PRIVACY POLICY

This Policy applies to all individuals who access, browse, or use the Services in any capacity, including, without limitation, registered users, visitors, API consumers, and any other person interacting with our platform (collectively, “Users” or “you”). By accessing or using the Services, you expressly acknowledge that you have read, understood, and agree to be bound by this Policy in its entirety. If you do not agree with any part of this Policy, you must immediately cease all access to and use of the Services.

This Policy is incorporated by reference into, and constitutes an integral part of, the frogAPI Terms of Service. In the event of any conflict or inconsistency between this Policy and the Terms of Service, this Policy shall govern with respect to matters relating to the collection, processing, and protection of Personal Data, and the Terms of Service shall govern with respect to all other matters.

2.1 Information You Provide Directly

When you create an account, subscribe to our Services, communicate with our support team, or otherwise interact with the Services, we may collect the following categories of Personal Data:

• Account Registration Data: email address, username, hashed password credentials, and, where applicable, OAuth authentication tokens provided through third-party identity providers (e.g., GitHub).
• Billing and Financial Data: payment method details (processed exclusively through PCI-DSS compliant third-party payment processors; frogAPI does not store full credit card numbers, CVVs, or complete payment card data on its own servers), billing address, transaction history, and invoicing records.
• Communications Data: information contained in correspondence, support tickets, feedback submissions, and any other communications you direct to us.

2.2 Information Collected Automatically

When you access or use the Services, certain technical and usage data is collected automatically through server logs, analytics tools, and similar technologies:

• Log and Device Data: IP address, browser type and version, operating system, device identifiers, referring/exit URLs, date and time of access, pages viewed, and clickstream data.
• API Usage Metrics: API key identifiers (not the keys themselves in plaintext), model identifiers invoked, request and response timestamps, token counts (input and output), HTTP status codes, request latency, and rate limit status.
• Cookie and Tracking Data: cookies, web beacons, pixel tags, and similar tracking technologies as described more fully in Section 7 of this Policy.

2.3 Information We Do NOT Collect

frogAPI is committed to user privacy and explicitly does not collect, log, store, or retain:

• The content of prompts or messages sent through the API (“Prompt Data”). All prompts are transmitted directly to the upstream model provider and are not intercepted, cached, or logged by frogAPI infrastructure.
• The content of model responses (“Response Data”). Responses are streamed or relayed directly from the upstream provider to the User.
• Any biometric information, genetic data, or sensitive categories of Personal Data as defined under applicable data protection laws.

We process your Personal Data on the following legal bases, as applicable under the EU General Data Protection Regulation (“GDPR”), UK GDPR, California Consumer Privacy Act (“CCPA”), and other applicable data protection legislation:

• Performance of a Contract (Article 6(1)(b) GDPR): Processing is necessary for the performance of the contract between you and frogAPI, including but not limited to account creation, authentication, billing, provision of API access, and customer support.
• Legitimate Interests (Article 6(1)(f) GDPR): Processing is necessary for our legitimate interests, including fraud prevention, security monitoring, service improvement, analytics, and enforcement of our Terms of Service, provided that such interests do not override your fundamental rights and freedoms.
• Consent (Article 6(1)(a) GDPR): Where we rely on your consent, you have the right to withdraw such consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
• Legal Obligation (Article 6(1)(c) GDPR): Processing may be necessary to comply with legal obligations to which frogAPI is subject, including tax reporting, regulatory inquiries, and lawful data preservation orders.

We use the information collected for the following purposes:

• To provide, operate, maintain, and improve the Services, including processing API requests, managing user accounts, and processing payments.
• To authenticate users and enforce access controls, including API key validation and rate limit enforcement.
• To detect, investigate, and prevent fraudulent, unauthorized, or illegal activity, including abuse of the Services, credential stuffing, and denial-of-service attacks.
• To communicate with you regarding Service updates, security alerts, technical notices, support-related inquiries, and, where consented, marketing communications.
• To perform internal analytics and statistical analysis to monitor service performance, capacity planning, and business intelligence.
• To comply with applicable law, regulation, legal process, or enforceable governmental request, including, without limitation, responding to subpoenas, court orders, or other legal process.
• To enforce our Terms of Service, Acceptable Use Policy, and other contractual obligations.
• To exercise or defend legal claims, rights, or interests of frogAPI.

We may disclose your Personal Data to the following categories of third parties, under the circumstances described:

• Upstream AI Model Providers: API requests containing model identifiers and token metadata are transmitted to upstream providers (including, but not limited to, OpenAI, DeepSeek, Mistral, and Meta) for the purpose of processing your requests. As stated in Section 2.3, frogAPI does not transmit or disclose the content of your prompts or responses to any third party; such content is routed directly between your client and the upstream provider through our gateway infrastructure.
• Payment Processors: Billing and payment data is processed by PCI-DSS compliant third-party payment processors (e.g., Stripe). frogAPI does not access, store, or retain full payment card details.
• Infrastructure Providers: We use third-party cloud hosting, content delivery, and infrastructure services to operate and maintain the Services. These providers may process data on our behalf pursuant to appropriate data processing agreements.
• Law Enforcement and Regulatory Bodies: We may disclose Personal Data when required by law, subpoena, court order, or regulatory request, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of frogAPI, our users, or the public.
• Business Transfers: In connection with any merger, acquisition, reorganization, asset sale, or similar transaction, Personal Data may be transferred to the acquiring or successor entity, subject to this Policy.
• Professional Advisors: We may share Personal Data with our legal counsel, accountants, auditors, and other professional advisors in connection with the provision of their advisory services.

