← AI Root

Privacy Policy

Last updated: July 2026

Who we are

AI Root is an AI gateway operated from Australia. It routes requests from your applications to AI model providers, and provides tools for redacting, metering and allocating AI usage. Questions or requests about this policy: contact the operator at the email on your invoice.

What we collect

  • Account data: email address, account name, hashed credentials. API keys are stored as bcrypt hashes — we cannot recover a lost key.
  • Usage metadata: per-request records of model, token counts, cost, latency, status, timestamps, and the API key used. This is the basis of billing and your usage exports.
  • Billing data: payments are processed by Stripe; we store transaction references and amounts, not card details.

What happens to your prompts and documents

  • Prompt and response content is not written to our logs or database. Usage records contain counts and metadata only.
  • The free demo tools (redactor, localizer) never persist your document content — no caching, no storage. Redaction pattern-matching (TFNs, ABNs, emails, phone and account numbers) runs on our gateway and that content does not leave it.
  • Content sent to an AI model necessarily transits to the upstream provider serving that model (e.g. Groq, Alibaba Cloud, Google). Which provider serves which model is shown in your usage records. Providers have their own data policies; we do not permit them to train on API traffic where the provider offers that control.
  • Responses to deterministic, cacheable requests on the main API may be cached (default 1 hour) to avoid re-billing you for identical calls. Redaction endpoints are never cached. Caching can be disabled per request with the X-AIRoot-Cache: no-store header.
  • Re-identification maps produced by the redactor are returned to you and not retained by us.

Where data lives

Account and usage records are stored in Australia (Sydney region). Model traffic transits to the provider serving the requested model, which may be outside Australia — the models page identifies each provider. Production plans can restrict routing to specific regions or providers.

What we don't do

  • We do not sell or share your data with third parties for marketing.
  • We do not train models on your content.
  • We do not read your traffic except as required to debug an issue you report, with your consent.

Retention & deletion

Usage and billing records are retained while your account is active and as required for tax and accounting purposes. Ask us to close your account and we will delete account data and revoke all keys within 30 days, retaining only what bookkeeping law requires.

Australian Privacy Principles

We handle personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. If you believe we have mishandled your information, contact us first; you may also complain to the OAIC.