Legal

Privacy Policy

Effective date: March 19, 2026

OpenCredits ("we," "us," or "our") values your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and share information, as well as the choices available to you regarding your data.

This Privacy Policy applies to personal data we collect through written, electronic, and oral communications when you access our website and any related pages that link to this Privacy Policy (the "Site"), use applications or services that reference this Privacy Policy, or otherwise use or interact with our services (the "Service").

Before using our Site or Service, please review our Terms of Service together with this Privacy Policy. By accessing or using the Site or Service, you agree to the collection and use of your information as described in this Privacy Policy. If you do not agree with any part of this Privacy Policy or our Terms of Service, you should not use the Site or Service.

We may update this Privacy Policy from time to time. Any changes will apply to both the information we already hold about you and any new information collected after the revised version becomes effective. When we make changes, we will post the revised Privacy Policy on the Site and update the effective date shown above.

If you have provided us with an email address, we may notify you of significant changes to this Privacy Policy. You are responsible for keeping your contact information accurate and up to date. Your continued use of the Site or Service after any updates take effect constitutes your acceptance of the revised Privacy Policy.

We may also provide additional notices or explanations within the Service about specific data practices. Those notices may supplement this Privacy Policy or provide you with additional choices regarding how your information is collected, used, or shared.

1. Information We Collect

We collect information you provide directly to us, information collected automatically when you use the Site or Service, and certain information received from third-party service providers in connection with your use of the Service.

1.1 Information You Provide

• Email address: We collect your email address when you purchase Credits through Stripe checkout, sign in, request verification codes or login links, or otherwise communicate with us.
• Payment information: Payment card details, billing information, and other payment credentials are collected and processed directly by Stripe. OpenCredits does not store your full payment card details. We may receive limited transaction information from Stripe, such as your email address, transaction amount, currency, and payment status.

1.2 Information Collected Automatically

• Usage metadata: For each AI request, we may log metadata such as the model used, token counts (including input, output, cached, and reasoning tokens), provider cost, credits deducted, partner commission, request duration, streaming status, and a unique request ID.
• Browser and device information: When you access the dashboard, checkout, or related pages, we may collect technical information such as your browser type, user agent string, and similar device or session data.
• IP address and network information: Your IP address and related network information may be processed by our hosting and security infrastructure, including Cloudflare, for routing, fraud prevention, abuse detection, and security purposes.

1.3 Information We Do NOT Collect

OpenCredits does not store the content of your prompts, messages, or AI-generated outputs. However, we may log request metadata, including the model used, token counts, cost, and request duration, for purposes such as billing, service operation, analytics, fraud prevention, and debugging.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and operate the Service: To process Credit purchases, authenticate API requests, route requests to third-party AI providers, deduct Credits, and otherwise provide the functionality of the Site and Service.
• Manage accounts and access: To create and maintain accounts, send verification codes or login links, enable account recovery, manage sessions, and provide user support.
• Process transactions and maintain billing records: To confirm payments, maintain transaction records, calculate balances, reconcile billing, and administer partner-related commission tracking.
• Monitor usage and improve the Service: To analyze usage patterns, maintain performance, troubleshoot errors, improve reliability, develop new features, and better understand how the Service is used.
• Protect the Service and prevent abuse: To detect, investigate, and prevent fraud, unauthorized access, abuse, misuse, security incidents, and violations of our Terms of Service or applicable provider policies.
• Communicate with you: To send transactional or service-related communications, including purchase confirmations, verification messages, support responses, account notices, and updates relating to the Service. We do not send marketing emails unless we separately obtain any consent required by applicable law.
• Comply with legal obligations and enforce our rights: To comply with applicable laws, regulations, legal process, and law enforcement requests, and to establish, exercise, or defend legal claims.
• Use aggregated or de-identified information: We may aggregate, anonymize, or de-identify usage information and request metadata to better understand how the Service is used, improve and develop the Service, monitor performance, prevent abuse, and generate analytics or reporting that does not reasonably identify individual users.

3. Information Shared with Third Parties

We share information with third-party service providers only as reasonably necessary to operate the Site and Service, process transactions, route AI requests, communicate with users, and maintain our infrastructure.

