Privacy Policy
Last updated: 2026-05-13 · Effective: 2026-05-13
This Privacy Policy explains what personal data SUB&SUB collects when you use the Service, what we deliberately don't collect, who we share data with, and how you can exercise your rights.
1. Who we are
The Service at www.subnsub.com and api.subnsub.com ("SUB&SUB", "we", "us") is the data controller for the personal data described in this Policy. To contact us about privacy, write to [email protected].
2. What we collect
2.1 Account information
When you create an account we store:
| Field | Source | Why we need it |
|---|---|---|
| | You, at signup | Login identifier; receipts; security and account notices. |
| password_hash | You, at signup | A PBKDF2-SHA256 hash of your password — we cannot recover the plaintext. Null if you signed in with Google only. |
| google_sub | Google OAuth | Stable Google user identifier, so a re-login finds your existing account. |
| name | Google OAuth, or you | Display name in the console. |
| avatar_url | Google OAuth | Profile picture shown in the console. |
| created_at | System | Account creation timestamp. |
| email_verified_at | System | Timestamp at which the email was verified (via Google, or via the verification email link). |
2.2 API key metadata
For each API key you create we store its display name, a SHA-256 hash of the secret, the visible prefix (e.g. sk-cf-fJk2…), the creation timestamp, the last-used timestamp (touched on every authenticated request), and the revocation timestamp if you revoke it. The plaintext key itself is shown to you only once at creation and is never stored.
2.3 Billing & transactions
For each top-up and each request we record a transaction row: type (topup / settle / refund), amount in microdollars and cents, payment method (stripe for top-ups, usage for per-request debits), an external reference (Stripe Checkout Session ID like cs_…, or a per-request UUID req:<uuid>), and a timestamp. For each Stripe webhook we record the event ID, type, credited user, credited amount, and timestamp — so a webhook retry cannot double-credit your balance.
2.4 Per-request usage metering
When you call /v1/*, we record on our infrastructure: which API key was used, which model was requested, the token counts (prompt_tokens and completion_tokens) reported by the upstream provider, the resulting debit, and a timestamp. We need this to bill you accurately and to detect abuse. We do not retain the content of your prompt or the content of the model's response on SUB&SUB systems — they pass through the relay and are not written to our database.
2.5 Authentication artifacts
Short-lived items live in Cloudflare KV (a key-value store): email verification tokens (≤24h), password-reset tokens (≤1h when applicable), Google OAuth state and nonce values (~10 min), and session tokens that back your login cookie. The session cookie is named cf-session, is set as HttpOnly; Secure; SameSite=Lax, and has a lifetime of around 30 days from creation.
2.6 Server-side logs
Cloudflare, our infrastructure provider, records request-level metadata at the network edge — including your IP address, request path, user-agent, response status, and timing — for a limited period for security, abuse detection, and operational diagnostics. Our application code also writes occasional error log lines (e.g. failed key lookups, upstream errors) to Cloudflare's runtime logs.
2.7 Email content we send you
We send transactional email — verification links, password resets (when applicable), and account or billing notices — from [email protected]. Outbound mail is delivered via Cloudflare's email service.
3. What we don't collect
- Prompt or response bodies. When you call /v1/chat/completions we authenticate and meter the request, then stream it through to the upstream provider and stream the response back. We don't write the body to our database, our logs, or any other persistent store on our side.
- Card numbers. Payments run entirely on Stripe Checkout. Stripe handles your card details, and we only see the resulting Stripe Checkout Session ID and the paid amount.
- Third-party tracking. We do not run Google Analytics, Meta pixels, Mixpanel, Sentry, PostHog, or other behavioural analytics on the marketing or console pages. The only client-side state we set is your theme preferences and a derived theme cache for flash-free reloads (see §11).
- Cross-site advertising data. We do not buy, sell, or share data with advertising networks.
4. How we use data
We use the data described above to:
- Operate the Service — authenticate your requests, route them to an upstream provider, return the response.
