Privacy Policy
1. Definitions
In this Privacy Policy, unless the context requires otherwise, the following terms shall have the meanings set out below:
- "Company", "we", "us", "our" refers to IonArc LLC and its subsidiaries, including the related AugeoConflux and TalosAura services.
- "Services" refers collectively to our websites (ionarc.net, augeoconflux.com, talosaura.com), application programming interfaces ("APIs"), software products, and any other services provided by the Company.
- "Inference Data" refers to the content of prompts (input tokens), completions (output tokens), and generated media submitted to or produced by our models through the Services.
- "Usage Metadata" refers to non-content technical and operational data generated in connection with API requests, including but not limited to token counts, model identifiers, timestamps, latency measurements, and HTTP status codes.
- "Personal Data" has the meaning ascribed to it under applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the California Consumer Privacy Act ("CCPA"), as amended.
- "Downstream Platform" refers to any third-party service, including but not limited to OpenRouter, that routes API requests to the Company's infrastructure on behalf of end users.
2. Scope & Applicability
This Privacy Policy applies to all persons and entities ("you", "your") that access or use the Services, whether directly or through a Downstream Platform. It governs the collection, processing, storage, and disclosure of Personal Data and other information by the Company in connection with the Services.
Where the Company acts as a data processor on behalf of a Downstream Platform, the terms of the applicable data processing agreement between the Company and that platform shall govern the processing relationship. This policy describes the Company's own data handling practices and commitments regardless of the routing path by which requests reach our infrastructure.
By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy. If you do not agree, you must discontinue use of the Services.
3. Inference Data Processing
This section sets forth the Company's commitments with respect to the handling of Inference Data transmitted through its APIs, including requests originating from Downstream Platforms.
The Company does not persistently store Inference Data. Prompts, completions, and generated media are processed transiently in volatile memory for the sole purpose of fulfilling the inference request. No Inference Data is written to persistent storage, logged, cached beyond the lifetime of the request, or retained in any form following the completion of the response stream.
3.1 Prohibition on Training Use
The Company does not use Inference Data — in whole or in part — to train, fine-tune, distil, or otherwise improve any machine learning model. This prohibition applies irrespective of the source or routing path of the request.
3.2 No Content Logging
The Company does not log, record, or persist the textual, visual, or other content of API request or response payloads. No system within the Company's infrastructure writes Inference Data to disk, object storage, database, message queue, or any other durable medium.
3.3 Transient Processing Lifecycle
Inference Data exists exclusively in volatile memory (RAM/VRAM) for the minimum duration necessary to process the request and transmit the response. Upon completion of the response — or upon premature termination of the connection by the client — all Inference Data associated with that request is released from memory through standard memory management processes. There is no deferred write, background archival, or asynchronous replication of Inference Data.
3.4 Usage Metadata
Notwithstanding the foregoing, the Company does collect and retain Usage Metadata in connection with each API request. This metadata is necessary for billing, rate enforcement, capacity planning, and abuse detection, and includes:
- Token counts (input tokens, output tokens, and, where applicable, cached tokens)
- Model identifier and sampling parameters
- Request and response timestamps, latency measurements
- HTTP status codes and error classifications
- A cryptographic hash of the API key used to authenticate the request
- Originating IP address (subject to the retention schedule in Section 8)
Usage Metadata does not include the content of prompts, completions, or generated media.
3.5 Data Handling Summary
| Data Category | Persisted | Used for Model Training | Retention Period |
|---|---|---|---|
| Prompts (input tokens) | No | No | None — transient only |
| Completions (output tokens) | No | No | None — transient only |
| Generated media | No | No | None — transient only |
| Usage Metadata | Yes | No | Up to 12 months |
| Originating IP addresses | Yes | No | Up to 30 days |
4. Categories of Information Collected
In addition to the Usage Metadata described in Section 3.4, the Company may collect the following categories of information in connection with the Services:
4.1 Account & Registration Data
When you create an account or register for access to any Service, we collect identifying and contact information, which may include your name, email address, organisation name, and role or title. Where you establish a billing relationship with the Company, we additionally collect billing contact details and payment instrument information (processed and stored by our third-party payment processor; the Company does not store full payment card numbers or bank account details).
