CloakAPI is a blind token relay: on the standard client-side paths, personal data in your AI prompts and responses is tokenised on your device before it reaches us, and the gateway never sees it in the clear. So the honest answer to “what do you hold about me?” is a small, mostly-non-sensitive footprint — account and auth, billing and wallet, token-count metering, receipt metadata (hashes, not content), hashed or short-lived logs, and org/partner records. This page maps every category, and doubles as our GDPR Article 30 record of processing.
We are not a data processor for your AI prompt or response content. On the standard client-side paths that content is tokenised before it reaches us and we never hold it in the clear. Zero-payload logging is enforced in code — the structured logger throws before it can write a prompt, message, body or content field. The only content-adjacent state we hold is transient and either client-encrypted or tokenised, auto-purged within 30 days (multi-turn maps) or hourly (buffers).
Legend. no personal data counts / config / crypto material. pseudonymous hashed or opaque reference, re-identifiable only with information held separately. personal data identifies or relates to a person.
| Category | What it is | Why | Retention | Class |
|---|---|---|---|---|
| User account | Name, email, password hash, company, country code | Account, login, invoicing identity | Account lifetime; anonymised on erasure | personal |
| Password reset tokens | Email + token | Password reset | Short-lived; deleted on erasure | personal |
| Sessions | User id, IP, user-agent, last activity | Web session | Session lifetime; deleted on erasure | personal |
| Dashboard / API tokens | Hashed personal-access tokens | Portal auth | Revoked after 30 days idle; deleted on erasure | pseudonymous |
| API keys | Key hash only (never plaintext), prefix, permissions, rate limits, allow-lists | Authenticate API calls | Key lifetime; deleted on erasure | pseudonymous |
| SSO / SCIM | SAML/OIDC configs, sessions, provisioning tokens | Enterprise SSO/provisioning | Session-lived; deleted on erasure | pseudonymous |
| Onboarding & consent state | Onboarding fields, ToS/legal acceptance, privacy tier, locale | Onboarding, consent proof | Account lifetime | personal |
| Category | What it is | Why | Retention | Class |
|---|---|---|---|---|
| Prepaid wallet | Balance, billing model | Prepaid balance | Account lifetime | pseudonymous |
| Prepaid transactions & credits ledger | Amounts, type, Stripe payment ids, balance-after (no payload content) | Wallet ledger, credit accounting | Legal-hold (retained on erasure) | pseudonymous |
| Invoices | Invoice rows + evidence summary + number sequences | Statutory invoicing | 7 years; pseudonymised via email tombstone on erasure | pseudonymous |
| Payment methods | Card fingerprint / Stripe payment-method refs | Charge wallet | Deleted on erasure. We do not hold the card number (PAN) — Stripe is the PCI cardholder-data processor | personal |
| Billing events / periods | Billing lifecycle events | Billing reconciliation | Legal-hold | pseudonymous |
| Stripe linkage | Stripe customer id | Payment processor link | Account lifetime | pseudonymous |
| Category | What it is | Why | Retention | Class |
|---|---|---|---|---|
| Usage records | User/key/provider/model ids, request UUID, input/output token counts, cost, response time. No prompt or response content. | Metering + billing | 90 days, then pruned | no personal data |
| Category | What it is | Why | Retention | Class |
|---|---|---|---|---|
| Signed receipts | Capability, provider, model, token counts, chain id, prev-hash, content_hash (hex of canonical bytes — not content), signed envelope (ECDSA-P256) | Tamper-evident audit / OpenReceipt | 7 years; legal-hold (chain integrity), pseudonymised | pseudonymous |
| Receipt chains, manifests, keys, local receipts | Per-tenant hash-chain links; ECDSA signing keys | Chain verification / signing | Legal-hold (integrity) | no personal data |
| Erasure receipts | Opaque request id, SHA-256 of the erased user id, counts/booleans, signed envelope. Never stores plaintext PII. | Article 17 deletion proof | 7 years (accountability + audit trail) | pseudonymous |
| Category | What it is | Why | Retention | Class |
|---|---|---|---|---|
| Application / structured logs | Structured JSON. Zero-payload enforced — the logger throws before writing any body / payload / content / prompt / message field. | Observability | 30 days (14 days for the legacy application log) | no personal data |
| Audit logs | User id, action, resource, IP address (plaintext), user-agent, result. Hash-chained + anchored. | Security / compliance audit trail | Per category: auth / billing / security / privacy / default 7 years (tamper-evident archive); ops 90 days. Meta scrubbed + redacted on erasure, chain preserved. | personal |
| Rate-limit / signup-risk IP use | IP used transiently for rate-limit key + signup risk; signup stores a salted SHA-256 hash, never plaintext | Abuse prevention | Cache TTL / hashed | pseudonymous |
| Marketing / campaign analytics | ip_hash (salted SHA-256 — never plaintext IP), UA family/OS, UTM; outreach targets (email), suppression hashes | Cold-outreach + attribution | Email deleted / anonymised on erasure; suppression hashes retained as a lawful-basis record | personal (target email); IP hashed |
| Category | What it is | Why | Retention | Class |
|---|---|---|---|---|
| Organisations & membership | Org name/slug/plan/settings; members, role assignments, invitations (email), permissions | Multi-tenant / team access | Org lifetime; self-service deletion + grace; invitations deleted on erasure | personal (invite emails) |