- Bill you accurately and provide an itemised usage history.
- Send transactional email (verification, security alerts, billing receipts, material changes to these policies).
- Protect the Service, our users, and upstream providers from fraud, abuse, and security incidents — including responding to suspected violations of the Terms of Service.
- Comply with legal obligations, respond to lawful requests, and enforce our agreements.
We do not use your data to train AI models, and we do not allow the data we hold about you to be used by third parties to train AI models on our behalf.
5. Who we share data with
We share personal data only with the providers we genuinely need to deliver the Service, and only the minimum needed. They process data on our behalf or as independent controllers, as noted.
| Recipient | What they receive | Why |
|---|---|---|
| Cloudflare (Pages, Workers, D1, KV, Email) | All Service traffic and the data stored in D1/KV; outbound email metadata. | Hosts and runs the Service. Cloudflare Privacy Policy. |
| Upstream AI providers (currently OpenAI — ChatGPT & Codex) | Each /v1/* request body you send: prompts, messages, parameters. Plus the upstream account identity we use to authenticate. | Fulfils your API request. The upstream provider's own privacy policy applies to that content — for OpenAI, see OpenAI Privacy Policy and Usage Policies. |
| Stripe | Email, top-up amount, currency, your IP at checkout time, your card / Link / Alipay / WeChat Pay credentials (handled by Stripe, never by us). | Processes payments and returns a webhook so we can credit your balance. Stripe Privacy Policy. |
| Google (only if you sign in with Google) | OAuth handshake; we receive Google's claim about your email, name, sub, and picture. | Lets you sign in without a password. Google Privacy Policy. |
| Law enforcement / authorities | Only what we are legally required to produce. | Compliance with valid legal process. |
We do not sell personal data, and we do not "share" personal data for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act.
6. Legal bases for processing (EU/UK users)
If you are in the EU, UK, or another jurisdiction where the GDPR or an equivalent regime applies, our legal bases for processing your personal data are:
- Performance of a contract (Art. 6(1)(b) GDPR) — for processing necessary to provide the Service to you: account, keys, billing, per-request metering.
- Legitimate interests (Art. 6(1)(f) GDPR) — for security, abuse prevention, fraud detection, troubleshooting, and operating the Service efficiently. We balance these interests against your rights and freedoms.
- Compliance with legal obligations (Art. 6(1)(c) GDPR) — for tax, accounting, and lawful requests.
- Consent (Art. 6(1)(a) GDPR) — for any processing we ask you to opt into; you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
7. International transfers
SUB&SUB's infrastructure runs on Cloudflare's global edge network and Stripe's global payments network, both of which operate from multiple countries. Upstream AI providers we forward requests to (currently OpenAI) are primarily based in the United States. As a result, your personal data may be transferred to and processed in countries other than the one you live in.
Where transfers are made out of the EU/UK to a country without an adequacy decision, our sub-processors rely on appropriate safeguards (such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum) published in their own public terms.
8. Retention
| Data | How long we keep it |
|---|---|
| Account record (email, name, hashes, etc.) | While your account is active, then up to 24 months after closure, or longer if law requires. |
| Transactions & Stripe event ledger | 7 years after the transaction, to meet typical tax and accounting requirements. |
| API keys (hashed) | While the key exists; revoked keys are kept for up to 12 months for audit, then purged. |
| Email verification / password reset / OAuth state in KV | Auto-expires within 10 minutes – 24 hours depending on the token type. |
| Session tokens (KV) | Auto-expire 30 days after creation, or sooner on sign-out. |
| Cloudflare edge access logs | Retained by Cloudflare for its own short period (typically days), per Cloudflare's privacy practices. |
When you ask us to delete your account, we delete or anonymise account fields on a reasonable schedule; we may retain pseudonymised transaction records for the tax/accounting period above.
9. Your rights
Subject to your local law, you have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your account and the personal data tied to it (subject to legal retention).
- Restriction — ask us to restrict processing while a complaint or correction is pending.
