Privacy Policy

Last updated: May 10, 2026

1. Who We Are

Kyrion (“we,” “us,” “our”) is an AI routing platform operated by Daniel Rohac. We are registered in the Czech Republic and subject to the General Data Protection Regulation (GDPR).

If you have any questions about this policy, contact us at privacy@kyrion.dev.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Email address, display name, username, and optional profile picture — collected when you register.
  • Payment data: Billing name, last-4 card digits, and billing address — processed and stored by Stripe. We never see or store full card numbers.
  • API keys: Your third-party provider API keys (OpenAI, Anthropic, etc.) are encrypted at rest using AES-256-GCM before being stored in our database. We never log or expose the raw keys.
  • Usage logs: Request metadata — model used, token counts, latency, cost, and the first 200 characters of each prompt (the “prompt preview”). Full prompt content is never stored.
  • Technical data: IP addresses (for rate limiting, not linked to your identity long-term), browser type, and referrer — collected via server logs.

3. How We Use Your Data

  • To provide the Kyrion routing service and your dashboard.
  • To process payments and manage your subscription via Stripe.
  • To route your API requests to configured AI providers on your behalf.
  • To display usage analytics and cost-saving metrics in your dashboard.
  • To enforce rate limits and prevent abuse.
  • To send transactional emails (account confirmation, subscription receipts).

We do not sell your data. We do not use your prompts to train AI models.

4. Data Sharing

We share data only with the following categories of subprocessors, all bound by GDPR-compliant DPAs:

  • Supabase (Ireland): Database and authentication hosting.
  • Stripe (Ireland): Payment processing.
  • Vercel (USA/EU): Application hosting. Data is processed in EU regions where available.
  • AI Providers: When you route a request, the request content is sent to your configured provider (OpenAI, Anthropic, etc.) using your own API key. Each provider’s own privacy policy governs that data.

5. Cookies

We use only strictly necessary cookies: session cookies set by Supabase for authentication. We do not use tracking, advertising, or analytics cookies. No cookie consent banner is required.

6. Data Retention

  • Account data: retained until you delete your account.
  • Usage logs: retained for 12 months, then automatically purged.
  • Payment records: retained for 7 years as required by Czech accounting law.

7. Your Rights (GDPR)

Under GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data (“right to be forgotten”) — delete your account in Settings.
  • Restrict processing in certain circumstances.
  • Port your data in a machine-readable format.
  • Object to processing based on legitimate interests.

To exercise any right, email privacy@kyrion.dev. We respond within 30 days.

8. Security

We apply industry-standard security measures: AES-256-GCM encryption for provider keys at rest, HMAC-SHA256 for API key hashing, TLS 1.3 in transit, Content Security Policy headers, and Row Level Security in our database so each user can only access their own data.

9. Changes to This Policy

We may update this policy. Material changes will be announced via email at least 14 days in advance. Continued use of Kyrion after the effective date constitutes acceptance.