Legal

Privacy Policy

Last updated: April 26, 2026

Summary. We collect the minimum data needed to operate VIPCloud: account identity (email + OAuth subject), API request metadata (timestamps, model, token counts, IP), and billing records. We do not log prompt or completion content by default. We retain logs for 30 days. We do not sell your data. We comply with GDPR and CCPA.

1. Who We Are

VIPCloud ("we", "us") operates the API gateway service available at vipcloud.ai. For privacy questions or data requests, contact [email protected].

2. What We Collect

Category	Examples	Purpose
Account identity	Email, OAuth subject ID (GitHub or Google), display name, avatar URL	Authentication, account management
Authentication	Session tokens (server-side), OAuth refresh tokens (encrypted at rest)	Maintaining your login session
API request metadata	Request timestamp, model name, input/output token counts, status code, IP address (truncated)	Billing, abuse prevention, troubleshooting
Billing records	Credit pack purchased, amount, currency, payment processor transaction ID	Tax compliance, refund handling
Abuse signals	Provider refusal events, rate-limit triggers, manual abuse reports	Enforcing our AUP

What we do NOT collect by default:

Prompt content or completion text — these stream through our gateway but are not persisted beyond transient request memory.
Browser fingerprints, third-party tracking identifiers, advertising IDs.
Your contacts, location, or device sensors.

When we may collect prompt content: Only if you explicitly opt-in to debugging mode for a specific request, or if a request triggers an abuse signal that requires manual review. In the latter case, we retain the minimum content necessary for investigation and delete it after the case is closed (typically < 30 days).

3. How We Use Your Data

Operate the service: route requests, deduct credits, return responses.
Bill accurately: compute usage charges and produce billing records.
Prevent abuse: detect anomalies, enforce rate limits, investigate AUP violations.
Provide support: respond to your support requests and account inquiries.
Comply with law: respond to lawful requests from competent authorities.

We do not use your data to train AI models. We do not sell your data to third parties.

4. Sharing With Third Parties

We share only the minimum necessary data with the following service providers:

Upstream LLM providers (DeepSeek, Moonshot, Zhipu, MiniMax, etc.): We forward your prompt to fulfill the request. Each provider has its own privacy policy. We do not pass your email or account ID to upstream providers.
Payment processor / merchant of record: receives email + billing transaction. They are independently responsible as a controller for the payment data they hold.
OAuth providers (GitHub, Google): when you sign in we receive your email and basic profile per the scopes you granted.
Cloudflare: serves as our edge CDN and DDoS protection layer.
Hosting providers: backend infrastructure operated on Tencent Cloud (Hong Kong region).
Law enforcement: only when compelled by valid legal process or where we believe disclosure is necessary to prevent imminent harm.

5. Data Retention

API request metadata logs: 30 days, then deleted.
Billing records: retained for 7 years for tax compliance.
Account profile: retained while your account is active. Deleted within 30 days of account closure (excluding billing records above).
Abuse investigation files: retained for the duration of the case, plus 90 days, then deleted.

6. Your Rights

Subject to applicable law (GDPR for EU/UK residents, CCPA for California residents, similar rights in other jurisdictions), you have the right to:

Access a copy of the personal data we hold about you.
Correct inaccurate data.
Delete your account and associated personal data (subject to legal retention requirements for billing records).
Export your data in a portable format.
Object to certain processing.
Withdraw consent at any time where processing is based on consent.
Lodge a complaint with your local data protection authority.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

7. International Data Transfers

VIPCloud's primary infrastructure is hosted in Hong Kong SAR. By using the service from outside Hong Kong, you understand that your data will be transferred to and processed there. Where we transfer personal data of EU/UK residents outside the EEA/UK, we rely on appropriate safeguards including Standard Contractual Clauses.

8. Security

We protect your data with industry-standard measures:

TLS 1.2+ in transit; HSTS enforced on all customer-facing endpoints.
OAuth tokens and API keys hashed at rest.
Principle of least privilege for internal staff access.
Regular security audits of our authentication and billing flows.

No system is perfectly secure. If you discover a vulnerability, please report it responsibly to [email protected].

9. Children's Privacy

VIPCloud is not intended for users under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has registered with us, contact [email protected] and we will delete the account.

10. Cookies

We use only essential cookies needed for authentication (session token) and language preference (your selected UI language). We do not use advertising or analytics cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email to active users and on this page.

12. Contact

Privacy / data requests: [email protected]
Security disclosures: [email protected]
General support: [email protected]