Legal

Terms, policies, and agreements governing your use of OpenGateway.

Privacy Policy

This document explains what OpenGateway collects, how API traffic is handled, and which providers may receive your data.

  • OpenGateway logs API call metadata for billing, debugging, abuse prevention, and operations. Request and response body logging is off by default, but a team admin can enable it for the whole team.
  • Even with body logging off, failed provider calls may retain raw provider error metadata, and those errors can echo prompt fragments or parameter values.
  • OpenGateway does not use prompts, responses, or call metadata to train models. Upstream providers have their own rules: deepseek is training-eligible, kimi and minimax are unclear, and zai and dashscope are treated as Singapore-jurisdiction (dashscope is currently not enabled in production).
  • model:"auto" means OpenGateway may choose the provider, so do not use it if you need to avoid a jurisdiction, provider, or data-handling posture.
  • If a breach affecting your data occurs, we notify affected parties without undue delay and in accordance with applicable law. Users are generally 16+, with extra consent rules for under-16 users and Korean PIPA users under 14.

When to re-read: when enabling body logging, using model:"auto", sending sensitive data, enabling PRC providers, or receiving a material privacy-change notice.

Effective Date: the Effective Date Last Updated: June 13, 2026

1. Introduction

This Privacy Policy describes how Sionic AI Co., Ltd. ("Sionic AI," "we," "us," or "our") collects, uses, shares, and protects personal information through the OpenGateway platform ("Service"). OpenGateway is a developer platform that lets individual developers and teams call multiple large language model (LLM) providers through a single OpenAI-compatible API.

This Policy applies to all users of the Service: individual developers, team members, account administrators, and visitors to our website. By accessing or using OpenGateway, you acknowledge that you have read and understood this Policy.

If you are using the Service as part of a team or on behalf of an organization, you represent that you have authority to accept this Policy for that team or organization. Solo developers may sign up and use the Service in their personal capacity.

2. Information We Collect

2.1 Account Information

We collect the following when you create and maintain an account:

Data TypeSourceDetails
Auth0 subject identifierAuth0Stable identifier issued by our authentication service, used to link your account
Email addressAuth0 (including social identity providers as configured in our authentication service)Used as primary account identifier
Display nameAuth0 / user-providedDisplay name within the platform
Organization nameUser-providedTeam and billing association
Team membershipUser-providedRole and access within an organization

Consent records. When you accept our Terms of Service, this Privacy Policy, or other policies presented for acceptance, we record your user identifier, the timestamp of acceptance, and the version of each accepted document ("consent records"). Consent records are retained for as long as your account exists, plus any additional period required by applicable law, to evidence compliance with consent and notification requirements (see Section 5).

2.2 Payment Information

Payment processing is handled by PayPal, Inc. ("PayPal"). We do not store payment card numbers, bank account numbers, or other underlying funding-instrument data. We retain only:

  • Your PayPal payer email address (used as the display label for your payment method, e.g., "PayPal Account · {email}")
  • A vault token reference to your saved PayPal payment method, where a previously saved payment method exists
  • PayPal order and capture identifiers for each transaction
  • Transaction amounts and payment status

All payment transactions are processed directly by PayPal under its own privacy policy and security standards.

2.3 Usage Data (API Call Metadata)

For every API call routed through OpenGateway, we record operational metadata as reflected in the platform's call-record schema:

  • Internal job identifier and attempt index (for retries and debugging)
  • API key identifier (recorded with call metadata for billing, authentication, rate-limiting, and abuse prevention)
  • Optional userId and sessionId headers if your application supplies them (these are passed through verbatim and stored as you provide them — if you treat these as identifiers, please consider what they reveal)
  • Optional openaiSpecId (an internal routing identifier)
  • LLM provider and model used (e.g., openai, anthropic, vertex-ai)
  • API type (Chat Completions or Responses API)
  • Status (success or failure) and billing status
  • Timestamps (request attempted, response received, first streaming chunk if applicable)
  • Token usage (input/output/total tokens, including reasoning and cached tokens where reported)
  • Estimated cost of the call

This metadata is recorded regardless of whether request body logging is enabled (see Section 2.4). It is required to operate, bill, debug, and audit the Service.

2.4 API Request Content and Provider Responses

Default behavior — body logging disabled. By default, OpenGateway does not store the body of your API requests (prompts) or the body of provider responses. Bodies pass through our infrastructure in transit only and are not retained in call records.

Per-team toggle — body logging enabled. A team administrator can enable request and response body logging for the team via the dashboard. The setting is binary (NONE or ALL) at the team level; there is currently no per-API-key override. When enabled:

  • Request bodies up to 50 KB are recorded; larger bodies are truncated and a flag is recorded indicating truncation occurred
  • Response bodies are recorded in full, including streamed completions and tool/function-call payloads
  • Logged content is retained for the period configured by your team (operationally limited; see Section 5)

You may switch the toggle to NONE at any time; thereafter newly captured bodies will not be stored, and previously captured bodies are deleted according to Section 5.

