Privacy Policy

Last updated: 14 April 2026

Kraken is an LLM API gateway operated by GammaInfra (sole trader). This policy explains what data we collect, how we use it, and your rights. The short version: we never log your prompts or model responses.

1. What We Collect

Account information

• Email address (required for signup)
• Name (optional)

Provider API keys (BYOK only)

• If you choose to bring your own provider API keys, they are stored encrypted at rest
• If you use Kraken's managed access (default), no provider keys are collected from you

Request metadata

• Timestamps, request ID, customer ID
• Model requested and model dispatched
• Provider name
• Token counts (prompt_tokens, completion_tokens)
• Latency (latency_ms, ttfb_ms)
• Task type classification (e.g. code_gen, chat)
• Cost in USD and Kraken fee
• Whether a fallback provider was used
• Error type (if any)

Payment data

• Handled entirely by Stripe — we do not store card numbers, CVVs, or billing addresses

Rate limiting data

• IP addresses stored temporarily in Redis for rate limiting
• Automatically expires after 1 hour

2. What We Do NOT Collect

3. How We Use Your Data

• Request metadata: billing and cost calculation, routing optimization, service monitoring via Prometheus and Grafana
• Email: account identification, service communications, notification of term changes
• Provider API keys (if BYOK): to authenticate requests on your behalf with LLM providers. Not applicable if you use managed access.

4. Third-Party Data Sharing

LLM providers

Your prompts are sent to the LLM provider your request is routed to (e.g. OpenAI, Anthropic, Google, Mistral, Groq, DeepSeek, xAI). Each provider has their own privacy policy and data handling practices. We do not control how providers use your data once it reaches their API.

Stripe

Payment processing is handled by Stripe. See Stripe's privacy policy.

5. Data Retention

• Request metadata: retained indefinitely for billing audit and routing optimization
• Account data: retained while your account is active; deleted upon request
• Provider API keys (if BYOK): deleted immediately upon key revocation or account deletion
• Rate limit data (IP addresses): automatically expires after 1 hour

6. Data Security

• Provider API keys are encrypted at rest
• All traffic is encrypted in transit via TLS (certificates from Let's Encrypt)
• Kraken API keys are stored as bcrypt hashes — never in plaintext
• Infrastructure runs on a dedicated bare metal server, not shared hosting

7. Your Rights (GDPR)

If you are in the EU/EEA, you have the following rights under the General Data Protection Regulation:

• Right to access: request a copy of your data
• Right to rectification: update your account information
• Right to erasure: request deletion of your account and all associated data
• Right to data portability: export your request logs in a machine-readable format
• Right to object: opt out of non-essential data processing

To exercise any of these rights, contact hello@gammainfra.com.

8. Cookies

We do not use cookies. The API is stateless and authenticated via API keys. The landing page at gammainfra.com does not set any cookies.

9. Children

Kraken is not directed at anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to the address associated with your account at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

Questions or concerns about this privacy policy? Contact us at hello@gammainfra.com.

GammaInfra (sole trader)
https://gammainfra.com