frogAPI does not sell, rent, lease, or otherwise commercially distribute your Personal Data to third parties for their independent marketing purposes.

frogAPI operates globally and may transfer and process Personal Data in jurisdictions other than the country in which you reside. Where Personal Data is transferred from the European Economic Area (“EEA”), United Kingdom, or Switzerland to a country that does not provide an adequate level of data protection as determined by the European Commission, we will implement appropriate safeguards, including but not limited to:

• Standard Contractual Clauses (“SCCs”) approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
• Binding Corporate Rules where applicable.
• Derogations for specific situations under Article 49 GDPR where no other safeguard is available.

By using the Services, you acknowledge and consent to the transfer and processing of your Personal Data in jurisdictions outside your country of residence, subject to the safeguards described herein.

frogAPI uses cookies and similar tracking technologies to operate the Services. Cookies are small text files stored on your device by your web browser. We use the following categories of cookies:

• Strictly Necessary Cookies: Essential for the operation of the Services, including user authentication, session management, and security protections. These cookies cannot be disabled without impairing core functionality.
• Analytical/Performance Cookies: Used to collect anonymized and aggregated data about how Users interact with the Services, allowing us to improve user experience and service performance.

We do not use advertising, targeting, or behavioral tracking cookies. You may manage cookie preferences through your browser settings; however, disabling strictly necessary cookies may result in degraded functionality or inability to access certain features of the Services.

We retain Personal Data only for as long as is necessary to fulfill the purposes for which it was collected, as described in this Policy, unless a longer retention period is required or permitted by applicable law. Specific retention periods are as follows:

• Account Data: Retained for the duration of your active account and for a period of thirty (30) days following account deletion to facilitate account recovery, after which it is permanently deleted.
• Billing and Transaction Records: Retained for a minimum of seven (7) years to comply with tax, accounting, and financial reporting obligations under applicable law.
• API Usage Logs: Retained for a period of ninety (90) days for operational monitoring and debugging purposes, after which they are aggregated and anonymized.
• Server Logs: Retained for a maximum of thirty (30) days and automatically purged thereafter.

Upon the expiration of the applicable retention period, Personal Data is securely deleted or irreversibly anonymized such that it can no longer be used to identify an individual.

frogAPI implements commercially reasonable and industry-standard technical and organizational measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of sensitive data at rest using AES-256 or equivalent.
• Secure hashing of passwords using bcrypt with appropriate salt rounds.
• Regular security audits, vulnerability assessments, and penetration testing.
• Role-based access controls and least-privilege access principles for internal systems.
• Automated monitoring, intrusion detection, and anomaly alerting systems.

Notwithstanding the foregoing, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security and shall not be liable for any unauthorized access or breach resulting from circumstances beyond our reasonable control.

Depending on your jurisdiction, you may have the following rights with respect to your Personal Data:

• Right of Access: You may request confirmation of whether we process your Personal Data and access to a copy thereof.
• Right of Rectification: You may request correction of inaccurate or incomplete Personal Data.
• Right of Erasure (“Right to Be Forgotten”): You may request deletion of your Personal Data, subject to certain exceptions (e.g., legal retention obligations).
• Right to Restrict Processing: You may request that we restrict the processing of your Personal Data under certain circumstances.
• Right to Data Portability: You may request to receive your Personal Data in a structured, commonly used, and machine-readable format.
• Right to Object: You may object to the processing of your Personal Data based on legitimate interests or direct marketing.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.
• Right to Non-Discrimination (CCPA): We will not discriminate against you for exercising your privacy rights.

To exercise any of the above rights, please contact us at ch@vnsh.in. We will respond to verifiable requests within the timeframes required by applicable law (typically thirty (30) calendar days, subject to extension where permitted).

The Services are not directed to individuals under the age of sixteen (16) years, or the applicable age of digital consent in your jurisdiction. We do not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected Personal Data from a child without appropriate parental consent, we will take immediate steps to delete such information. If you believe that a child has provided us with Personal Data, please contact us at ch@vnsh.in.

frogAPI reserves the right to modify, amend, or update this Policy at any time in its sole discretion. Any material changes will be communicated by posting the revised Policy on the Services with an updated “Last Updated” date. Where required by applicable law, we will notify you of material changes via email or through a prominent notice on the Services. Your continued use of the Services following the posting of the revised Policy constitutes your acceptance of and agreement to be bound by the revised Policy. If you do not agree to the revised Policy, you must discontinue your use of the Services.

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

If you are a resident of the European Economic Area and believe that we have not adequately resolved any privacy concerns, you have the right to lodge a complaint with your local supervisory authority.