Privacy Policy

Last updated: March 17, 2026

1. Overview

OpusMax ("the Service", "we", "us", "our") is an API gateway that provides managed access to AI language models. This Privacy Policy explains what data we collect, what we do not collect, and how we handle information that passes through our Service.

The short version: We do not store your prompts, messages, or AI responses. We only track minimal usage metadata to enforce limits and provide usage dashboards.

2. What We Do NOT Collect

We want to be explicit about what we do not store or log:

  • Prompt content — The text of your messages, instructions, and system prompts is never stored. It passes through our servers in transit and is immediately discarded after forwarding.
  • AI responses — Model outputs (text, code, analysis) are streamed through to you and not retained.
  • Images and files — Any images, documents, or files included in your API requests are forwarded to the upstream model and not stored by us.
  • Conversation history — We do not maintain any record of your conversations or message threads.
  • Personal information — We do not collect names, email addresses, IP addresses, browser fingerprints, or any other personally identifiable information from API users.
  • Cookies or tracking — The API does not set cookies or use any tracking mechanisms. The website uses no analytics or third-party tracking scripts.

3. What We DO Collect

We store the minimum metadata required to enforce usage limits and provide usage dashboards:

  • Token counts — The number of input and output tokens per request. This is used to enforce per-key token budgets.
  • Timestamps — When each request was made. This is used for rolling window calculations and usage history.
  • Model name — Which model was requested (e.g., "claude-sonnet-4-6"). No actual model output is stored.
  • HTTP status code — Whether the request succeeded (200) or failed (400, 500, etc.).
  • Response latency — How long the upstream model took to respond, in milliseconds.
  • API key identifier — Which key made the request, for per-key usage tracking. The full key value is hashed and never stored in plain text in logs.

This metadata is strictly operational. It contains no content from your requests or responses and cannot be used to reconstruct your conversations.

4. How Data Flows Through the Service

When you make an API request:

  1. Your request arrives at our API gateway over HTTPS (encrypted in transit).
  2. We validate your API key and check usage limits.
  3. The request is forwarded to the upstream AI model provider over HTTPS.
  4. The response is streamed back to you in real time.
  5. We record only the metadata listed in Section 3 (token counts, timestamp, model, status, latency).
  6. The request and response content is discarded — it exists only in memory during transit.

At no point is your request or response content written to disk, logged to a file, or stored in a database.

5. API Key Data

API keys are stored in our database to authenticate requests. Each key has associated configuration (name, rate limits, token budgets, expiration date) set by your administrator. We store a prefix of each key for display purposes (e.g., "sk-ant-...") and the full key in hashed form for authentication. Key usage metadata (total tokens used, window usage, last used timestamp) is updated with each request.

6. Data Retention

  • Request/response content — Not retained. Zero retention period.
  • Usage metadata — Retained for as long as the API key exists. When a key is deleted by an administrator, all associated usage logs are permanently deleted.
  • API key records — Retained until deleted by an administrator.

7. Third-Party Services

Your API requests are forwarded to upstream AI model providers to generate responses. These providers have their own privacy policies and data handling practices. We do not control how upstream providers handle your data once it leaves our servers. We recommend reviewing the privacy policies of the model providers whose services you use through OpusMax.

8. Security

  • All communication with the Service is encrypted using HTTPS/TLS.
  • API keys are validated on every request.
  • Rate limiting and token budgets protect against abuse.
  • No request or response content is written to persistent storage.
  • Database access is restricted and credentials are securely managed.

9. Children's Privacy

The Service is not directed at children under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has used the Service, please contact your administrator.

10. Your Rights

Since we collect minimal data and no personal information from API users:

  • Access — You can view your usage data through the Check Usage page at any time using your API key.
  • Deletion — Contact your administrator to delete your API key and all associated usage data.
  • Portability — Usage data visible on the Check Usage page represents all data we hold about your key.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes take effect when posted on this page. We encourage you to review this page periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy or how we handle data, please contact your administrator or the OpusMax team through the appropriate support channels.