4.2 Automatically Collected Technical Data
When you access our websites or APIs, we automatically collect certain technical information, including browser type and version, operating system, device type, screen resolution, referring URL, pages or endpoints accessed, access timestamps, and approximate geographic location as derived from IP address. This data is collected through server logs and, where applicable, analytics technologies.
4.3 Communications
When you communicate with us via email, contact forms, or other channels, we collect and retain the content and metadata of those communications for the purpose of responding to your enquiry and maintaining records of our correspondence.
4.4 Information from Downstream Platforms
Where API requests are routed through a Downstream Platform, the Company may receive certain information transmitted by that platform in connection with the request, including authentication credentials, routing metadata, and Usage Metadata. The Company does not receive or access end-user account information held by the Downstream Platform unless explicitly provided in the API request headers.
5. Purposes of Processing
The Company processes Personal Data and other information for the following purposes:
- Provision, operation, and maintenance of the Services, including inference processing, API delivery, and software functionality;
- Billing, invoicing, and financial reconciliation;
- Authentication, access control, and enforcement of rate limits and usage quotas;
- Detection, investigation, and prevention of fraud, abuse, and violations of our terms of service;
- Monitoring of system performance, uptime, and service reliability;
- Responding to support requests, enquiries, and communications;
- Compliance with applicable legal, regulatory, and tax obligations;
- Enforcement of our legal rights, including the defence of claims.
The Company does not process Personal Data for the purpose of direct marketing, behavioural advertising, or sale to third parties.
6. Legal Bases for Processing
Where the GDPR or equivalent legislation applies, the Company relies on the following legal bases for the processing of Personal Data:
- Performance of a contract (Art. 6(1)(b) GDPR): processing necessary to provide the Services you have requested, including inference processing, account management, and billing.
- Legitimate interests (Art. 6(1)(f) GDPR): processing necessary for the Company's legitimate interests in maintaining the security and integrity of its systems, preventing abuse, improving service reliability, and conducting internal analytics, provided that such interests are not overridden by your fundamental rights and freedoms.
- Legal obligation (Art. 6(1)(c) GDPR): processing necessary for compliance with applicable legal or regulatory obligations, including tax reporting and law enforcement cooperation.
- Consent (Art. 6(1)(a) GDPR): where specifically indicated at the point of collection, and subject to your right to withdraw consent at any time without affecting the lawfulness of prior processing.
7. Disclosure to Third Parties
The Company may disclose information to third parties in the following limited circumstances:
- Service providers and sub-processors: the Company engages third-party service providers for payment processing, infrastructure hosting, and analytics. Such providers process data solely on the Company's behalf and are bound by contractual obligations to maintain confidentiality and implement appropriate security measures.
- Legal compulsion: where required to do so by applicable law, regulation, court order, subpoena, or binding order of a governmental or regulatory authority.
- Protection of rights and safety: where the Company reasonably believes disclosure is necessary to protect its rights, property, or safety, or the rights, property, or safety of its users or the public.
- Corporate transactions: in connection with a proposed or completed merger, acquisition, reorganisation, asset sale, or similar corporate transaction, in which case affected data subjects will be notified as required by applicable law.
The Company does not and cannot disclose Inference Data to any third party, as it does not retain such data.
The Company does not sell Personal Data within the meaning of the CCPA or equivalent legislation.
8. Data Retention & Deletion
The Company retains Personal Data and other information only for so long as is reasonably necessary to fulfil the purposes for which it was collected, subject to the following specific retention periods:
- Inference Data: not retained. Processing is transient as described in Section 3.
