Privacy Policy

This policy describes how AIPower (aipower.me, api.aipower.me) collects, uses, retains, and shares data. It applies to registered accounts and anonymous visitors. The billing entity is AI POWER LIMITED, a Hong Kong company.

• Account data: email, hashed password (salt + SHA-256), optional display name, optional referral code, signup IP (for fraud detection only, rotating out after 90 days), signup country derived from IP.
• API keys: stored only as SHA-256 hashes; raw keys shown once at creation.
• Usage metadata per API call: timestamp, model, input/output token counts, latency, cost. Not prompt text or completion text.
• Payment records: amount, currency, status, Stripe session ID. Card numbers never touch our servers — Stripe handles all card data directly.
• Cookies / localStorage: your session token (JWT) to keep you logged in, and minimal UI preferences.

• Your prompts sent to any AI model.
• The AI models' responses.
• Your card number.
• Third-party analytics cookies (we use first-party Vercel Analytics for aggregated page views only; no cross-site tracking).

If you use a model whose provider logs requests (e.g. OpenAI retains 30 days for abuse detection), that's the upstream provider's policy, not ours. See docs for per-provider retention notes.

• To provide the API gateway service (route your request to the upstream model, return the response).
• To compute your balance, bill you correctly, and show you accurate usage on the dashboard.
• To detect and prevent fraud / bot abuse (anonymized aggregate patterns + Stripe Radar scores).
• To send transactional emails (verification code, payment receipts, balance-low alerts). We do not send marketing emails by default; if we ever add them, they'll be opt-in.

We share the minimum necessary data with these processors:

• Cloudflare — edge hosting, DNS, bot defense (Turnstile), email routing. Cloudflare privacy
• Stripe — payment processing. Card data goes directly to Stripe, never through us. Stripe privacy
• Resend — transactional email delivery. Resend privacy
• Upstream AI providers (OpenAI, Anthropic, Google, DeepSeek, Alibaba, Zhipu, Moonshot, MiniMax, ByteDance) — we forward your prompt to the provider you selected. Each has their own retention policy.
• Vercel — web hosting + basic aggregated analytics.

We do not sell your data. Ever.

• Account data: until you delete your account.
• Usage logs (per-request metadata): indefinite for billing accuracy. You can export or delete older entries via /dashboard/logs.
• Signup IP: 90 days (fraud detection only).
• Payment records: 7 years (required for Hong Kong accounting compliance).
• Verification codes, rate-limit counters: automatically expire within 1 hour.

• Access: download your usage logs as CSV via /dashboard/logs.
• Correction: update your email / name via dashboard.
• Deletion: email support@aipower.me from your registered address and we'll delete your account within 7 days (note: billing records are kept 7 years per law).
• Opt-out of emails: reply "unsubscribe" to any email. Transactional emails (payment receipts, verification codes) cannot be disabled.
• EU/UK GDPR & California CCPA: we honor all requests under these frameworks. Contact privacy@aipower.me.

AIPower runs on Cloudflare's global edge. Your data may be processed in any Cloudflare data center close to you (currently 280+ cities). Our billing records are held by AI POWER LIMITED in Hong Kong. Payment data is processed by Stripe in accordance with their global infrastructure.

AIPower is not intended for users under 16. If we discover we've collected data from a child, we'll delete it.

We'll update the "Last updated" date at the top when we change anything. For material changes (data sharing, new processors, expanded retention), we'll email registered users 30 days before the change takes effect.

Privacy questions: privacy@aipower.me
Security / vulnerabilities: security@aipower.me
General support: support@aipower.me