Privacy Policy
Last updated: March 12, 2026
This Privacy Policy describes how Korad.AI ("Korad," "we," "us," or "our") collects, uses, and shares information when you use our website at korad.ai, the application at app.korad.ai, the API at api.korad.ai, and all related services (collectively, the "Service"). By using the Service, you consent to the practices described in this policy.
1. Information We Collect
1.1 Account Information
When you create an account, we collect information through our authentication provider, Clerk. This may include:
- Email address
- Name (if provided)
- Profile picture (if provided via OAuth)
- Authentication identifiers
- Organization membership and role information
1.2 Billing Information
Payment processing is handled entirely by Stripe. We do not store your credit card numbers, bank account details, or other payment instrument data on our servers. Stripe may collect and process your payment information in accordance with Stripe's Privacy Policy. We receive from Stripe only a customer identifier, transaction amounts, and payment status.
1.3 Usage Metadata
For each API request processed through the Service, we collect non-content metadata necessary for billing, analytics, and service operation:
- Token counts (input tokens and output tokens)
- Model identifier used for the request
- Request and response latency
- Timestamps
- HTTP status codes and error categories
- API key identifier (a reference ID, not the key itself)
- Optimization metrics (tokens saved, cache hit/miss)
1.4 What We Do NOT Collect: Prompt Content (Zero Data Retention)
Korad enforces a strict Zero Data Retention ("ZDR") policy for all prompt and response content. We do not store, log, cache to disk, or otherwise persist the content of your inputs (prompts, messages, files, system instructions) or outputs (model completions, tool results) at any stage of our processing pipeline. Prompt content exists in memory only for the duration of request processing and is discarded immediately upon completion.
This is a core architectural guarantee of the Service, not merely a policy choice. Our optimization pipeline processes content in-memory and streams results directly to and from upstream providers without writing content to any persistent storage.
2. Automatically Collected Information
When you visit our website or use the dashboard, we may automatically collect:
- IP address
- Browser type and version
- Operating system
- Device type
- Pages visited and time spent
- Referring URL
This information is collected through standard web server logs and may be supplemented by analytics services. We use this data in aggregate to improve the Service and do not use it to identify individual users beyond what is necessary for security purposes.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To authenticate your requests, route them to upstream providers, apply optimizations, and return responses.
- Billing: To calculate charges based on token usage, process payments, issue receipts, and maintain credit balances.
- Security: To detect and prevent fraud, abuse, unauthorized access, and other security threats. This includes rate limiting, anomaly detection, and API key validation.
- Service improvement: To analyze aggregated, anonymized usage patterns in order to improve optimization algorithms, reliability, and performance. We never use prompt content for this purpose.
- Communication: To send you transactional notifications (e.g., low credit alerts, service incidents) and, with your consent, product updates.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
4. Information Sharing and Third Parties
We share information with third parties only as described below:
4.1 Authentication Provider (Clerk)
Clerk processes your authentication data (email, OAuth tokens, session information) to provide sign-in and account management. See Clerk's Privacy Policy.
4.2 Payment Processor (Stripe)
Stripe processes your payment information to facilitate credit purchases. We do not have access to your full payment card details. See Stripe's Privacy Policy.
4.3 Upstream LLM Providers
When you submit an API request, the content of that request (after optimization) is forwarded to the selected upstream LLM provider for processing. Korad routes requests through intermediary services including OpenRouter and Vercel AI Gateway. While Korad enforces Zero Data Retention on our end, the data handling practices of upstream providers are governed by their own privacy policies and terms of service. We encourage you to review the privacy policies of providers whose models you use. Korad requests zero-data-retention routing from intermediaries where supported, but cannot guarantee the data practices of third-party providers.
4.4 Analytics
We may use third-party analytics services to help understand website usage patterns. These services collect information sent by your browser as part of standard web requests. Analytics data is aggregated and does not include prompt content or API request payloads.
4.5 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud, or to respond to a lawful request.
5. Data Retention
- Prompt and response content: Never retained. Discarded immediately after each request completes (Zero Data Retention).
- Usage metadata: Retained for a configurable period (default 90 days) for billing reconciliation and analytics, after which it is automatically purged or anonymized.
- Account information: Retained for the duration of your account and for a reasonable period thereafter to comply with legal obligations and resolve disputes.
- Billing records: Retained as required by applicable tax and financial regulations (typically 7 years).
- Server logs: Retained for up to 30 days for security and debugging purposes.
6. Your Rights
Depending on your jurisdiction, you may have certain rights regarding your personal information. We honor the following rights for all users, regardless of location:
6.1 Access and Portability
You may request a copy of the personal information we hold about you. Your usage data and billing history are available in the dashboard at any time. For a complete data export, contact [email protected].
6.2 Correction
You may update your account information at any time through the dashboard or by contacting us. If any information held by our third-party processors (Clerk, Stripe) is inaccurate, we will assist you in correcting it.
6.3 Deletion
You may request deletion of your account and associated personal data by contacting [email protected]. Upon receiving a verified deletion request, we will delete your personal information within 30 days, except where retention is required by law (e.g., billing records for tax compliance). Because we enforce Zero Data Retention, there is no prompt content to delete.
6.4 Opt-Out of Communications
You may opt out of non-transactional communications at any time by using the unsubscribe link in any email or by contacting us. Transactional notifications (billing alerts, security notices) cannot be opted out of while your account is active.
6.5 California Residents (CCPA)
If you are a California resident, you have the right to: (a) know what personal information we collect, use, and disclose; (b) request deletion of your personal information; (c) opt out of the sale of your personal information. We do not sell your personal information. To exercise your rights, contact [email protected].
6.6 European Economic Area and UK Residents (GDPR)
If you are located in the EEA or UK, our legal bases for processing your personal data are: (a) performance of our contract with you (service delivery and billing); (b) legitimate interests (security, fraud prevention, service improvement); and (c) your consent (where applicable). You have the right to access, rectify, or erase your personal data, to restrict or object to its processing, and to data portability. You also have the right to lodge a complaint with your local data protection authority. To exercise your rights, contact [email protected].
7. Security
We implement industry-standard security measures to protect your information:
- Encryption in transit: All data transmitted between your systems and the Service is encrypted using TLS 1.2 or higher.
- Encryption at rest: Account data and usage metadata stored in our databases are encrypted at rest.
- Zero Data Retention: Prompt content is never written to persistent storage, eliminating the risk of content data breaches.
- API key security: API keys are hashed before storage. Full key values are shown only once at creation time.
- Access controls: Internal access to production systems is restricted to authorized personnel with multi-factor authentication.
While we take reasonable measures to protect your information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
8. Cookies and Similar Technologies
We use a minimal set of cookies necessary for the operation of the Service:
- Authentication cookies: Set by Clerk to maintain your session and authentication state. These are strictly necessary for the Service to function.
- Preference cookies: To store your display preferences (e.g., light/dark theme).
We do not use advertising cookies or cross-site tracking cookies. If we introduce analytics cookies in the future, we will update this policy and provide appropriate notice and consent mechanisms.
9. International Data Transfers
The Service is operated from the United States. If you are accessing the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other jurisdictions where our service providers operate. By using the Service, you consent to the transfer of your information to jurisdictions that may have different data protection laws than your jurisdiction. Where required by applicable law, we use appropriate safeguards (such as standard contractual clauses) for international data transfers.
10. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe that a child under 18 has provided us with personal information, please contact us at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the revised policy on the Service and updating the "Last updated" date. For significant changes that affect your rights, we may also notify you via email. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.
12. Contact Information
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
- Privacy inquiries: [email protected]
- General support: [email protected]
- Website: korad.ai