| Partner / reseller | Partner accounts, sub-orgs, commission ledger, settlements, tax forms, agreement-signed IP | Partner programme | Commission / settlement + tax = financial legal-hold class | personal |
| Webhooks, devices, provider keys | Webhook endpoints + secrets; device pairings; pooled + customer (BYOK) provider keys | Event delivery, pairing, upstream relay | Config / delivery lifetime; BYOK keys + devices deleted on erasure | pseudonymous / secrets |
| Compliance / GRC config | Compliance flags, pack assignments, breach notifications, BAA templates, GRC connector configs | Enterprise compliance features | Feature / config lifetime | no personal data / config |
We would rather over-disclose than let “we hold no content” read as an absolute it is not. Two gateway-side stores can touch content, and both are strictly transient with hard TTLs:
| Store | What it holds | Retention | Class |
|---|---|---|---|
| Multi-turn tokenisation maps | Token↔value maps for multi-turn tokenisation. In client_held mode only an opaque client-encrypted ciphertext is stored. In the opt-in gateway_managed mode the value is stored AES-256-GCM encrypted (not in the clear at rest). | 30-day hard TTL, then purged | Encrypted (gateway-managed) / opaque (client-held) |
| Buffered responses | Tokenised response text held for async retrieval — the gateway never sees decrypted PII | Purged hourly at expiry; deleted on erasure | Tokenised (no clear PII) |
Neither is populated with clear PII on the standard pure-relay paths. The gateway_managed mode is opt-in only; unless you choose it, multi-turn maps stay client-encrypted and we cannot read them.
The public transparency log stores a SHA-256 of the tenant id (never the tenant id in the clear), seed HMACs, and chain material. No personal data.
| Data class | Retention | Basis |
|---|---|---|
| Usage records (token counts) & raw request rows | 90 days | Data minimisation + billing-dispute window |
| Application / structured logs | 30 days (14 days legacy log) | Observability minimisation |
| Idle dashboard / API tokens | Revoked after 30 days idle | Credential hygiene |
| Multi-turn tokenisation maps | 30-day hard TTL, purged | Transient tokenisation only |
| Buffered responses | Purged hourly at expiry | Ephemeral |
| Audit logs — ops category | 90 days, hard-delete | Transient operations |
| Audit logs — auth / billing / security / privacy / default | 7 years, tamper-evident archive | Security / financial accountability |
| Invoices & financial records | 7 years, pseudonymised on erasure | Statutory invoicing + legal-hold |
| Prepaid txns / credits / billing events | Legal-hold (retained on erasure) | Financial records |
| Receipts + chains + keys + local receipts | Legal-hold (retained on erasure) | Chain integrity / audit |
| Signed erasure receipts | 7 years | GDPR Art. 5 accountability + audit trail |
| Account (user row) | Account lifetime → anonymised on erasure | Service provision |
You can export everything we hold about you (Article 15) or have it erased (Article 17) — registered users can do both self-service, verified out-of-band. Erasure completes within the 30-day statutory window and produces a cryptographically signed, independently-verifiable deletion receipt. Financial and audit records are retained under legal-hold (7 years) in pseudonymised form; everything else is deleted or anonymised. See how to exercise your rights.
This section is CloakAPI's Article 30 record for the processing it carries out as a controller of the operational data above. (For customer AI content, CloakAPI is not a processor on the standard paths — that content is tokenised client-side and never reaches us in the clear.)
| Art. 30 element | Record |
|---|---|
| Controller | CloakAPI AS, Org no. 933 720 411, Norway |
| Data protection contact | dpo@cloakapi.io |
| Purposes of processing | Providing the AI gateway under contract; authentication and account management; metering and billing; issuing statutory invoices; tamper-evident audit and receipts; security incident response and abuse prevention; consent-based marketing; enterprise compliance features |
| Categories of data subjects | Registered users; organisation members; partners/resellers; outreach contacts |
| Categories of personal data | Identity/contact (name, email, company); authentication material (hashes, tokens); billing/wallet records + Stripe refs + card fingerprint; token-count metering (no content); receipt and audit metadata (hashes); IP addresses (plaintext in the security audit trail, hashed elsewhere); org/partner records incl. signed-agreement IP and tax identity. No special-category data is required; AI prompt/response content is tokenised client-side and out of scope on the standard paths. |
| Categories of recipients | Sub-processors on the published list (payment processor Stripe; hosting; email; GRC evidence tools). See sub-processors. |
| Third-country transfers | Gateway hosted in Hetzner Nuremberg (EU). AI providers act as sub-processors only when a user routes traffic to them; transfers covered by EU SCCs (2021/914 Module 2) + UK IDTA, with tokenisation as a supplementary measure. See EU regulatory applicability. |
| Retention periods | As per the retention schedule in section 9. |
| Technical & organisational measures | Client-side tokenisation before the gateway; code-enforced zero-payload logging; hashed/short-lived IP handling; encryption at rest for the opt-in gateway-managed map; hash-chained tamper-evident audit logs and receipts (ECDSA-P256); Sanctum-authenticated portal; per-category retention with scheduled prune jobs; signed erasure receipts. Full detail in the security overview. |