1. Identity of the Controller
NemoRouter (nemorouter.ai) is a product of CloudAct Inc. (“we”, “us”, “our”). We operate the NemoRouter platform at nemorouter.ai. We act as the Data Controller for account, billing, and operational data, and as a Data Processor for LLM request content submitted through our API.
CloudAct Inc.
100 S Murphy Ave
STE 200 PMB4013
Sunnyvale, CA 94086
United States
Phone: +1 (850) 988-7471
For privacy inquiries, contact our Data Protection Officer at privacy@nemorouter.ai.
2. Data We Collect
Account Data (Controller)
- Identity: email address, full name, avatar URL
- Signup metadata: phone number, country code
- Organization: organization name, slug, type (individual/organization)
- Billing: Stripe customer ID, subscription ID, plan tier, platform fee percentage
- Financial: credit amounts, transaction types, timestamps (no payment card data stored — Stripe handles PCI)
- Invitations: invitee email, inviter reference, expiration
LLM Request Data (Processor)
- Request content: prompts and completions sent through our API
- Request metadata: model, token counts, cost, latency, timestamps
- Guardrail logs: evaluation results, redacted content snippets
- Prompt logs: template usage, variant selection for A/B tests
Data We Do NOT Collect
- Payment card numbers (Stripe tokenization only)
- Provider API keys (we manage all provider keys; users never supply them)
- Browser analytics or third-party tracking scripts (no GA, Mixpanel, etc.)
3. Legal Basis for Processing
| Data Category | Legal Basis | GDPR Article |
|---|---|---|
| Identity & account | Performance of contract | Art. 6(1)(b) |
| Billing & financial | Performance of contract | Art. 6(1)(b) |
| Credit transactions | Legal obligation (tax/audit) | Art. 6(1)(c) |
| LLM request content | Performance of contract (DPA) | Art. 6(1)(b) / Art. 28 |
| Signup phone/country | Consent | Art. 6(1)(a) |
| Team invitations | Legitimate interest | Art. 6(1)(f) |
| Guardrail/prompt logs | Legitimate interest (security) | Art. 6(1)(f) |
4. How We Use Your Data
- Authenticate and authorize access to your organization
- Route LLM requests to providers and track usage costs
- Enforce guardrails (PII redaction, content filtering, prompt injection detection)
- Process payments and manage credit balances via Stripe
- Send transactional emails (verification, key creation, team invites)
- Provide analytics dashboards showing your organization's usage
- Maintain audit logs for security and compliance (SOC 2 Type II)
We do not use your LLM request content to train models, serve advertisements, or share with third parties beyond the sub-processors listed below.
5. Data Sharing & Sub-Processors
| Sub-Processor | Data Shared | Location | Purpose |
|---|---|---|---|
| Supabase | All account/org data | US (Oregon) | Database & authentication |
| Stripe | Email, org UUID, amounts | US | Payment processing |
| OpenAI | Prompts & completions | US | LLM inference |
| Anthropic | Prompts & completions | US | LLM inference |
| Google (Vertex AI) | Prompts & completions | US/EU | LLM inference |
| SendGrid | Email addresses | US | Transactional email |
We maintain Data Processing Agreements (DPAs) with each sub-processor. The current sub-processor register is available upon request at privacy@nemorouter.ai.
6. International Data Transfers
Our infrastructure is hosted in the US (AWS us-west-2 via Supabase). For transfers of personal data from the EEA/UK to the US, we rely on:
- The EU-US Data Privacy Framework (DPF) for certified sub-processors
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914)
- Supplementary technical measures including encryption in transit (TLS 1.2+) and at rest
EU data residency options (Frankfurt, Stockholm) are available for organizations that require data to remain within the EEA. Contact sales@nemorouter.ai to discuss regional deployment.
7. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Until account deletion + 30-day grace | Contract |
| Guardrail & prompt logs | 90 days (auto-purged daily) | Legitimate interest |
| Credit transactions | 7 years | Legal obligation (tax) |
| LLM request content | 90 days (configurable per-org data policy) | Contract / DPA |
| LLM request metadata (cost, tokens) | Duration of account | Contract |
| Invitations | 30 days after expiration (auto-purged) | Legitimate interest |
| Inactive accounts | Anonymized after 2 years of inactivity | Storage limitation |
Organizations can configure their data policy (zero logging, metadata only, full logging, or PII-redacted logging) from the organization settings page.
8. Your Rights Under GDPR
If you are located in the EEA/UK, you have the following rights under the General Data Protection Regulation:
- Right of access (Art. 15): Request a copy of all personal data we hold about you. Available via Organization Settings > Privacy > Download My Data or by emailing privacy@nemorouter.ai.
- Right to rectification (Art. 16): Update your name, email, or other account details from your profile settings.
- Right to erasure (Art. 17): Request deletion of your account and all associated data. Available via Organization Settings > Danger Zone > Delete Organization. A 30-day grace period applies before permanent deletion.
- Right to data portability (Art. 20): Export your data in a structured, machine-readable format (JSON). Available via the data access endpoint.
- Right to restrict processing (Art. 18): Request that we limit how we process your data while a dispute is resolved.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to lodge a complaint: You may file a complaint with your local supervisory authority (e.g., the Irish Data Protection Commission for EU-wide complaints).
We will respond to all data subject requests within 30 days. Requests can be submitted via email to privacy@nemorouter.ai or through the self-service options in your dashboard.
9. Consent & Withdrawal
Where we process data based on consent (e.g., optional phone number, marketing communications), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
To withdraw consent, visit Organization Settings > Privacy or email privacy@nemorouter.ai.
10. Cookies & Tracking
NemoRouter uses only strictly necessary cookies for authentication and session management (Supabase auth tokens). We do not use:
- Analytics cookies (no Google Analytics, Mixpanel, Amplitude, etc.)
- Advertising or remarketing cookies
- Third-party tracking pixels
- Social media tracking scripts
Because we use only strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive.
11. Children's Privacy
NemoRouter is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.
12. Security Measures
We implement technical and organizational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.2+ / HSTS) and at rest (AES-256)
- Row-Level Security (RLS) on all database tables for tenant isolation
- JWT-based authentication with Supabase Auth
- API key hashing (SHA-256) — full keys shown once at creation, never stored in plaintext
- Content Security Policy (CSP) and X-Frame-Options headers
- SOC 2 Type II annual audit
- PII redaction guardrails (Presidio integration) for LLM request content
- Advisory locks for atomic credit operations (no race conditions)
13. Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Art. 33)
- We will notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Art. 34)
- Notifications will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed
Our incident response team can be reached at security@nemorouter.ai.
14. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email and/or a prominent notice on the platform at least 30 daysbefore they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
Continued use of NemoRouter after the effective date of an updated policy constitutes acceptance of the changes. If you do not agree, you may delete your account before the changes take effect.
15. Contact & DPO
CloudAct Inc.
100 S Murphy Ave
STE 200 PMB4013
Sunnyvale, CA 94086
United States
Phone: +1 (850) 988-7471
Data Protection Officer
Email: privacy@nemorouter.ai
Security Team
Email: security@nemorouter.ai
General Support
Email: support@nemorouter.ai
Data Processing Agreement (DPA)
A pre-signed DPA is available for organizations that require one under GDPR Art. 28. Request a copy at legal@nemorouter.ai or download from nemorouter.ai/legal/dpa.