- Portability — receive your account and transaction data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where we processed your data based on consent.
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. We do not currently make such decisions.
- Lodge a complaint with your local data-protection supervisory authority (for EEA/UK users) or your state Attorney General (for U.S. users with applicable rights).
To exercise any of these rights, write to [email protected] from the email address on your account. We will respond within 30 days (extendable by 60 days for complex requests, in which case we will tell you). We will verify your identity before acting on requests that would disclose or change account data.
California residents: you may also designate an authorised agent. We will not discriminate against you for exercising any privacy right.
10. Security
We design the Service to keep blast radius small:
- Passwords are stored as PBKDF2-SHA256 hashes; we never see your plaintext password. API keys are stored as SHA-256 hashes; we never see the plaintext key after creation.
- Session cookies are HttpOnly, Secure, and SameSite=Lax.
- All traffic is served over TLS, terminated at Cloudflare.
- Stripe webhooks are verified by HMAC against a secret stored as an encrypted Cloudflare Pages secret; signatures older than 5 minutes are rejected.
- The internal relay endpoint to our upstream backend is reachable only through a Cloudflare Tunnel with a path filter (^/v1/) — it is not publicly addressable.
- Secrets (Stripe keys, OAuth client secret, internal relay key) are kept as encrypted Cloudflare Pages secrets and are never committed to source control.
No system is perfectly secure. If you believe you've found a vulnerability, please email [email protected] with the subject line "Security report". Please do not publicly disclose until we've had a reasonable chance to fix the issue.
11. Cookies & local storage
We use a small number of first-party cookies and a few localStorage entries — all functional, none used for tracking or analytics. No third-party cookies are set by us.
| Name | Where | Purpose | Lifetime |
|---|---|---|---|
| cf-session | Cookie (HttpOnly, Secure, SameSite=Lax) | Identifies your logged-in session. Strictly necessary to operate the console. | ~30 days |
| lang_pref | Cookie (Secure, SameSite=Lax; HttpOnly when set by the edge) | Records your standing display-language preference (set by the IP-based first-visit redirect, by the language picker, or implicitly by viewing a localized page). On later visits to the bare root URL / we redirect you to /<lang>/ matching this value, so the locale stays sticky as you navigate (including round-trips through sister sites such as tools.subnsub.com). Opt out by setting lang_pref=en from your browser, or by picking English in the language picker. | ~1 year |
| cf-mode | localStorage | Remembers your light / auto / dark choice across visits. | Until you clear it |
| cf-anim | localStorage | Remembers whether you have animations forced on, off, or following your OS reduce-motion preference. | Until you clear it |
| cf-themecache | localStorage | A cached snapshot of the resolved CSS variables for your current mode, replayed before first paint to prevent a colour flash on page load. Recomputed on every theme change. | Until you clear it |
All of these are strictly necessary or functional and do not require a consent banner under EU rules. Language selection works as follows: every explicit page URL is authoritative for its own language (e.g. /zh-CN/ is always Chinese, /de/ is always German). For the bare root URL /, the first time you visit without a lang_pref cookie, the edge may redirect you to a locale matching the country of your IP address (as reported by Cloudflare's cf-ipcountry header) and write lang_pref recording the chosen language. On subsequent visits to /, we redirect to /<lang>/ if lang_pref names a language other than English; if it is en, you stay on English. Setting lang_pref=en in your browser, or picking English in the language picker, opts out of the localized redirect.
Third parties involved in payment or sign-in (Stripe Checkout, Google sign-in) may set their own cookies on their domains during those flows; their cookies are governed by their own policies.
12. Children
The Service is not directed to children under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact [email protected] and we will delete it.
13. Changes to this Policy
We may update this Policy from time to time. The updated version will be posted at www.subnsub.com/privacy with a new "Last updated" date. For material changes, we will give you reasonable notice — by a banner on the Service, by email, or both — before they take effect. Your continued use of the Service after the effective date constitutes acceptance.
14. Contact
For any privacy question or to exercise a right described above, please write to: