Privacy Policy
Last updated: February 18, 2026
What We Collect
- Account information: Email address and display name (via Google or GitHub OAuth).
- Payment information: Processed by Stripe. We never store card numbers, CVVs, or bank details.
- Usage metadata: Model identifier, input and output token counts, request timestamp, credit cost, latency, and stream status — for billing and usage reporting. We do not log, store, or retain any part of request or response content. Body logging is disabled by default at the infrastructure level.
- Session data: Hashed session tokens for authentication. No tracking cookies.
Request Content
OneKey operates as a stateless API proxy. The content of your API requests — prompts, messages, system instructions, function calls, images, and file attachments — and responses (model outputs) passes through our routing layer in memory only, for the sole purpose of forwarding to the selected AI provider.
Request and response content is never written to disk, database, log file, or any persistent storage in normal operation. Body logging is disabled by default at the infrastructure level. The metadata logging schema stores only billing metadata (model identifiers, token ratios, cost calculations) — not request or response payloads.
Data Flow Specifics
Usage metadata retained for up to 90 days for billing verification includes:
- Timestamp of the request
- Model identifier (e.g., claude-sonnet-4-5-20250929)
- Input token count
- Output token count
- Credit cost
- User ID
- Request latency
- Whether the request was streamed
This metadata does not include any part of the request or response payload. It exists solely for billing accuracy and usage reporting.
How We Use Your Data
- Authenticate your account and manage sessions.
- Process payments and maintain your credit balance.
- Route API requests to the appropriate AI provider.
- Track usage for billing accuracy.
- Send transactional emails (magic links, payment receipts).
What We Don't Do
- We do not sell, rent, or share your personal data with third parties for marketing.
- We do not read, store, or log the content of your API requests or responses.
- We do not use your data to train AI models.
Third-Party Services (Subprocessors)
We use the following third-party services to operate OneKey:
| Service | Purpose | Data Shared | Policy |
|---|---|---|---|
| Stripe | Payment processing | Email, payment amount, card details (handled by Stripe, never stored by OneKey) | Privacy |
| Cloudflare | CDN, DDoS protection, tunnel routing | IP address, request metadata (standard CDN operation) | Privacy |
| MongoDB Atlas | Account data storage | User accounts, billing transactions, usage metadata (no request content) | Privacy |
| Resend | Transactional email delivery | Email address (for magic links and payment receipts only) | Privacy |
| Google Analytics | Website analytics (consent-based) | Anonymous usage data, page views, events (only with cookie consent) | Privacy |
| Cookiebot | Cookie consent management | Consent preferences, anonymized IP | Privacy |
| OpenAI | AI model provider | Request content (forwarded as-is for processing) | Privacy |
| Anthropic | AI model provider, dashboard assistant | Request content (forwarded as-is); assistant conversations (sent for processing) | Privacy |
| Google (Gemini) | AI model provider | Request content (forwarded as-is for processing) | Terms |
| xAI | AI model provider | Request content (forwarded as-is for processing) | Terms |
| Basescan | Blockchain verification (Base network) | Transaction hash, wallet address (for USDC/USDT payment verification) | Privacy |
| Etherscan | Blockchain verification (Ethereum network) | Transaction hash, wallet address (for USDC/USDT payment verification) | Privacy |
Data Retention
- Account data is retained while your account is active.
- Transaction records are retained for accounting and legal compliance.
- Session tokens expire automatically (7 days) and are purged via TTL indexes.
- Usage logs are retained for up to 90 days for billing verification.
Free Request Data
Free requests (20 per new account) are subject to the same no-content-logging policy as paid requests. Free request usage generates the same metadata records (model, tokens, cost, timestamp) and nothing more. Free request accounts receive no additional tracking or monitoring.
Cryptocurrency Payments
OneKey accepts USDC and USDT payments on the Base and Ethereum networks. Cryptocurrency payment data includes: wallet address, transaction hash, chain, token type, and payment amount. Transactions are verified via Basescan (Base network) or Etherscan (Ethereum network). This data is retained alongside billing transactions for payment verification. We do not have access to your wallet private keys or any other on-chain activity beyond the specific payment transaction.
Your Rights
You may request a copy of your data, correction of inaccurate data, or deletion of your account by contacting us. We will respond within 30 days. Account deletion will remove your personal data, though anonymized transaction records may be retained for legal compliance.
Incident Notification
In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of confirming the breach. Notification will be sent to your registered email address and will include: a description of the incident, the types of data involved, and steps we are taking in response.
Analytics & Cookies
OneKey uses Google Analytics 4 (via Google Tag Manager) to understand how visitors use the website — page views, sign-up methods, and payment completions. Analytics scripts load only after you grant consent through our cookie banner (powered by Cookiebot). If you decline, no analytics cookies are set and no data is sent to Google.
Analytics data is aggregated and does not include API request content, prompts, or model responses. You can withdraw consent at any time by clicking the cookie settings link in the page footer.
Cookies
- Essential: Session authentication cookie (httpOnly, Secure, SameSite=Lax). Required for sign-in.
- Analytics (optional): Google Analytics cookies (_ga, _ga_*) set only with your consent. Used for anonymous usage statistics.
- Consent: Cookiebot cookie (CookieConsent) to remember your cookie preferences.
Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a notice on the website. Continued use of OneKey after changes constitutes acceptance of the updated policy.
Contact
For privacy-related inquiries, contact us at [email protected].