Optional debug output. If you request optional debug output via the API, that debug information is assembled per-request and returned only in the API response to you; it is not persisted by OpenGateway in any logging mode. Conversation content keys are excluded from debug diffs.

Image generation content. Generated image content returned by image-generation models is not persisted by OpenGateway in any logging mode; only call metadata and usage (Section 2.3) are recorded. Image-generation request prompts follow the same body-logging rules as text requests.

Provider error metadata exposure. Even when body logging is set to NONE, when a provider call fails, error records may, in some cases, retain the provider's raw error payload in the call record (error.metadata.raw) so we can support you and reproduce the failure. Provider raw error payloads sometimes echo a fragment of your prompt, a parameter value, or a content moderation reason. Treat failed calls as if a small slice of the request may be retained alongside the metadata in Section 2.3.

If you cannot tolerate any prompt fragment being retained on failure, contact us at privacy@sionic.ai to discuss enterprise data-handling controls.

No training. OpenGateway does not use your prompts, response content, or call metadata to train AI models. Whether the upstream LLM provider trains on your data depends on that provider — see Section 4.1 and the public sub-processors page for a per-provider breakdown.

2.5 Technical Data

We automatically collect:

  • IP addresses
  • Browser type and version
  • Operating system and device information
  • Referring URLs
  • Pages visited on our website
  • Date and time of access

2.6 Cookies and Similar Technologies

See Section 10 (Cookie Policy) below for full details on the cookies and tracking technologies we use.

3. How We Use Your Information

We process personal information for the following purposes:

PurposeData UsedLegal Basis (GDPR)
Provide and operate the ServiceAccount info, usage data, technical dataPerformance of contract
Route API requests to LLM providersAPI request content (in transit)Performance of contract
Billing and invoicingAccount info, payment info, usage dataPerformance of contract; legal obligation
Customer supportAccount info, usage data, technical dataPerformance of contract; legitimate interest
Service improvement and analyticsUsage data, technical data (aggregated)Legitimate interest
Security and fraud preventionTechnical data, usage dataLegitimate interest; legal obligation
Legal complianceAll categories as requiredLegal obligation
Communication about Service updatesAccount infoLegitimate interest; consent (for marketing)

We do not:

  • Sell your personal information to third parties.
  • Use prompt or response content for training AI models.
  • Use your data for automated decision-making that produces legal effects concerning you.

4. Third-Party Data Sharing

4.1 LLM Providers

The core function of OpenGateway is to route your API requests to the LLM provider you select. When you make an API call, the content of your request (prompt) and any associated parameters are transmitted to the selected provider for processing.

Current LLM providers (13):

Provider SlugOperatorPrimary JurisdictionNotes
openaiOpenAIUnited StatesChat Completions and Responses API
anthropicAnthropicUnited StatesClaude Messages API
azureMicrosoftCustomer-selected Azure regionAzure OpenAI Service
vertex-aiGoogle CloudCustomer-selected Vertex regionGemini family models
sionic-aiSionic AI (first-party)Sionic AI-hosted infrastructureFirst-party Sionic AI models on Sionic AI-hosted infrastructure; currently exposes no models; not a third-party transfer
xaixAIUnited States (regional endpoints available)Grok family
minimaxMiniMaxPeople's Republic of Chinaabab family
kimiMoonshot AIPeople's Republic of ChinaKimi family
deepseekDeepSeekPeople's Republic of ChinaDeepSeek family — see warning below
zaiZ.AISingapore (model lineage: GLM/Zhipu, China)API operated from Singapore under separate DPA
dashscopeAlibaba Cloud (Model Studio / DashScope)Singapore (ap-southeast-1)Qwen family; currently not enabled in production deployments — listed for transparency

Important data-handling differences across providers:

  • DeepSeek's published privacy policy permits training and improvement on user input, and we have not been able to confirm a public API opt-out. If you call deepseek models through OpenGateway, treat your prompts as training-eligible by the provider. Do not send sensitive personal data, regulated data, or production secrets to deepseek models without an enterprise agreement directly with DeepSeek.
  • MiniMax and Kimi: public English policy materials are limited. Treat prompts and responses sent to these providers as retained per People's Republic of China law and the providers' Mandarin-language terms.
  • Z.AI (api.z.ai) operates the API from Singapore under a separate DPA, even though the GLM/Zhipu model lineage originates in China. Singapore PDPA and Z.AI's contractual terms govern the API path. The PIPL Supplement in Section 11 does not extend to Z.AI; international transfers to Z.AI rely on Singapore PDPA mechanisms.
  • DashScope (Alibaba Cloud Model Studio) is served from Alibaba Cloud's Singapore (ap-southeast-1) endpoint and is treated as Singapore-jurisdiction. Like Z.AI, the PIPL Supplement in Section 11 does not extend to DashScope; international transfers rely on Singapore PDPA mechanisms. The dashscope provider is currently not enabled in production deployments and is listed for transparency.
  • DeepSeek, MiniMax, Kimi: requests are subject to the People's Republic of China legal framework, including the Personal Information Protection Law (PIPL) and applicable cross-border transfer requirements. See the PIPL Supplement in Section 11.
  • OpenAI, Anthropic, Azure, Vertex AI, xAI: these providers do not train on API/business data by default; abuse-monitoring retention is typically up to 30 days at the provider, with Zero Data Retention available on enterprise terms directly with the provider.
  • Sionic AI first-party models (sionic-ai): hosted on Sionic AI-operated infrastructure; no third-party transfer occurs. This integration currently exposes no models.

