Privacy Policy
Last updated: 2026-04-23
Privacy Policy
1. Scope
This Privacy Policy describes how l3k ("we", "us") collects, uses, and shares personal data when you use our Service at alloneia.com. For the meaning of "Service", see our Terms of Service.
2. Data we collect
- Account data: email address, authentication identifiers (including Google OAuth tokens if you sign in with Google), chosen display name, language preference.
- API keys: stored as SHA-256 hashes. We retain only a short prefix (for example,
sk-l3k-abc…) for identification in the dashboard. We do not retain the raw key. - Usage events: metadata about your API calls — timestamp, model identifier, request status, latency, input-token count, and output-token count. We do not store the content of your prompts or the content of model outputs.
- Billing data: handled by our payment processor; we receive only confirmation of successful transactions and last-four digits of your payment method.
- Technical data: IP address, user agent, browser fingerprint where legally permissible, collected through standard server logs.
3. How we use it
- Provide the Service and route your requests to downstream model providers.
- Authenticate you and secure your account.
- Meter usage and bill prepaid credits.
- Detect abuse, prevent fraud, and enforce our Acceptable Use policy.
- Send transactional emails (account, security, billing) and, with your consent, product updates.
- Comply with legal obligations.
4. Sub-processors
We share the minimum necessary data with the following sub-processors:
| Sub-processor | Role |
|---|---|
| Supabase | Database, authentication |
| Vercel | Application hosting (EU / US edge) |
| Resend | Transactional email delivery |
| Cloudflare | DNS, private tunnel, email routing |
| Anthropic, Google, OpenAI | Downstream AI model providers (receive the content of your requests to generate responses) |
Additional sub-processors may be added as the Service evolves. Material changes will be communicated.
5. Retention
- Account data: retained for the lifetime of your account and for up to 90 days after deletion, then permanently removed.
- Usage events: retained for up to 13 months for billing, audit, and abuse detection. Aggregated, non-identifying statistics may be retained longer.
- Backups: may persist for up to 35 days beyond live deletion.
6. Your rights
Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise a right, contact privacy@alloneia.com. We will respond within 30 days.
7. Cookies and local storage
We use a minimum set of cookies and local storage items:
- Authentication session (Supabase Auth): required; without it you cannot sign in.
- Language preference (
NEXT_LOCALE): required for the multilingual interface.
We do not use third-party advertising or analytics cookies on the marketing site.
8. International transfers
Your data may be processed in jurisdictions outside your country of residence, including the United States. Where required, we rely on standard contractual clauses and other lawful transfer mechanisms.
9. Security
We encrypt data in transit (TLS 1.2+) and at rest. API keys are never stored in cleartext. Access to production systems is limited to authorised personnel and logged. No system is ever perfectly secure; notify us of suspected vulnerabilities at security@alloneia.com.
10. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.
11. Changes
We may update this Policy. Material changes will be communicated by email or via the dashboard.
12. Contact
Questions about this Policy or our data practices: privacy@alloneia.com.