Legal · Data map & record of processing

Exactly what we hold.

CloakAPI is a blind token relay: on the standard client-side paths, personal data in your AI prompts and responses is tokenised on your device before it reaches us, and the gateway never sees it in the clear. So the honest answer to “what do you hold about me?” is a small, mostly-non-sensitive footprint — account and auth, billing and wallet, token-count metering, receipt metadata (hashes, not content), hashed or short-lived logs, and org/partner records. This page maps every category, and doubles as our GDPR Article 30 record of processing.

Controller: CloakAPI AS, Org no. 933 720 411 (Norway) · DPO: dpo@cloakapi.io · Derived from code (retention windows are enforced by scheduled jobs)

The one-line summary

We are not a data processor for your AI prompt or response content. On the standard client-side paths that content is tokenised before it reaches us and we never hold it in the clear. Zero-payload logging is enforced in code — the structured logger throws before it can write a prompt, message, body or content field. The only content-adjacent state we hold is transient and either client-encrypted or tokenised, auto-purged within 30 days (multi-turn maps) or hourly (buffers).

Legend. no personal data counts / config / crypto material. pseudonymous hashed or opaque reference, re-identifiable only with information held separately. personal data identifies or relates to a person.

1. Account, identity & authentication

CategoryWhat it isWhyRetentionClass
User accountName, email, password hash, company, country codeAccount, login, invoicing identityAccount lifetime; anonymised on erasurepersonal
Password reset tokensEmail + tokenPassword resetShort-lived; deleted on erasurepersonal
SessionsUser id, IP, user-agent, last activityWeb sessionSession lifetime; deleted on erasurepersonal
Dashboard / API tokensHashed personal-access tokensPortal authRevoked after 30 days idle; deleted on erasurepseudonymous
API keysKey hash only (never plaintext), prefix, permissions, rate limits, allow-listsAuthenticate API callsKey lifetime; deleted on erasurepseudonymous
SSO / SCIMSAML/OIDC configs, sessions, provisioning tokensEnterprise SSO/provisioningSession-lived; deleted on erasurepseudonymous
Onboarding & consent stateOnboarding fields, ToS/legal acceptance, privacy tier, localeOnboarding, consent proofAccount lifetimepersonal

2. Billing, wallet & financial (legal-hold class)

CategoryWhat it isWhyRetentionClass
Prepaid walletBalance, billing modelPrepaid balanceAccount lifetimepseudonymous
Prepaid transactions & credits ledgerAmounts, type, Stripe payment ids, balance-after (no payload content)Wallet ledger, credit accountingLegal-hold (retained on erasure)pseudonymous
InvoicesInvoice rows + evidence summary + number sequencesStatutory invoicing7 years; pseudonymised via email tombstone on erasurepseudonymous
Payment methodsCard fingerprint / Stripe payment-method refsCharge walletDeleted on erasure. We do not hold the card number (PAN) — Stripe is the PCI cardholder-data processorpersonal
Billing events / periodsBilling lifecycle eventsBilling reconciliationLegal-holdpseudonymous
Stripe linkageStripe customer idPayment processor linkAccount lifetimepseudonymous

3. Metering — token counts (never content)

CategoryWhat it isWhyRetentionClass
Usage recordsUser/key/provider/model ids, request UUID, input/output token counts, cost, response time. No prompt or response content.Metering + billing90 days, then prunedno personal data

4. Receipts — cryptographic metadata (hashes, not content)

CategoryWhat it isWhyRetentionClass
Signed receiptsCapability, provider, model, token counts, chain id, prev-hash, content_hash (hex of canonical bytes — not content), signed envelope (ECDSA-P256)Tamper-evident audit / OpenReceipt7 years; legal-hold (chain integrity), pseudonymisedpseudonymous
Receipt chains, manifests, keys, local receiptsPer-tenant hash-chain links; ECDSA signing keysChain verification / signingLegal-hold (integrity)no personal data
Erasure receiptsOpaque request id, SHA-256 of the erased user id, counts/booleans, signed envelope. Never stores plaintext PII.Article 17 deletion proof7 years (accountability + audit trail)pseudonymous

5. IP, request & audit logs (hashed or short-lived)

CategoryWhat it isWhyRetentionClass
Application / structured logsStructured JSON. Zero-payload enforced — the logger throws before writing any body / payload / content / prompt / message field.Observability30 days (14 days for the legacy application log)no personal data
Audit logsUser id, action, resource, IP address (plaintext), user-agent, result. Hash-chained + anchored.Security / compliance audit trailPer category: auth / billing / security / privacy / default 7 years (tamper-evident archive); ops 90 days. Meta scrubbed + redacted on erasure, chain preserved.personal
Rate-limit / signup-risk IP useIP used transiently for rate-limit key + signup risk; signup stores a salted SHA-256 hash, never plaintextAbuse preventionCache TTL / hashedpseudonymous
Marketing / campaign analyticsip_hash (salted SHA-256 — never plaintext IP), UA family/OS, UTM; outreach targets (email), suppression hashesCold-outreach + attributionEmail deleted / anonymised on erasure; suppression hashes retained as a lawful-basis recordpersonal (target email); IP hashed