Provider-executed tools (e.g., web search). Some providers offer tools, such as web search, that execute on the LLM provider's side within the provider's own infrastructure. When you use these features, the tool runs at the provider; OpenGateway receives only usage counters for billing purposes. No separate search vendor receives your data.

For the up-to-date per-provider matrix (country, default residency, training opt-out, retention, BAA availability, AUP URL), see the public Sub-processors page (referenced in Section 11) and the DPA Annex A.

Important notice regarding model:"auto" routing: When you use the automatic model selection feature, OpenGateway selects the optimal provider based on your request characteristics. This means you cannot predict in advance which provider will receive your data for a given request. If you or your team have data residency or provider-specific requirements (for example, you must avoid PRC-jurisdiction providers, or you require a region-pinned endpoint), specify the provider explicitly rather than using automatic routing.

Regional processing. Each OpenGateway deployment is configured with an allowlist of enabled providers and provider regions. Your requests are processed by the deployment you call; the set of enabled providers and regions may differ between deployments.

Provider data handling: Each LLM provider processes your data under its own privacy policy and terms of service. Provider policies regarding data retention, training, cross-border transfer, and government access may differ materially. We recommend reviewing each provider's privacy policy directly.

4.2 Service Providers

Service ProviderPurposeData Shared
PayPal, Inc.Payment processingPayPal payer email, vault token reference, order and capture identifiers, transaction amounts
Auth0Authentication and identity managementEmail, name, authentication credentials
Amazon Web Services (AWS)Infrastructure hostingAll data processed by the Service (encrypted)
Google Cloud Platform (GCP)Infrastructure hostingAll data processed by the Service (encrypted)

4.3 Other Disclosures

We may disclose personal information:

  • Legal requirements: When required by law, regulation, legal process, or governmental request.
  • Protection of rights: To enforce our terms of service, protect our rights, privacy, safety, or property, or that of our users or the public.
  • Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, in which case the acquiring entity will be bound by this Policy.

5. Data Retention

Data CategoryRetention PeriodNotes
Account dataDuration of active account; on a deletion request, we aim to remove account data within 30 days of the requestIncludes account info and team membership. Deletion is currently handled manually on request
Consent records (user identifier, acceptance timestamp, accepted document version)Duration of active account + any period required by applicable lawRecorded when you accept our terms or policies; retained to evidence compliance
API call metadata (Section 2.3)(to be provided) days from the request timestampConfigurable for paid teams via the Service Agreement; not configurable on free / trial-credit accounts
Provider error metadata (error.metadata.raw, Section 2.4)(to be provided) days from the request timestampStored even when body logging is NONE; deleted on the schedule above
API request and response bodies (only when body logging is enabled per team)thirty (30) days from the request timestamp; when body logging is disabled for a team, we aim to remove previously captured bodies promptly thereafterA team administrator may disable logging at any time. See the operational note below
Payment records5 years after the transactionRequired by Korean tax law (National Tax Service) and similar foreign tax authorities
Technical/access logs90 daysFor security and operational purposes
Cookie dataSee Section 10Varies by cookie type

Operational note: Body-log retention is committed at thirty (30) days (confirmed 2026-06-13) and is reflected in the table above. The retention values shown as (to be provided) and (to be provided) remain pending an operations decision and will be set by Sionic AI operations before publication; until those values are committed, treat each as a placeholder. The platform code does not currently enforce a numeric retention ceiling for the metadata and error-metadata data classes; the ceiling is operational and will be backed by an automated deletion job.

After the retention period expires, we aim to permanently delete or irreversibly anonymize the data within 30 days once an automated deletion process is in place; deletion is currently carried out operationally. For details on destruction procedures, see the Korean PIPA Supplement in Section 11.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

RightDescription
AccessRequest a copy of the personal information we hold about you
RectificationRequest correction of inaccurate or incomplete personal information
DeletionRequest deletion of your personal information, subject to legal retention requirements
PortabilityReceive your personal information in a structured, machine-readable format
RestrictionRequest that we limit the processing of your personal information
ObjectionObject to certain processing activities, including direct marketing
Withdraw consentWhere processing is based on consent, withdraw that consent at any time

How to Exercise Your Rights

Submit requests to: privacy@sionic.ai

We will verify your identity before processing any request. We aim to respond within 30 days of receiving a verified request. If we need additional time (up to 60 additional days for complex requests), we will notify you of the extension and the reasons.

