Privacy Policy
Last updated: February 14, 2026
1. Overview
CachePilot is operated by CLC Labs ("we," "us," or "our"). This Privacy Policy explains what data we collect, how we use it, and your rights. CachePilot is designed with a privacy-first architecture — we never store, log, or inspect your prompt content or model responses.
2. What We Collect
Account information:
- Email address (used for authentication and account recovery).
- Authentication tokens managed by Supabase Auth.
Content-free telemetry:
- Token counts (input, output, cached, uncached, reasoning tokens).
- Latency metrics (end-to-end, upstream API, proxy overhead).
- Model identifier (e.g., "gpt-4o", "o3-mini").
- HTTP status codes and error codes.
- Policy governance metadata (policy version, policy hash, skills hash).
- Cryptographic hashes of system prompts, tool schemas, and tool configurations (SHA-256, truncated). These are one-way hashes — the original content cannot be recovered.
- Drift detection events (hash comparisons only, no content).
- Cache source indicators ("upstream," "proxy," or "engine").
3. What We Do NOT Collect
- Prompt text, completion text, or any user-generated content.
- Tool call arguments or tool outputs.
- File contents, images, or attachments.
- Your OpenAI API key (passed through in-memory only, never stored).
- IP addresses or device fingerprints beyond standard server logs.
4. How We Use Your Data
- Authentication: To verify your identity and manage account access.
- Dashboard analytics: To display usage metrics, cache performance, and governance data.
- Policy enforcement: To apply your configured policies to proxied requests.
- Drift detection: To compare live request hashes against your pinned golden runs.
- Billing: To track usage for paid plan features (via Stripe).
5. API Key Handling (BYOK)
CachePilot uses a Bring Your Own Key model. Your OpenAI API key is included in each request's Authorization header and forwarded directly to OpenAI. The key exists only in memory during request processing and is never written to disk, logged, or stored. Your CachePilot project key is stored as a one-way SHA-256 hash — the raw key is shown once at creation and cannot be retrieved afterward.
6. Third-Party Services
- OpenAI: Your requests are forwarded to OpenAI's API. OpenAI's own privacy policy governs its handling of your data.
- Supabase: Authentication and session management.
- Stripe: Payment processing for paid plans. We do not store credit card details.
- Neon (Postgres): Database hosting for telemetry and account data.
- Vercel: Dashboard hosting and serverless function execution.
7. Data Retention
Telemetry data is retained for the duration of your account. You may request deletion of your account and associated data by contacting us. Upon deletion, all telemetry records, project configurations, and policy history are permanently removed.
8. Data Security
We use industry-standard security measures including encrypted connections (TLS), hashed API keys, role-based access controls, and audit logging of administrative actions. Our proxy infrastructure is hosted on DigitalOcean behind Caddy with automatic HTTPS. The dashboard is deployed on Vercel.
9. Your Rights
- Access: Request a copy of the data we hold about you.
- Deletion: Request deletion of your account and associated data.
- Correction: Request correction of inaccurate account information.
- Portability: Request your telemetry data in a machine-readable format.
To exercise any of these rights, contact us at support@clclabs.ai.
10. Cookies
We use essential cookies only — specifically, a Supabase session cookie for authentication. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the dashboard. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related questions or requests, contact us at support@clclabs.ai.