EUrouter

Privacy Policy

Last updated: February 2026

1. Introduction

EUrouter ("we", "our", "us") is committed to protecting your privacy and ensuring GDPR compliance. This Privacy Policy explains how we collect, use, and safeguard your personal data when you use our services.

2. Data Controller

EUrouter is the data controller responsible for your personal data. We are based in the Netherlands and operate exclusively within the European Union. For any data protection inquiries, you can reach our Data Protection Officer at privacy@eurouter.ai.

3. Data We Collect

We collect the following categories of data:

  • Account information: Email address, name, and authentication credentials when you create an account.
  • Usage data: API request metadata (timestamps, model selection, token counts) for billing and analytics purposes.
  • Payment information: Processed securely through our payment provider (Mollie). We do not store credit card details.
  • Technical data: IP addresses, browser type, and device information collected automatically for security and abuse prevention purposes.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 of the GDPR:

  • Contractual necessity (Art. 6(1)(b)): Processing necessary to provide our API service, manage your account, and fulfill billing obligations.
  • Legitimate interest (Art. 6(1)(f)): Processing for security monitoring, fraud prevention, service improvement, and abuse detection.
  • Legal obligation (Art. 6(1)(c)): Processing required to comply with tax, accounting, and other regulatory requirements.
  • Consent (Art. 6(1)(a)): Where applicable, for optional marketing communications. You may withdraw consent at any time.

5. Data Residency

All data is processed and stored exclusively within the European Union. We do not transfer personal data outside the EU/EEA. Our infrastructure is hosted in EU data centers to ensure full compliance with GDPR requirements.

6. Data Retention

By default, we practice zero data retention for API request and response bodies. The content of your AI requests and responses is never stored by EUrouter. We retain only the minimal metadata required for billing and service operation, including timestamps, model identifiers, and token counts.

Account data is retained for the duration of your account and deleted within 30 days of account closure, except where retention is required by law (e.g., billing records for tax purposes). You can control retention and redaction policies per API key in your dashboard.

7. Cookies and Tracking

EUrouter takes a privacy-first approach to analytics. We use Simple Analytics, a privacy-friendly analytics service that does not use cookies and does not track individual users. No personal data is collected through our analytics.

We use only essential cookies required for authentication and session management. These cookies are strictly necessary for the operation of our service and do not require consent under the ePrivacy Directive. We do not use any third-party advertising or tracking cookies.

8. Sub-processors

We use the following sub-processors to deliver our service. All sub-processors are based in the European Union:

  • Scaleway (France, EU): Cloud infrastructure hosting for all EUrouter services and data storage.
  • Mollie (Netherlands, EU): Payment processing for subscriptions and credit purchases.

When you use EUrouter to access AI models, your API request content is routed to the AI model provider you select. EUrouter acts as a gateway and does not retain request or response content. The processing of your request content by the AI model provider is governed by that provider's own terms and privacy policy. You can review which providers are available on our providers page.

9. International Transfers

EUrouter does not transfer personal data outside the European Economic Area (EEA). All our sub-processors operate within the EU. Our commitment to EU-only data processing is a core part of our service and is maintained at all times.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, regular security assessments, and incident response procedures. API keys are stored using one-way cryptographic hashes and cannot be retrieved in plain text.

11. Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, as required by Article 34.

12. Your Rights

Under the GDPR, you have the right to:

  • Access (Art. 15): Request a copy of the personal data we hold about you.
  • Rectification (Art. 16): Request correction of inaccurate personal data.
  • Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Restriction (Art. 18): Request restriction of processing of your personal data.
  • Data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Objection (Art. 21): Object to processing based on legitimate interest.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at privacy@eurouter.ai. We will respond to your request within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.

13. Children's Privacy

Our service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.

14. Data Processing Agreement

Enterprise customers who require a Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR can request one by contacting us at legal@eurouter.ai.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes via email or through the service. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of our service after changes constitutes acceptance of the updated policy.

16. Contact

For any privacy-related questions or requests, contact our Data Protection Officer at privacy@eurouter.ai. For general legal inquiries, contact legal@eurouter.ai.

Privacy Policy | EUrouter