There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive. If we cannot fulfill a request, we will explain the reasons and inform you of your right to lodge a complaint with the relevant supervisory authority.

For jurisdiction-specific details, see the Regional Supplements in Section 11.

7. International Data Transfers

Sionic AI is headquartered in the Republic of Korea. Your personal information may be transferred to, stored in, and processed in countries other than your country of residence, including:

  • Republic of Korea (Sionic AI headquarters; first-party sionic-ai infrastructure)
  • United States (AWS, GCP, OpenAI, Anthropic, Auth0, PayPal, xAI)
  • European Union / customer-selected EU regions (Azure OpenAI, Vertex AI when an EU region is selected)
  • Japan (GCP data centers, depending on configuration)
  • Singapore (Z.AI API endpoint; Alibaba Cloud DashScope endpoint (ap-southeast-1), currently not enabled in production; AWS Singapore region where applicable)
  • People's Republic of China (DeepSeek, Kimi, MiniMax — only when expressly enabled by your team)
  • Other jurisdictions where our LLM providers or infrastructure providers operate

Safeguards for International Transfers

  • EU/EEA, UK, and Swiss transfers: We rely on the EU Standard Contractual Clauses (SCCs) in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 — specifically Module 2 (Controller to Processor) for the typical case where the customer is the Controller and Sionic AI/OpenGateway is the Processor, and Module 3 (Processor to Processor) for onward transfers to LLM provider sub-processors that themselves act as Processors under their own DPAs with Sionic AI. The SCCs are populated with the parties (Annex I.A), the description of transfer (Annex I.B), the competent authority (Annex I.C), the technical and organizational measures in DPA Section 7 (Annex II), and the sub-processor list in DPA Section 6 (Annex III). The Clause 7 docking option, Clause 11 redress option, and Clause 17/18 governing law of the Republic of Ireland apply unless otherwise agreed in a signed Service Agreement.
  • United Kingdom transfers: We rely on the UK International Data Transfer Addendum (UK IDTA), version B1.0 effective 21 March 2022, issued by the UK Information Commissioner's Office (ICO). The IDTA is appended to and applies in addition to (or, where applicable, in lieu of) the EU SCCs above for transfers from the United Kingdom under the UK GDPR / Data Protection Act 2018. Tables 1–4 of the IDTA Part 1 are populated by reference to the SCCs and DPA Annex.
  • Swiss transfers (revFADP): The EU SCCs are adapted for Switzerland in accordance with guidance from the Federal Data Protection and Information Commissioner (FDPIC), including treating references to the GDPR as references to the revFADP and to EU supervisory authorities as references to the FDPIC, where applicable.
  • Korean PIPA compliance: Cross-border transfers are conducted with the data subject's consent or under statutory exceptions, with safeguards equivalent to those required by PIPA.
  • Japan (APPI): Transfers to countries recognized under APPI's adequacy framework proceed under that framework. For transfers to other countries, we ensure the receiving party maintains standards equivalent to those required by the APPI, as detailed in the APPI Supplement in Section 11.
  • Mainland China (PIPL): Cross-border transfers to and from mainland China are governed by the PIPL Supplement in Section 11.4. For PRC-jurisdiction sub-processors (DeepSeek, Kimi, MiniMax), Sionic AI obtains separate consent under PIPL Art. 39 before enabling routing. Outbound transfers from users located in mainland China rely on the PIPL transfer mechanism described in Section 11.4.2 and are subject to the restrictions stated there.
  • Singapore (Z.AI and Alibaba Cloud DashScope): Transfers to Z.AI rely on Singapore's Personal Data Protection Act cross-border transfer requirements, as governed by the separate DPA in place between Sionic AI and Z.AI. Transfers to Alibaba Cloud DashScope are made to Alibaba Cloud's Singapore (ap-southeast-1) endpoint under the same PDPA cross-border transfer requirements; the dashscope provider is currently not enabled in production deployments. Neither Z.AI nor DashScope is within PIPL scope.

8. Data Security

We implement the following technical and organizational measures to protect your information:

Encryption:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Data at rest is encrypted at rest using AES-256 via our cloud infrastructure providers.

Access Controls:

  • Role-based access control (RBAC) for all internal systems.
  • Multi-factor authentication used for administrative access.
  • API keys are credentials transmitted over TLS and protected by access controls; treat them as secrets. You can revoke and delete an API key at any time from the dashboard.

Infrastructure Security. Our infrastructure security measures include:

  • Hosting on AWS and GCP with SOC 2-compliant infrastructure.
  • Network segmentation and firewall rules to restrict access to production systems.
  • Vulnerability management and periodic security assessments.