For payment processing and checkout, we share limited information with Stripe, including your email address, transaction amount, currency, and partner ID as metadata. Stripe processes payment information directly in accordance with its own terms and privacy practices.

To generate AI responses to your requests, we share relevant request data with AI model providers, including Anthropic, OpenAI, Google, xAI, and others. This may include message content, model selection, inference parameters, and tool definitions to the extent necessary for the provider to process the request and return an output.

To send verification codes and email verification links, we share your email address with Resend or other email delivery providers we may use from time to time.

We also rely on Cloudflare as part of our hosting and infrastructure stack. Cloudflare may process operational data in connection with hosting, database storage, caching, routing, security, and content delivery.

3.1 Information We Do Not Send to AI Providers

When we forward your AI requests to model providers, we do not include:

• Your email address or user ID
• Your API key or authentication credentials
• Your payment information
• Partner metadata or commission details

Although OpenCredits may sanitize or normalize supported request fields before forwarding a request, the content of your prompts, messages, and other submitted inputs may be transmitted to the relevant provider for processing and response generation. Only the fields required for the AI model to generate a response are sent, such as messages, model selection, inference parameters, and tool definitions.

3.2 Third-Party AI Provider Data Practices

The Service routes AI requests to third-party model providers, including Anthropic, OpenAI, Google, and others, through OpenCredits' upstream routing infrastructure. OpenCredits does not create, control, or guarantee the availability, accuracy, completeness, legality, or appropriateness of any AI model, output, or related service provided by a third-party provider. Your use of third-party AI models through the Service may also be subject to the applicable provider's terms of service, usage policies, and privacy practices. We encourage you to review the policies of the providers whose models you use.

4. Partner Applications

When you access or use OpenCredits through a partner application, that partner may collect, use, or disclose your information under its own privacy policy and practices. OpenCredits is responsible only for the personal data that we collect and process as described in this Privacy Policy. We encourage you to review the privacy policy of any partner application you use, as OpenCredits does not control the partner's handling of your information.

OpenCredits may provide partners with limited information relating to use of their application, such as aggregated usage data, referral or commission tracking information, and operational reporting. Partners do not receive your email address, payment information, or credit balance held by OpenCredits unless otherwise disclosed to you or required by applicable law.

5. Data Storage and Security

OpenCredits stores data using Cloudflare's infrastructure. User accounts, partner configurations, API keys, transactions, and usage logs are stored in Cloudflare D1. API keys are stored as SHA-256 hashes and not in plaintext. Cloudflare KV is used for temporary caches, including model pricing data, API key lookups, and verification codes, and that information is automatically deleted after its applicable time-to-live expires. Per-user credit balances are maintained in Cloudflare Durable Objects with atomic consistency guarantees.

We use reasonable administrative, technical, and organizational safeguards designed to protect your information. For example, API keys and related secrets are stored as SHA-256 hashes, Stripe webhook signatures are verified using HMAC-SHA256, verification codes are single-use and expire after 5 minutes, email verification magic links are signed using HMAC-SHA256 and expire after 24 hours, timing-safe string comparison is used for secret validation, rate limiting is applied to login and verification attempts, and data at rest is encrypted by Cloudflare.

You are also responsible for helping to protect your information. You should keep your password, login links, API keys, and any other credentials confidential, use appropriate security precautions when accessing the Service, and notify us promptly if you believe your account or credentials have been compromised.

Although we take steps designed to safeguard personal data and maintain the security of the Service, no method of transmission over the internet, electronic storage system, or security control is completely secure or error-free. For that reason, we cannot guarantee absolute security, and you use the Site and Service with that understanding.

6. Cookies and Tracking

OpenCredits does not use cookies in connection with its API. Certain parts of the Site, including the dashboard and checkout pages, may use browser local storage or similar client-side technologies to maintain session state and support core functionality, such as authentication. OpenCredits does not use third-party advertising cookies, analytics cookies, or tracking scripts on the Site.

7. Data Retention

We retain personal data for as long as reasonably necessary to provide the Service, comply with our legal, accounting, regulatory, and operational obligations, resolve disputes, enforce our agreements, and protect our legitimate business interests.