- Account and registration data: retained for the duration of the account relationship and for a period of up to 12 months following account closure, unless a longer retention period is required by law.
- Billing and transaction records: retained for the period required by applicable tax, accounting, and financial reporting obligations.
- Usage Metadata: retained for up to 12 months from the date of the request.
- IP addresses associated with API requests: retained for no more than 30 days from the date of the request.
- Communications: retained for so long as reasonably necessary to resolve the matter and maintain records, and in any event no longer than 24 months following the last communication.
Upon expiry of the applicable retention period, data is deleted or irreversibly anonymised in accordance with the Company's internal data lifecycle procedures.
9. Technical & Organisational Measures
The Company implements and maintains technical and organisational security measures appropriate to the nature, scope, and purposes of the processing, including:
- Encryption of all data in transit using TLS 1.2 or higher;
- Cryptographic hashing of API keys at rest; API keys are never stored in plaintext;
- Role-based access controls and the principle of least privilege for internal systems;
- Network segmentation and perimeter controls on infrastructure;
- Regular security assessments and vulnerability remediation;
- Documented incident response procedures.
No method of electronic transmission or storage is completely secure. While the Company takes commercially reasonable steps to protect information, it cannot guarantee and does not warrant absolute security.
10. International Data Transfers
The Company's inference infrastructure is located in the jurisdictions disclosed in its API documentation and provider listings. Where you access the Services from a jurisdiction other than the one in which infrastructure is located, your information — including Personal Data — may be transferred to, stored in, and processed in that jurisdiction.
Where such transfers involve Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland, the Company ensures that adequate safeguards are in place, which may include Standard Contractual Clauses approved by the European Commission, an adequacy determination, or other mechanisms recognised under applicable data protection law.
11. Data Subject Rights
Subject to applicable law and the exceptions and limitations set forth therein, you may have the following rights in relation to your Personal Data:
- Right of access: the right to obtain confirmation as to whether the Company processes your Personal Data, and to obtain a copy of such data.
- Right to rectification: the right to request correction of inaccurate or incomplete Personal Data.
- Right to erasure: the right to request deletion of your Personal Data, subject to applicable legal retention obligations.
- Right to restriction: the right to request that the Company restrict processing of your Personal Data in certain circumstances.
- Right to data portability: the right to receive your Personal Data in a structured, commonly used, and machine-readable format.
- Right to object: the right to object to processing based on legitimate interests, including profiling.
- Right to withdraw consent: where processing is based on consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, please submit a written request to [email protected]. The Company will respond within 30 days, or within such other period as required by applicable law. The Company may request verification of your identity before processing a request.
Please note that the Company is unable to provide copies of Inference Data in response to access requests, as it does not retain such data (see Section 3).
If you believe that the Company's processing of your Personal Data violates applicable data protection law, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.
12. Restrictions Regarding Minors
The Services are not directed at, and are not intended for use by, individuals under the age of eighteen (18). The Company does not knowingly collect, solicit, or process Personal Data from minors. If the Company becomes aware that it has collected Personal Data from an individual under the age of 18 without verified parental or guardian consent, it will take reasonable steps to delete such data promptly. If you believe that a minor has provided Personal Data to the Company, please contact us at [email protected].
13. Amendments to This Policy
The Company reserves the right to modify or update this Privacy Policy at any time. Material changes may be indicated by updating the "Last revised" date at the top of this document and, where appropriate, by providing notice through the Services or by email to registered account holders.
Your continued use of the Services following the posting of a revised Privacy Policy constitutes your acknowledgement of and agreement to the revised terms. If you do not agree to a revised policy, you must discontinue use of the Services.
14. Contact & Data Protection Enquiries
For questions, concerns, or requests relating to this Privacy Policy or the Company's data protection practices, please contact:
IonArc — Data Protection
Email: [email protected]
For general corporate, partnership, or press enquiries, see ionarc.net — Contact.