Monitoring and Incident Response. Our monitoring and incident-response measures include:

  • Infrastructure-level access logging provided by our cloud providers.
  • Automated alerting for anomalous activity.
  • A documented incident response plan with defined escalation procedures.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected parties without undue delay and in accordance with applicable law. The corresponding notification SLA for paid customers under the Data Processing Agreement is set out in DPA Section 8.

9. Children's Privacy

OpenGateway is a developer platform intended for use by individuals aged 16 or older.

  • If you are 16 or older, you may sign up and use the Service in your personal capacity, subject to the eligibility terms in the Terms of Service.
  • If you are under 16, you may use the Service only with the verifiable consent of a parent, legal guardian, or — within an organization or team account — a team administrator who is at least 18 years old and is authorized to accept this Policy on your behalf.
  • Korea's Personal Information Protection Act (PIPA) requires the consent of a legal representative for the personal information processing of users under 14 years old; in those cases, that legal representative's consent is required in addition to the team administrator authorization above.
  • We do not knowingly collect personal information from individuals under the applicable minimum age without the required parental, guardian, or legal-representative consent.

If we become aware that we have collected personal information from a person below the applicable minimum age without the required consent, we will take steps to delete that information promptly. If you believe we have collected information from a minor without the required consent, please contact us at privacy@sionic.ai.

10. Cookie Policy

10.1 What Are Cookies

Cookies are small text files stored on your device when you visit a website. They serve various functions, such as remembering your preferences, maintaining your session, and helping us understand how our Service is used.

10.2 Cookies We Use

Cookie TypePurposeDurationRequired
Essential / AuthenticationMaintain your login session, CSRF protection, security tokens provided by Auth0Session or up to 24 hoursYes
PreferenceRemember your language, theme, and dashboard settingsUp to 1 yearNo
AnalyticsUnderstand how users interact with the Service (page views, feature usage, navigation patterns)Up to 2 yearsNo

10.3 Essential Cookies

These cookies are strictly necessary for the Service to function. They include:

  • Session cookies: Maintain your authenticated session after login via Auth0.
  • Security cookies: CSRF tokens and other security-related cookies that protect against cross-site request forgery and session hijacking.

You cannot opt out of essential cookies while using the Service, as they are required for basic functionality.

10.4 Analytics Cookies

We use analytics cookies to collect aggregated, anonymized data about how the Service is used. This helps us improve the platform. Analytics cookies are optional and are only set with your consent (except where a jurisdiction allows them without consent).

10.5 Managing Cookies

You can control cookies through:

  • Browser settings: Most browsers allow you to block or delete cookies. Consult your browser's help documentation for instructions.
  • Our cookie banner: When you first visit the Service, you will be presented with a cookie consent banner where you can accept or reject non-essential cookies.
  • Opt-out links: For specific analytics providers, you may use their individual opt-out mechanisms.

Note that disabling essential cookies may prevent you from using the Service.

11. Regional Supplements

11.1 GDPR Supplement (European Economic Area, United Kingdom, and Switzerland)

This supplement applies if you are located in the EEA, UK, or Switzerland.

Data Controller: Sionic AI Co., Ltd. 29, Nambusunhwan-ro 359-gil, Gangnam-gu, Seoul, Republic of Korea privacy@sionic.ai

Legal Bases for Processing:

Processing ActivityLegal BasisGDPR Article
Providing the Service and routing API requestsPerformance of contractArt. 6(1)(b)
Billing and payment processingPerformance of contractArt. 6(1)(b)
Security and fraud preventionLegitimate interestArt. 6(1)(f)
Service improvement (aggregated analytics)Legitimate interestArt. 6(1)(f)
Tax and financial record-keepingLegal obligationArt. 6(1)(c)
Marketing communicationsConsentArt. 6(1)(a)
Analytics cookiesConsentArt. 6(1)(a)

Legitimate Interest Assessment: Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.

Data Protection Officer: (to be provided) privacy@sionic.ai

Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

International Transfers: See Section 7. We use Standard Contractual Clauses (Module 2: Controller to Processor, and Module 3: Processor to Processor) for transfers to countries without an adequacy decision from the European Commission.

11.2 Korean PIPA Supplement

This supplement applies to the processing of personal information of individuals in the Republic of Korea.

Personal Information Processor: Sionic AI Co., Ltd. 29, Nambusunhwan-ro 359-gil, Gangnam-gu, Seoul, Republic of Korea

Chief Privacy Officer / CPO: Name: (to be provided) Title: (to be provided) Email: privacy@sionic.ai Phone: (to be provided)

Purpose of Processing:

  1. Service provision and account management
  2. Billing, payment processing, and tax compliance
  3. Customer support
  4. Security monitoring and fraud prevention
  5. Service improvement (using anonymized or aggregated data)

Provision to Third Parties: See Section 4 for the full list of third-party recipients, the purpose of provision, and the categories of data provided.

