Privacy Policy

Last updated: May 1, 2026

1. Who We Are

CloakAPI ("we", "us", "our") operates a privacy-first AI API gateway. Our service routes your AI requests to third-party providers (Anthropic, OpenAI, xAI) while ensuring that personally identifiable information (PII) never reaches our infrastructure in unencrypted form.

2. What Data We Collect

  • Account data: name, email address, company name (optional), country code (optional)
  • Billing data: transaction amounts, Stripe customer ID, prepaid balance — no card numbers stored by us
  • Usage metadata: token counts, model names, provider slugs, response times, request IDs — no request or response content
  • API key data: SHA-256 hashes only — plaintext keys are never stored
  • Device data: device names, X25519 public keys, last-seen timestamps for backup devices

3. What We Do Not Collect

CloakAPI does not log, store, or process the content of your AI requests or responses. Your prompt text, response text, and any PII tokenized by the desktop application are never written to our databases or logs.

4. GDPR Compliance

CloakAPI is designed to operate as a data processor gateway — not a data controller for AI request content. We process account and billing data under the following legal bases:

  • Contractual necessity: account management, billing, API key authentication
  • Legitimate interest: usage analytics for service improvement (aggregated, anonymised)
  • Legal obligation: fraud prevention, tax record-keeping

You have the right to access, correct, export, and delete your data. To exercise these rights, contact us at privacy@cloakapi.io.

5. Data Retention

Account data is retained until you delete your account. Usage records are retained for 12 months for billing and dispute purposes, then deleted. Buffered responses are automatically purged after 24 hours.

6. Third-Party Services

  • Stripe: payment processing — subject to Stripe's Privacy Policy
  • AI Providers: Anthropic, OpenAI, xAI receive tokenized (PII-anonymised) request text only

7. Security

All data is transmitted over TLS 1.3. API keys are stored as SHA-256 hashes only. Provider keys you add (BYOK) are encrypted at rest using AES-256. Buffered responses are encrypted and purged automatically.

8. Contact

For privacy enquiries: privacy@cloakapi.io