — primarily account identifiers and usage metadata.

Information You Provide

When you register for an account, the following information is collected:

  • A username or label you choose for your account
  • An API key generated by us for authenticating your requests
  • Dashboard login credentials (session-based authentication)

Information Collected Automatically

When you interact with the Service, we automatically collect:

  • Request metadata: AI model used, token counts (input tokens, output tokens, cache read tokens, cache write tokens), timestamps, HTTP status codes
  • IP addresses — used solely for rate limiting and abuse prevention; not stored in long-term databases
  • Aggregated daily usage statistics per account
  • Browser and device information when accessing the dashboard (via standard HTTP headers)

Information We Do NOT Collect

  • We do not log, store, read, or inspect the content of your API requests or responses (your prompts, messages, completions, or any conversation content)
  • We do not collect personal information beyond what is described above
  • We do not use tracking cookies, advertising pixels, or analytics services that profile individual users. Session cookies are used exclusively for dashboard authentication
  • We do not sell, rent, or trade your personal information to any third party

All personal information you provide must be truthful and accurate. Please inform us of any changes to your information.

2. How Do We Process Your Information?

In Short: We process your data to deliver and maintain the Service, secure your account, and comply with legal requirements.

We use the information we collect for the following purposes:

  • Authenticating and authorizing your API requests via your API key
  • Displaying usage analytics and statistics in your dashboard
  • Detecting and preventing abuse, fraud, and unauthorized access
  • Monitoring Service health, performance, and uptime
  • Communicating with you regarding your account or Service-related matters
  • Complying with applicable legal obligations

3. When and With Whom Do We Share Your Information?

In Short: We share data only with the infrastructure providers necessary to deliver the Service.

Your data may be processed by the following third parties:

  • Anthropic: Your API requests are proxied directly to Anthropic's API. The content of your requests is transmitted to Anthropic and governed by Anthropic's Privacy Policy. We act as a pass-through and do not inspect request content.
  • Cloudflare: Our infrastructure runs on Cloudflare Workers, D1 (database), and KV (key-value storage). Cloudflare processes HTTP requests as part of delivering the Service, including IP addresses and HTTP headers. See Cloudflare's Privacy Policy.

We do not share your data with advertising networks, data brokers, or any parties not listed above. We may disclose information if required by law, legal process, or to protect the rights, property, or safety of OpenLimits, its users, or the public.

4. Data Retention

In Short: We retain data only as long as necessary for the purposes described in this policy.

  • Account data: Retained for the lifetime of your account. Upon account deletion, data is removed within 30 days.
  • Request event metadata: Retained for analytics and billing purposes for as long as your account is active.
  • Aggregated daily statistics: Retained indefinitely in anonymized form.
  • Session cookies: Expire after 24 hours.
  • IP addresses: Used transiently for rate limiting; not written to persistent storage.

When retention is no longer necessary, data is securely deleted or anonymized. If immediate deletion is not feasible (e.g., data in backup archives), the data is isolated from further processing until deletion is possible.

5. Data Storage and Security

In Short: We employ industry-standard measures to protect your data, but no system is perfectly secure.

We implement the following technical and organizational safeguards:

  • All data in transit is encrypted via TLS/HTTPS
  • Dashboard sessions use HMAC-signed, HttpOnly, Secure, SameSite=Strict cookies with 24-hour expiry
  • API keys are stored securely and transmitted only over encrypted connections
  • Access to production infrastructure is restricted to authorized personnel
  • Data is stored on Cloudflare's globally distributed infrastructure with built-in redundancy

Despite these protections, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security against unauthorized access, alteration, or disclosure. You transmit data to and from the Service at your own risk and should access the Service only within a secure environment.

6. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases as defined by the General Data Protection Regulation:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide you with the Service, manage your account, authenticate requests, and track usage.
  • Legitimate Interests (Art. 6(1)(f)): Processing necessary for fraud prevention, security monitoring, infrastructure optimization, and Service improvement — provided these interests do not override your fundamental rights.
  • Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable tax, accounting, or regulatory requirements.
  • Consent (Art. 6(1)(a)): Where applicable, processing based on your explicit consent. You may withdraw consent at any time by contacting us.

7. Your Rights Under GDPR

If you are located in the EEA or United Kingdom, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data under certain circumstances.
  • Right to Restriction: Request that we restrict processing of your data in specific situations.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us through the dashboard or reach out directly. We will respond within one month as required by law.

8. Right to Lodge a Complaint

If you believe our processing of your personal data violates applicable data protection law, you have the right to file a complaint with your local data protection supervisory authority.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell your personal information. No opt-out is necessary.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us through the dashboard or reach out directly.

10. International Data Transfers

Our primary infrastructure operates on Cloudflare's global network. Depending on your location, your data may be processed in regions outside your country of residence, including the United States and Europe. Where data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that a user under 18 has provided us with personal data, we will take steps to delete that information promptly. If you believe a minor has provided us with personal data, please contact us immediately.

12. Updates to This Policy

We may revise this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The updated version will be indicated by a revised “Last updated” date. If we make material changes, we may notify you by prominently posting a notice or through other appropriate channels. We encourage you to review this policy periodically.

13. How to Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please reach out through our dashboard or contact us directly.

14. Managing Your Data

You can view your usage data at any time through the dashboard. To request a full export or deletion of your data, contact us directly. We will process your request in accordance with applicable law and respond within the timeframes required by regulation.