Cross-Border Transfers: Personal information may be transferred overseas as described in Section 7. Transfers are conducted with consent or under statutory exceptions permitted by PIPA, and recipients are contractually required to protect personal information to standards equivalent to those of PIPA.

Destruction of Personal Information: When personal information is no longer needed or the retention period has expired:

  • Electronic files: Permanently deleted using methods that render recovery impossible (e.g., secure erasure, cryptographic key destruction).
  • Physical records: Shredded or incinerated.
  • Timeline: We aim to complete destruction within a reasonable period after the retention period expires once an automated deletion process is in place, unless retention is required by other laws; destruction is currently carried out operationally on request or on review.

When the purpose of processing has been achieved but retention is required by law (e.g., tax records), the information is stored separately from active databases with restricted access.

Exercising Your Rights: You may exercise your rights under PIPA (access, rectification, deletion, suspension of processing) by contacting the Chief Privacy Officer at the email or phone number listed above. We will process your request within 10 days.

Automatic Collection Devices: See Section 10 (Cookie Policy). You may refuse cookies through your browser settings.

11.3 APPI Supplement

This supplement applies to the processing of personal information of individuals in Japan under the Act on the Protection of Personal Information (APPI).

Business Operator Handling Personal Information: Sionic AI Co., Ltd. 29, Nambusunhwan-ro 359-gil, Gangnam-gu, Seoul, Republic of Korea

Purpose of Use:

  1. Provision and operation of the OpenGateway service
  2. Account creation, authentication, and management
  3. Billing and payment processing
  4. Customer support and communication
  5. Security monitoring and fraud prevention
  6. Service improvement through aggregated usage analytics

Provision to Third Parties: We provide personal data to the third parties listed in Section 4 for the purposes described therein. Where required by the APPI, we obtain your consent prior to provision or rely on statutory exceptions (e.g., where provision is necessary for the performance of a contract).

Joint Use: We do not engage in joint use of personal information as defined under the APPI. Each third-party provider listed in Section 4 operates as an independent data handler under its own privacy policy.

Cross-Border Transfer:

RecipientCountryPurposeSafeguard
OpenAIUnited StatesLLM processingContractual measures equivalent to APPI
AnthropicUnited StatesLLM processingContractual measures equivalent to APPI
Google (Vertex AI)United States / customer-selected regionLLM processing and infrastructureAPPI adequacy framework (where applicable)
Microsoft (Azure OpenAI)Customer-selected Azure regionLLM processingContractual measures equivalent to APPI
xAIUnited States (regional endpoints available)LLM processingContractual measures equivalent to APPI
MiniMaxPeople's Republic of ChinaLLM processingContractual measures (provider's English policy materials are limited)
Moonshot AI (Kimi)People's Republic of ChinaLLM processingContractual measures (provider's English policy materials are limited)
DeepSeekPeople's Republic of ChinaLLM processing — provider's policy permits training on user inputContractual measures; user is advised not to send sensitive personal data
Z.AISingaporeLLM processingSingapore PDPA cross-border transfer requirements
Alibaba Cloud (DashScope / Model Studio)Singapore (ap-southeast-1)LLM processing — currently not enabled in production deploymentsSingapore PDPA cross-border transfer requirements
Sionic AI (first-party sionic-ai models)Sionic AI cloud infrastructure regionLLM inferenceOperated directly by the Sionic AI group; not a third-party transfer
PayPalUnited States (with global affiliates)Payment processingContractual measures equivalent to APPI
Auth0United StatesAuthenticationContractual measures equivalent to APPI
AWSUnited States / customer-selected regionInfrastructure hostingContractual measures equivalent to APPI
GCPUnited States / customer-selected regionInfrastructure hostingAPPI adequacy framework (where applicable)

We provide information on the personal information protection systems of the countries to which data is transferred upon request.

Requests for Disclosure: You may request disclosure, correction, deletion, or cessation of use of your personal information by contacting us at privacy@sionic.ai. We will respond within a reasonable period as required by the APPI. We may charge a reasonable fee for disclosure requests as permitted by law.

11.4 PIPL Supplement

This Supplement applies where the Personal Information Protection Law of the People's Republic of China, effective November 1, 2021 ("PIPL") applies to OpenGateway processing.

11.4.1 Direction 1 — Personal information sent to PRC-jurisdiction sub-processors (DeepSeek, Kimi, MiniMax)

OpenGateway may route requests to DeepSeek, Kimi, or MiniMax. For OpenGateway risk-classification purposes, these are treated as PRC-jurisdiction provider integrations involving data flows to China. Before enabling these providers, Sionic AI obtains separate, affirmative consent consistent with the disclosure standard reflected in PIPL Art. 39: recipient identity, contact details where available, processing purposes and methods, categories of personal information shared, and rights-exercise procedures.

