Privacy Policy

Last updated: March 17, 2026

This Privacy Policy describes how Cipher & Row LLC ("Cipher & Row," "we," "us," or "our") collects, uses, and discloses information in connection with the CR Gateway API validation service and related website (collectively, the "Service").

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account or sign up for an API key, we collect:

Email address — used for account identification, billing, and critical service communications
Company name — used for tenant identification and billing records
Password — stored as a PBKDF2 hash (100,000 iterations); we never store plaintext passwords

1.2 API Usage Data

When you use the Service, we automatically collect:

API request metadata — endpoint called, timestamp, response status code, and response time
Usage counts — number of requests per day/month, broken down by endpoint
IP addresses — used solely for rate limiting and abuse prevention; not stored long-term

1.3 Payment Information

Payment processing is handled entirely by Stripe, Inc. We do not store credit card numbers, bank account details, or other payment instrument data on our servers. Please refer to Stripe's Privacy Policy for details on how they handle payment data.

2. Information We Do Not Collect or Store

Core principle: We validate and forget. When you send LLM responses to /v1/validate, we process the content in memory for validation, then discard it. Your data never touches our disk unless you explicitly opt into storage.

LLM content — Messages sent to /v1/validate, /v1/compress, /v1/relay, /v1/swarm/check, and /v1/context/check are processed in real time and not stored.
Optional storage — If you explicitly use the /v1/store endpoint, message content is stored in our KV storage. This is entirely opt-in and you can delete stored data at any time.
We do not use your API request content to train machine learning models.
We do not log the content of API request or response bodies.

3. How We Use Your Information

We use the information we collect to:

Provide, maintain, and improve the Service
Authenticate your API requests and enforce rate limits
Bill your account accurately based on usage tier
Send critical service notifications (outages, security incidents, breaking changes)
Detect and prevent fraud, abuse, and security threats
Comply with legal obligations

4. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties. We share information only in the following circumstances:

4.1 Service Providers

Provider	Purpose	Data Shared
Cloudflare, Inc.	Infrastructure (edge workers, KV storage, DNS)	All requests transit Cloudflare's network
Stripe, Inc.	Payment processing	Email, company name, billing details
Sentry (Functional Software, Inc.)	Error tracking and monitoring	Error metadata, stack traces (no request body content)

4.2 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.3 Business Transfers

If Cipher & Row is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy.

5. Data Retention

Account data — retained for the duration of your account, plus 30 days after deletion to allow for recovery
Usage metrics — retained for 90 days in rolling aggregation, then purged
IP addresses — retained in memory only for active rate limiting; not persisted to disk
Stored messages (via /v1/store) — retained until you delete them or close your account
Error logs — retained by Sentry for 90 days

6. Data Security

We implement commercially reasonable security measures to protect your data, including:

All data in transit is encrypted via TLS 1.2+
API keys are hashed before storage
Passwords are hashed using PBKDF2 with 100,000 iterations
The Service runs on Cloudflare Workers with no persistent server or filesystem — reducing attack surface
SSRF protection, path traversal blocking, and input validation are enforced at the edge

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

7. Your Rights

7.1 All Users

You may at any time:

Access your account data via the Dashboard
Update your email or company name
Delete your account by contacting support@cipherandrow.com
Export your usage data by request

7.2 European Economic Area (GDPR)

If you are located in the EEA, you have additional rights under the General Data Protection Regulation, including the right to access, rectify, erase, restrict processing, data portability, and object to processing. Our legal basis for processing is:

Contract performance — processing necessary to provide the Service you signed up for
Legitimate interest — usage analytics, fraud prevention, and service improvement

To exercise your GDPR rights, contact support@cipherandrow.com. We will respond within 30 days.

7.3 California (CCPA/CPRA)

If you are a California resident, you have the right to:

Know what personal information we collect and how it is used
Request deletion of your personal information
Opt out of the sale of personal information — we do not sell personal information
Non-discrimination for exercising your privacy rights

To exercise your CCPA rights, contact support@cipherandrow.com.

8. Cookies and Tracking

The CR Gateway Dashboard uses browser localStorage to store your session token for authentication. We do not use third-party tracking cookies, advertising pixels, or analytics scripts that track you across other websites.

9. International Data Transfers

Cipher & Row is based in the United States. The Service runs on Cloudflare's global edge network, meaning your API requests are processed at the nearest Cloudflare data center. Account data is stored in the United States. By using the Service, you consent to the transfer of your information to the United States and other jurisdictions where Cloudflare operates.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us and we will take steps to delete it.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For material changes, we will also send an email notification to the address associated with your account. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

Cipher & Row LLC
Email: support@cipherandrow.com
For security-related inquiries: security@cipherandrow.com