6. Org, partner & tenant data

CategoryWhat it isWhyRetentionClass
Organisations & membershipOrg name/slug/plan/settings; members, role assignments, invitations (email), permissionsMulti-tenant / team accessOrg lifetime; self-service deletion + grace; invitations deleted on erasurepersonal (invite emails)
Partner / resellerPartner accounts, sub-orgs, commission ledger, settlements, tax forms, agreement-signed IPPartner programmeCommission / settlement + tax = financial legal-hold classpersonal
Webhooks, devices, provider keysWebhook endpoints + secrets; device pairings; pooled + customer (BYOK) provider keysEvent delivery, pairing, upstream relayConfig / delivery lifetime; BYOK keys + devices deleted on erasurepseudonymous / secrets
Compliance / GRC configCompliance flags, pack assignments, breach notifications, BAA templates, GRC connector configsEnterprise compliance featuresFeature / config lifetimeno personal data / config

7. The two content-adjacent exceptions (in full)

We would rather over-disclose than let “we hold no content” read as an absolute it is not. Two gateway-side stores can touch content, and both are strictly transient with hard TTLs:

StoreWhat it holdsRetentionClass
Multi-turn tokenisation mapsToken↔value maps for multi-turn tokenisation. In client_held mode only an opaque client-encrypted ciphertext is stored. In the opt-in gateway_managed mode the value is stored AES-256-GCM encrypted (not in the clear at rest).30-day hard TTL, then purgedEncrypted (gateway-managed) / opaque (client-held)
Buffered responsesTokenised response text held for async retrieval — the gateway never sees decrypted PIIPurged hourly at expiry; deleted on erasureTokenised (no clear PII)

Neither is populated with clear PII on the standard pure-relay paths. The gateway_managed mode is opt-in only; unless you choose it, multi-turn maps stay client-encrypted and we cannot read them.

8. Public transparency log (hashes only)

The public transparency log stores a SHA-256 of the tenant id (never the tenant id in the clear), seed HMACs, and chain material. No personal data.

9. Retention schedule (enforced in code)

Data classRetentionBasis
Usage records (token counts) & raw request rows90 daysData minimisation + billing-dispute window
Application / structured logs30 days (14 days legacy log)Observability minimisation
Idle dashboard / API tokensRevoked after 30 days idleCredential hygiene
Multi-turn tokenisation maps30-day hard TTL, purgedTransient tokenisation only
Buffered responsesPurged hourly at expiryEphemeral
Audit logs — ops category90 days, hard-deleteTransient operations
Audit logs — auth / billing / security / privacy / default7 years, tamper-evident archiveSecurity / financial accountability
Invoices & financial records7 years, pseudonymised on erasureStatutory invoicing + legal-hold
Prepaid txns / credits / billing eventsLegal-hold (retained on erasure)Financial records
Receipts + chains + keys + local receiptsLegal-hold (retained on erasure)Chain integrity / audit
Signed erasure receipts7 yearsGDPR Art. 5 accountability + audit trail
Account (user row)Account lifetime → anonymised on erasureService provision

10. Your rights — export & erasure

You can export everything we hold about you (Article 15) or have it erased (Article 17) — registered users can do both self-service, verified out-of-band. Erasure completes within the 30-day statutory window and produces a cryptographically signed, independently-verifiable deletion receipt. Financial and audit records are retained under legal-hold (7 years) in pseudonymised form; everything else is deleted or anonymised. See how to exercise your rights.

11. GDPR Article 30 — record of processing activities

This section is CloakAPI's Article 30 record for the processing it carries out as a controller of the operational data above. (For customer AI content, CloakAPI is not a processor on the standard paths — that content is tokenised client-side and never reaches us in the clear.)

Art. 30 elementRecord
ControllerCloakAPI AS, Org no. 933 720 411, Norway
Data protection contactdpo@cloakapi.io
Purposes of processingProviding the AI gateway under contract; authentication and account management; metering and billing; issuing statutory invoices; tamper-evident audit and receipts; security incident response and abuse prevention; consent-based marketing; enterprise compliance features
Categories of data subjectsRegistered users; organisation members; partners/resellers; outreach contacts
Categories of personal dataIdentity/contact (name, email, company); authentication material (hashes, tokens); billing/wallet records + Stripe refs + card fingerprint; token-count metering (no content); receipt and audit metadata (hashes); IP addresses (plaintext in the security audit trail, hashed elsewhere); org/partner records incl. signed-agreement IP and tax identity. No special-category data is required; AI prompt/response content is tokenised client-side and out of scope on the standard paths.
Categories of recipientsSub-processors on the published list (payment processor Stripe; hosting; email; GRC evidence tools). See sub-processors.
Third-country transfersGateway hosted in Hetzner Nuremberg (EU). AI providers act as sub-processors only when a user routes traffic to them; transfers covered by EU SCCs (2021/914 Module 2) + UK IDTA, with tokenisation as a supplementary measure. See EU regulatory applicability.
Retention periodsAs per the retention schedule in section 9.
Technical & organisational measuresClient-side tokenisation before the gateway; code-enforced zero-payload logging; hashed/short-lived IP handling; encryption at rest for the opt-in gateway-managed map; hash-chained tamper-evident audit logs and receipts (ECDSA-P256); Sanctum-authenticated portal; per-category retention with scheduled prune jobs; signed erasure receipts. Full detail in the security overview.

Related documents