The categories of personal information shared with these providers may include prompts, system or developer messages, uploaded files, tool inputs, model outputs returned through provider systems, request identifiers, timestamps, the selected model and provider, token counts, team and account identifiers, abuse-prevention signals, billing and usage metadata, and error data. Even when body logging is set to NONE, failure-path provider error metadata (error.metadata.raw) may retain provider raw error content that can echo prompt fragments, as further described in Section 2.4.

DeepSeek presents the highest training-use risk. DeepSeek's public privacy policy permits the use of user input to improve and train its models, with no public API opt-out identified at the time of writing. Kimi and MiniMax retention and training commitments specific to the OpenGateway routing relationship are treated as UNCLEAR unless and until confirmed in an executed DPA or route-specific policy; the providers' public English materials are service-specific and should not be relied on as a complete enterprise retention guarantee.

PRC government-access posture. PRC-jurisdiction providers may be subject to PRC cybersecurity, data-security, state-security, law-enforcement, and regulatory access obligations. This is a policy-risk disclosure, not legal advice on PRC law. Users should not route confidential, regulated, export-controlled, or sensitive personal information to PRC providers unless their organization has approved that transfer.

Opt-out. OpenGateway does not auto-route a team's traffic to DeepSeek, Kimi, or MiniMax unless that team has expressly enabled the provider or selected a routing policy that permits PRC providers. You may opt out at any time by disabling those providers from your team settings and using non-PRC providers, the Sionic-hosted sionic-ai integration.

11.4.2 Direction 2 — Users physically located in mainland China using OpenGateway to call non-China providers

Where users located in mainland China submit personal information through OpenGateway for routing to providers outside mainland China, OpenGateway may be treated as participating in an outbound PIPL transfer. PIPL Art. 38 requires one of the following transfer mechanisms: (a) Cyberspace Administration of China ("CAC") security assessment; (b) certification by a CAC-accredited body; (c) a PIPL standard contract filed with the CAC; or (d) another legally recognized mechanism.

The CAC Provisions on Promoting and Regulating Cross-Border Data Flows, issued March 22, 2024, apply volume- and category-based triggers. Security assessment is required for critical information infrastructure operators ("CIIOs") exporting personal information or important data, and for non-CIIO processors exporting important data, the personal information of at least 1,000,000 individuals in a calendar year, or the sensitive personal information of at least 10,000 individuals. A PIPL standard contract or certification is required for non-CIIO processors exporting at least 100,000 but fewer than 1,000,000 individuals' non-sensitive personal information, or fewer than 10,000 individuals' sensitive personal information, unless an exemption applies. Non-CIIO transfers below 100,000 individuals' non-sensitive personal information may be exempt from these mechanisms where no sensitive personal information or important data is involved.

Until Sionic AI completes the appropriate PIPL transfer mechanism, OpenGateway is not certified or contracted for outbound PIPL transfers from mainland China. Sionic AI restricts signup and routing from mainland China IP addresses and billing addresses, or — where access is permitted — provides a prominent disclosure that the appropriate PIPL transfer mechanism has not yet been completed.

Sensitive personal information (PIPL Art. 28). Sensitive personal information includes biometrics, religious belief, specific identity, medical health, financial accounts, precise whereabouts, and personal information of minors under 14. Such data requires a specific purpose, demonstrable necessity, strict protection measures, additional consent, and (where required) a personal information protection impact assessment.

Z.AI and DashScope. Z.AI is not within the scope of this PIPL Supplement. Z.AI's API is operated from Singapore under a separate DPA; transfers to Z.AI are addressed under Singapore PDPA cross-border transfer rules described in Section 7. Likewise, Alibaba Cloud DashScope (dashscope) is served from Alibaba Cloud's Singapore (ap-southeast-1) endpoint and is not within the scope of this PIPL Supplement; the dashscope provider is currently not enabled in production deployments.

11.4.3 Data Subject Rights under PIPL

Where PIPL applies, individuals may exercise rights under PIPL Arts. 44–50, including the right to know and decide about processing, restrict or refuse processing, access and copy personal information, request correction or completion, request deletion, withdraw consent, request explanation of processing rules, and request portability where the applicable conditions are met. Close relatives of a deceased individual may exercise relevant rights for legitimate and lawful interests unless the deceased arranged otherwise.

Requests may be submitted to privacy@sionic.ai. We may verify identity and team authority before acting on a request, especially where OpenGateway acts as Processor for a customer Controller.

11.4.4 PIPL contact and complaint mechanism

PIPL requests and complaints may be sent to privacy@sionic.ai or to the request form at PIPL request form. If Sionic AI is required to appoint a mainland China representative under PIPL Art. 53, the designated representative will be: (to be provided), (to be provided), (to be provided).

11.5 CCPA / CPRA Supplement (California Consumer Privacy Act + California Privacy Rights Act)

This Supplement applies to California residents whose personal information is processed by OpenGateway, in addition to the rest of this Policy. It is provided under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"), Cal. Civ. Code §§ 1798.100 et seq.

