Privacy Policy
We collect what we need to bill you and stop abuse. We do not train on your prompts. We do not log your prompt or completion content unless we are investigating a specific abuse report. Details below.
§ 01 Who we are
The data controller is DLabs SpA, a Chilean Sociedad por Acciones, operating the Kataleptic inference API at api.kataleptic.com and the website at kataleptic.com. Payments are handled by Dodo Payments acting as Merchant of Record; Dodo is an independent data controller for payment-card data and billing information. Contact us: [email protected].
§ 02 What we collect
At signup
Email address. Optional name and use-case description if you provide them.
Per API request
For each call to the API we record:
- your API key ID (so we can bill you and identify abuse)
- the model you used and the timestamp
- prompt token count and completion token count
- request duration and HTTP status code
- your IP address (briefly, for rate-limiting and DDoS protection)
We do not record the text of your prompts or the model's responses by default. Content is held in transient memory only as long as needed to serve the request.
Operational logs
Web traffic is logged at the edge by Cloudflare (our CDN) and at our origin. These logs include IP address, user-agent, URL path, and HTTP status. They are retained for 14 days for security and operational debugging, then deleted.
§ 03 Why we use it
We use the data above to:
- provide the service (route your request, return a response);
- bill correctly (deduct credit, show usage in your account);
- detect and stop abuse, fraud, or attacks on the service;
- send you transactional email (welcome message with your API key, billing receipts, security notices);
- comply with our legal obligations.
Legal bases under GDPR: performance of the contract you entered into with us (Art. 6(1)(b)), our legitimate interests in operating a secure service (Art. 6(1)(f)), and legal obligation where applicable (Art. 6(1)(c)). We do not rely on consent for these basic purposes; you provide the data when you sign up and use the API.
§ 04 Training, retention, and deletion
We do not train any AI model on your traffic. Not on prompts, not on completions, not on embeddings, not on metadata.
Upstream providers (Microsoft Azure AI Foundry, Microsoft Azure OpenAI) are bound by enterprise-tier contracts that exclude training on customer data. Their data-processing terms apply to traffic routed through them.
Retention:
- Account email and metadata: kept while your account is active and for 90 days after deletion (for billing and refund disputes), then erased.
- Per-request usage events (model, tokens, timestamp): kept for 12 months for billing and tax compliance, then erased.
- Prompt and completion content: not retained.
- Edge access logs: 14 days, then erased.
You can delete your account by emailing [email protected]. We will confirm deletion within 30 days.
§ 05 Who we share it with
We share the minimum data necessary with these processors, each under a Data Processing Agreement:
- Microsoft Corporation (Azure AI Foundry, Azure OpenAI) — receives your prompt and returns a completion. EU/US, governed by Microsoft's Online Services Terms and Data Processing Addendum. We use enterprise tiers with no-training contractual terms.
- Cloudflare, Inc. — TLS termination, CDN, DDoS protection. EU/US, governed by Cloudflare's DPA.
- Zoho Corporation (ZeptoMail) — sends transactional email. EU servers (zeptomail.eu) by default.
- Dodo Payments — Merchant of Record for billing and payments. Receives your name, email, billing address, and payment-card details when you top up. Dodo handles VAT/sales-tax compliance globally.
Future processors will be added here with at least 14 days' notice before they receive any data.
We do not sell, rent, or share your data with advertisers, data brokers, or analytics providers.
§ 06 Cookies and local storage
The marketing site (kataleptic.com) sets no cookies of its own. Cloudflare may set a single security cookie (__cf_bm) to distinguish humans from bots — this is strictly necessary for the service to function and does not require consent under EU law.
The Playground and Account pages use browser localStorage (not cookies) to remember your API key on the same device. This is local to your browser and never transmitted to our servers as a cookie. You can clear it by clicking "Forget key" or by clearing your browser storage.
§ 07 Your GDPR rights
If you are in the EU, EEA, UK, or Switzerland, you have the right to:
- Access the data we hold about you;
- Rectify incorrect data;
- Erase your data ("right to be forgotten");
- Restrict or object to processing;
- Port your data to another provider in machine-readable form;
- Withdraw consent where consent was the legal basis;
- Lodge a complaint with your data-protection authority. EU/EEA users may complain to their national DPA. Chilean users may contact the Consejo para la Transparencia or the relevant authority.
Email [email protected] with your request. We respond within 30 days.
§ 08 Security
Connections are encrypted with TLS 1.2 or higher. API keys are stored hashed (Argon2id) — we cannot recover a lost key, only issue a new one. Operational secrets (database passwords, upstream API tokens) are kept in encrypted secret stores and never committed to source control.
If we ever discover a breach affecting your data, we will notify you within 72 hours of becoming aware, as required by GDPR.
§ 09 Children
The service is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, write to us and we will delete the account.
§ 10 Changes to this policy
We will email you about material changes at least 14 days before they take effect. The effective date at the top of this page is updated whenever the policy changes.
Effective 2026-04-22 · Version 1.0 · [email protected]