• Account data (email, user ID): Retained for as long as your account exists.
• Transaction records: Retained for as long as necessary for financial record-keeping, compliance, and legitimate business purposes.
• Usage logs (request metadata): Retained for as long as necessary for billing reconciliation, usage history, compliance, and legitimate business purposes.
• Temporary data (verification codes, cached keys): Automatically deleted after their time-to-live expires (5 minutes to 1 hour depending on type).
• AI request/response content: Not retained. OpenCredits does not store the content of your prompts, messages, or AI-generated outputs.

When personal data is no longer reasonably necessary for these purposes, we will delete, anonymize, or otherwise dispose of it in accordance with applicable law. In some cases, our service providers may retain or process certain information on our behalf for limited periods consistent with their services and legal obligations.

8. Your Rights

Depending on your jurisdiction and subject to applicable law, you may have certain rights regarding your personal data. These rights may include the right to know whether we process your personal data and to access the personal data we hold about you, to request that we correct inaccurate or incomplete personal data, to request deletion of your personal data subject to applicable legal and operational retention requirements, to request a copy of certain personal data in a structured, commonly used, and machine-readable format where required by applicable law, and to object to or request restriction of certain processing activities where permitted by applicable law.

To exercise any of these rights, you may contact us using the email address listed below. We may need to verify your identity before processing your request. We will respond within the timeframe required by applicable law. We may deny or limit a request where permitted by applicable law, including where we are unable to verify your identity or where an applicable exception applies.

9. Legal Bases for Processing (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, we process your personal data only where we have a valid legal basis to do so under applicable data protection law. Depending on the circumstances, the legal bases on which we rely may include the following:

• Contract performance: We process personal data where necessary to provide the Site or Service to you, including processing Credit purchases, managing accounts, authenticating access, routing AI requests, maintaining balances, and performing related customer support and operational functions.
• Legitimate interests: We process personal data where necessary for our legitimate interests, such as fraud prevention, abuse detection, security, service improvement, troubleshooting, analytics, and maintaining the reliability and integrity of the Service, provided that those interests are not overridden by your rights and freedoms.
• Legal obligations: We process personal data where necessary to comply with applicable legal or regulatory obligations, including obligations relating to financial record-keeping, tax, accounting, legal process, law enforcement requests, and compliance requirements.
• Consent: We process personal data based on your consent where consent is required or otherwise relied upon under applicable law, such as where you choose to receive certain communications. Where we rely on consent, you may withdraw it at any time, although doing so will not affect the lawfulness of processing carried out before your withdrawal.

10. International Data Transfers

Your personal data may be processed, stored, or accessed in countries other than your country of residence, including through OpenCredits' use of Cloudflare and other service providers with global operations. These countries may have data protection laws that differ from those of your jurisdiction, including in some cases countries outside the European Economic Area and the United Kingdom.

Where required by applicable law, OpenCredits will use appropriate safeguards or lawful transfer mechanisms for cross-border transfers of personal data. These mechanisms may include adequacy decisions recognized by relevant authorities, standard contractual clauses, or other lawful means of transfer recognized under applicable law. By using the Site or Service, you understand that your personal data may be transferred to and processed in countries outside your country of residence, subject to applicable law.

11. Age Requirements

The Site and Service are not directed to individuals under 16 years of age, and we do not knowingly collect personal data from individuals under 16. By using the Site or Service, you represent and warrant that you are at least 16 years old and, if you are under 18, that your parent or legal guardian has granted you permission to use the Site and Service. If you do not satisfy these requirements, you must not access or use the Site or Service.

If you believe that a person under 16 has provided personal data to OpenCredits, please contact us using the information provided below so that we can investigate and, where appropriate, delete the relevant information in accordance with applicable law.

12. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of Portugal, without regard to its conflict of laws principles, except to the extent that applicable privacy or data protection laws require otherwise. Where local privacy laws provide additional rights or protections, those rights and protections will apply in addition to this Privacy Policy to the extent required by applicable law.

13. Contact

If you have any questions about this Privacy Policy, would like to exercise your privacy or data protection rights, or wish to contact us regarding our handling of personal data, you may contact OpenCredits at:

Email: privacy@opencredits.ai