11.5.1 Categories of personal information collected (CCPA categories)

CCPA categoryExamples in OpenGatewaySourcePurposeDisclosed to third parties?
IdentifiersEmail, account ID, API key identifier, optional userId/sessionId you supplyYou; Auth0Account, billing, authentication, rate-limit, abuseSub-processors only (Section 4)
Commercial informationCredit purchases, usage, billing recordsYou; PayPalBilling, tax recordkeepingPayPal; tax authorities
Internet or other electronic activityIP address, browser, referring URL, dashboard pages visitedBrowser/HTTPSecurity, fraud prevention, analyticsSub-processors only
Geolocation data (approximate)Inferred from IPBrowser/HTTPSecurity, sanctions screeningSub-processors only
Professional / employment-related informationOptional team/role metadata you supplyYouTeam managementSub-processors only
InferencesAggregated usage patternsInternalService improvementAggregated/de-identified only
Sensitive personal informationAPI key (treated as a credential, not an SPI category; protected by access controls)YouAuthenticationNot shared as SPI

OpenGateway does not knowingly collect Social Security numbers, driver's license numbers, financial account numbers other than as needed for PayPal payment processing, biometric or genetic data, racial or ethnic origin, religious or philosophical beliefs, union membership, or precise geolocation (within 1,850 feet) as defined by CPRA. If you choose to send such data through OpenGateway as part of an API prompt, that content is governed by Section 2.4 (request body handling) and Section 4.1 (LLM provider routing).

11.5.2 Sale and Sharing of personal information

OpenGateway does not "sell" or "share" your personal information as those terms are defined under CCPA/CPRA. We do not exchange personal information for monetary or other valuable consideration, and we do not engage in cross-context behavioral advertising. The only third-party disclosures we make are to the sub-processors listed in Section 4 (LLM providers, payment processor, authentication provider, infrastructure providers), each of whom acts as a service provider under a written contract that limits their use of personal information to providing services on our behalf.

We honor the Global Privacy Control (GPC) signal as a valid opt-out preference signal. You may also submit an opt-out request via the link at Do Not Sell or Share My Personal Information page or by contacting privacy@sionic.ai.

11.5.3 Right to limit use of sensitive personal information

CPRA gives California consumers the right to limit a business's use of sensitive personal information to specified purposes. Because OpenGateway does not use sensitive personal information for any purpose other than providing the Service to you, this right does not currently affect our processing. If our processing changes, we will publish a corresponding "Limit the Use of My Sensitive Personal Information" link.

11.5.4 Consumer rights and how to exercise them

California residents have the following rights, exercisable by contacting us at privacy@sionic.ai:

  1. Right to know — request the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share.
  2. Right to delete — request deletion of personal information we have collected from you, subject to statutory exceptions (e.g., legal obligations, security, completion of a transaction).
  3. Right to correct — request correction of inaccurate personal information.
  4. Right to opt-out of sale or sharing — see Section 11.5.2.
  5. Right to limit use of sensitive personal information — see Section 11.5.3.
  6. Right to non-discrimination — we will not deny services, charge different prices, or provide different quality of services because you exercised your CCPA rights.
  7. Right to data portability — we will provide your personal information in a portable, readily usable format where technically feasible.
  8. Right to opt-out of automated decision-making — OpenGateway does not currently make automated decisions that produce legal or similarly significant effects about you. If that changes, an opt-out will be provided.

We will respond to verifiable requests within 45 days, with one 45-day extension if reasonably necessary and upon notice to you.

Authorized agents. You may designate an authorized agent to make a request on your behalf by providing the agent with written permission and verifying your identity directly with us, in accordance with 11 C.C.R. § 7063.

"Shine the Light" (Cal. Civ. Code § 1798.83). OpenGateway does not share personal information with third parties for those third parties' direct marketing purposes.

Notice at collection. This Privacy Policy, together with this Supplement, constitutes the notice at collection required by CCPA/CPRA.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make changes:

  • Material changes: We will notify you by email (to the address associated with your account) and by posting a prominent notice on the Service at least 30 days before the changes take effect.
  • Non-material changes: We will update the "Last Updated" date at the top of this Policy.

If you continue to use the Service after a material change takes effect, you acknowledge the updated Policy. If you do not agree with the changes, you may close your account before the effective date.

We encourage you to review this Policy periodically.

13. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

Sionic AI Co., Ltd. 29, Nambusunhwan-ro 359-gil, Gangnam-gu, Seoul, Republic of Korea

Privacy Inquiries: privacy@sionic.ai

Chief Privacy Officer: (to be provided) (to be provided) privacy@sionic.ai (to be provided)

Data Protection Officer (GDPR): (to be provided) privacy@sionic.ai

This Privacy Policy is provided in English. In the event of a conflict between translated versions, the English version shall prevail, except where local law requires that the local-language version takes precedence.