Legal · Privacy

Privacy policy.

CloakAPI is a privacy-preserving AI gateway. The architecture means we structurally cannot see prompts, responses, or model output. This page is the legal articulation of that position.

Version 2.1 · Effective 2026-04-01 · Controller: CloakAPI AS, Org no. 933 720 411 (Norway)

1. Summary in plain language

CloakAPI's gateway is a blind token relay. Personal data is tokenised on your own device — for CloakAPI Chat and the browser extension in in-browser WebAssembly, in the desktop app and the local proxy in native Rust — before the request ever reaches us, so the gateway forwards only opaque tokens and cannot see your PII in the clear. The gateway does not inspect, detect, or tokenise content on our servers; it relays what your device sends. If you point a bare SDK straight at the gateway it will blind-relay whatever you send — to keep tokenisation on your own machine with a plain SDK, run the local proxy (see the docs, Quickstart Option C). Responses are de-tokenised on your device with the per-tenant token vault that never leaves it.

This means we do not collect, store, or process the substantive content of your AI traffic. We do collect the metadata required to bill, audit, and operate the service.

Zero-payload logging invariant. Our middleware refuses to write any byte of prompt or response to disk. This is enforced at the middleware layer and verified in CI on every commit. The build will not pass if a logger emits a payload field. See /trust for the technical specification.

2. What we collect

2.1 Account & billing data

2.2 Operational telemetry

2.3 What we never collect

2.4 Website analytics

3. Legal basis (GDPR Art. 6)

ProcessingBasisReference
Operating the gateway under your subscriptionContractArt. 6(1)(b)
Issuing invoices & tax reportingLegal obligationArt. 6(1)(c)
Fraud detection on log-in eventsLegitimate interestArt. 6(1)(f) — LIA on file
Marketing emailsConsent (opt-in)Art. 6(1)(a) — withdraw any time
Security incident responseLegal obligation + legitimate interestNIS2 + Art. 6(1)(c)/(f)

4. Retention windows

These windows are enforced in code by scheduled prune jobs and per-category audit-retention policies. For the full picture of every category we hold, why, and for how long, see our data map & record of processing.

5. Sub-processors

The full live list (21 sub-processors) and 30-day change-notification subscription is at /legal/subprocessors.

6. International transfers

The CloakAPI gateway runs in Hetzner Nuremberg (EU). We use third-country providers (Anthropic, OpenAI, etc.) as sub-processors when a user routes traffic to them; transfers are covered by SCCs (2021/914/EU module 2) and supplementary measures including the gateway tokenisation that strips identifiers before any provider sees the prompt.

7. Data-subject rights

Under GDPR Articles 15–22, you can request access, rectification, erasure, restriction, portability, or object to processing. Registered users can run self-service export (Art. 15) and erasure (Art. 17) — each verified out-of-band and, for erasure, returning a cryptographically signed, independently-verifiable deletion receipt; see how to exercise your rights. You can also email dpo@cloakapi.io. We respond within the 30-day statutory window. The supervisory authority of record is Datatilsynet (Norway).

8. Security

Detailed security controls, key custody, encryption, vulnerability disclosure, and audit attestations are at /legal/security and security.cloakapi.io.

8a. What CloakAPI does NOT protect against

CloakAPI tokenises detected personal data before it reaches the AI provider — a real but bounded guarantee. Being explicit about its limits is part of the product. The following are out of scope; evaluate them against your own threat model. The full technical threat model is public at docs.cloakapi.io/security/threat-model.

9. Changes to this policy

Material changes are announced 30 days in advance to the registered account email and at /changelog. The version history is public.

Related documents