Privacy Policy
Last updated: 1 July 2026
This Privacy Policy explains how Ourcelium (“we”, “us”) collects, uses, and shares personal data when you use our website, VS Code extension, CLI, and API gateway (the “Service”). The data controller is the provider identified in the Impressum. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable law.
1. Data we collect
- Account data — your email address and authentication identifiers, provided by you or by your chosen sign-in provider (email, GitHub, or Google).
- API key — we generate an API key linked to your account; we store only a cryptographic hash of it.
- Usage metadata — per request we record token counts, the model used, timestamps, and status. We do not store the content of your prompts, code, or the AI’s responses.
- Billing data — if you subscribe or buy tokens, our payment processor (Stripe) handles your payment details. We receive your customer and subscription identifiers and billing status, not your full card number.
- Technical data — IP address and basic request metadata processed transiently for security, rate limiting, and operating the Service.
2. How your prompts and code are handled
To generate responses, the content you submit (“Input”) is transmitted through our gateway to a third-party model provider (currently Together.ai) for processing. We do not retain the content of your Input or the generated Output on our systems — only the usage metadata described above. The model provider processes your Input under its own terms and privacy policy.
3. Why we process your data and legal bases
- To provide the Service (account creation, authentication, inference, usage tracking) — performance of a contract (Art. 6(1)(b) GDPR).
- To process payments and prevent fraud — contract and legal obligation (Art. 6(1)(b), (c) GDPR).
- To secure and improve the Service (rate limiting, abuse detection, aggregate metrics) — our legitimate interests (Art. 6(1)(f) GDPR).
- To comply with legal obligations such as tax and accounting record-keeping — legal obligation (Art. 6(1)(c) GDPR).
4. Sub-processors and third parties
We share personal data only with service providers that process it on our behalf:
- Supabase — authentication and database hosting.
- Together.ai — large language model inference (processes your Input).
- Stripe — payment processing.
- Railway — gateway/API hosting.
- Netlify — website hosting.
- GitHub / Google — optional sign-in providers, if you choose them.
We do not sell your personal data. Some providers are located outside the European Economic Area; where that is the case, transfers are safeguarded by mechanisms such as the EU Standard Contractual Clauses or an adequacy decision.
5. Retention
We keep account and usage metadata for as long as your account is active and as needed to operate the Service. Billing records are retained as required by applicable tax and accounting law. When you delete your account, we delete or anonymise your personal data except where we must retain it to meet a legal obligation.
6. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request erasure (“right to be forgotten”);
- restrict or object to certain processing;
- data portability;
- withdraw consent where processing is based on consent;
- lodge a complaint with your local data protection authority.
To exercise any of these rights, contact privacy@ourcelium.dev.
7. Cookies
We use only strictly necessary cookies to keep you signed in and to operate the Service. We do not use advertising or third-party tracking cookies.
8. Security
We use industry-standard measures to protect your data, including hashing of API keys and encrypted transport (HTTPS). No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
9. Children
The Service is not directed to children and is intended for users 18 and older.
10. Changes
We may update this Policy from time to time. Material changes will be reflected by the “Last updated” date above and, where appropriate, communicated to you.
11. Contact
Data protection enquiries: privacy@ourcelium.dev. Full provider details are in the Impressum.