Privacy Policy
Last updated: February 5, 2026
Version: 3.0
138data (“we,” “our,” or “us”) establishes this Privacy Policy (“Policy”) regarding how we handle personal information in connection with the AI API gateway service “qzira” (“Service”). Please read this Policy carefully before using the Service.
Article 1 (Information We Collect)
1-1. Account Information
When you register for the Service, we obtain the following information via Google OAuth:
- Email address
- Display name (from your Google account)
- Profile picture URL
* Your Google account password is never shared with us.
1-2. Service Usage Data
To operate and improve the Service, we record the following metadata:
- API request timestamps
- AI model name used
- Request/response token counts
- Response time
- Status codes (success/error)
- Subscription plan and billing information
1-3. Access Information
For security management purposes, we may record:
- IP address (for rate limiting and fraud detection)
- User agent (browser/client type)
- Login/logout timestamps
1-4. Information We Do NOT Collect
The following information is NOT persistently stored on our servers:
- Prompts (input content): Relayed to AI providers only
- AI response content: Relayed to users only
- BYOK key plaintext: Stored encrypted; plaintext is never retained
Article 2 (Purposes of Use)
Collected information is used solely for the following purposes:
- Providing, operating, and maintaining the Service
- Authenticating and managing user accounts
- Measuring usage and processing billing
- Operating safety features such as budget alerts and auto-stop
- Improving the Service and developing new features
- Investigating and responding to security incidents
- Sending important notices to users (service changes, security alerts, etc.)
- No machine learning use: We do not use collected data for training AI models. We do not operate any AI models, and our architecture makes such use technically impossible.
Article 3 (Sharing with Third Parties)
We do not share your personal information with third parties except in the following cases:
- Payment processing: We share information necessary for billing with Stripe, Inc.
- Authentication: Supabase processes information required for authentication.
- Data transfer to AI providers: Your API requests (metadata) are sent to the AI provider you specify. Each AI provider's privacy policy also applies.
- OpenAI: https://openai.com/policies/privacy-policy
- Anthropic: https://www.anthropic.com/privacy
- Google AI: https://policies.google.com/privacy
- Legal requirements: When disclosure is required by applicable law.
- With your consent: When you have explicitly consented.
Article 4 (International Data Transfers)
- The Service uses Cloudflare's global infrastructure, and your data may be processed or stored on servers outside Japan.
- We endeavor to implement appropriate security measures for international data transfers.
- Data transferred to AI providers is processed at each provider's server locations (primarily the United States).
Article 5 (Data Storage & Security)
- User data is stored on Cloudflare's global infrastructure.
- BYOK keys are stored encrypted; plaintext is never retained.
- All communications are encrypted via HTTPS/TLS.
- We implement appropriate security measures including access control and audit logging.
Article 6 (Security Incident Notification)
- In the event of a security incident such as leakage, loss, or damage of personal information, we will promptly confirm the facts and endeavor to notify affected users without delay.
- In the event of a serious security incident, we will report to the relevant supervisory authority in accordance with the Act on the Protection of Personal Information and other applicable laws.
Article 7 (Data Retention Periods)
| Data Type | Retention Period |
|---|---|
| Account information | Deleted within 30 days of account deletion request |
| Usage data | During account lifetime and 90 days after cancellation |
| Billing history | As required by law (up to 7 years) |
| Security logs | 90 days |
| Access logs (IP addresses, etc.) | 30 days |
Article 8 (Your Rights)
You have the following rights:
- Right of access: You may request disclosure of the data we hold about you.
- Right of rectification: You may request correction of inaccurate data.
- Right of erasure: You may request account deletion and data erasure.
- Right to object: You may object to how your data is used.
- Right to portability: You may request your data in a machine-readable format.
To exercise these rights, please contact us at https://138io.com/contact.
Article 9 (Use of Cookies)
The Service uses cookies necessary to maintain authentication sessions. We do not use marketing or tracking cookies.
Article 10 (Minors)
The Service is not intended for users under 18 years of age. If we become aware that a user under 18 has registered, we will delete that account.
Article 11 (Users Outside Japan)
- The Service complies with Japan's Act on the Protection of Personal Information (APPI).
- Users in the EU or UK may have rights under the GDPR (right of access, erasure, portability, etc.). Please contact us if this applies to you.
- Users in California may have rights under the CCPA (California Consumer Privacy Act).
Article 12 (Changes to This Policy)
We may update this Policy from time to time. Changes will be published on the Service, and we will provide advance notice of material changes. Continued use of the Service after changes take effect constitutes your acceptance of the revised Policy.
Article 13 (Contact)
For inquiries regarding this Policy, please contact us at:
- Business name: 138data
- Contact: https://138io.com/contact
- Website: https://qzira.com
This Policy is effective as of February 5, 2026.