Privacy Policy

Last updated: January 2026

1. Overview

Crawfish Technologies LLC ("Crawfish API", "we", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI routing and gateway services.

This policy complies with:

  • General Data Protection Regulation (GDPR) - EU/EEA users
  • California Consumer Privacy Act (CCPA) - California residents
  • Other applicable data protection laws

2. Data We Collect

Account Information:

  • Email address
  • Account preferences and settings
  • Billing information (processed by payment providers)

Usage Data (for billing and service improvement):

  • API call counts and timestamps
  • Token usage (input and output)
  • Model selection and routing decisions
  • IP addresses
  • HTTP headers and user agent information

✅ What We Do NOT Collect:

  • The content of your prompts or requests
  • The content of model responses
  • Your application data or business logic

3. How We Use Your Data

We use collected data for the following purposes:

  • Providing Services: Processing API requests, routing to LLM providers, and delivering responses
  • Billing: Calculating usage, generating invoices, and processing payments
  • Account Management: Account creation, authentication, and communication
  • Service Improvement: Analyzing aggregate usage patterns to improve reliability and performance
  • Security: Detecting and preventing fraud, abuse, and security threats
  • Legal Compliance: Meeting our legal and regulatory obligations

4. Data Storage & Security

Your data is stored securely using industry-standard measures:

  • Storage Location: Singapore (Tencent Cloud)
  • Encryption at Rest: AES-256 encryption for all stored data
  • Encryption in Transit: TLS 1.3 for all data transmission
  • Access Controls: Role-based access control (RBAC) with audit logging
  • Regular Audits: Periodic security reviews and penetration testing

5. API Key Security

API keys are treated with the highest security measures:

  • API keys are encrypted at rest using AES-256
  • Keys are never displayed in full after initial creation
  • We cannot recover or reveal your full API key
  • Keys can be regenerated at any time from your dashboard
  • We do not share API keys with third parties
  • Keys are transmitted only over encrypted connections

⚠️ Important: You are responsible for keeping your API keys confidential. If you believe a key has been compromised, regenerate it immediately.

6. Third-Party Services

We work with third-party services to provide our functionality:

LLM Providers:

Your requests are forwarded directly to model providers (OpenAI, Anthropic, Google, DeepSeek, etc.). These providers process your prompts according to their own privacy policies.

Note: We do not cache, store, or review the content of your prompts or responses. Data is passed through our servers for routing purposes only.

Payment Processing:

Payments are processed by Stripe. We do not store credit card information on our servers. Stripe's privacy policy applies to payment data.

Infrastructure:

Our service runs on Tencent Cloud infrastructure in Singapore. Tencent Cloud's security practices apply to the underlying infrastructure.

7. Cookies & Tracking

We use minimal, functional cookies:

Necessary Cookies:

  • Authentication cookies (to keep you logged in)
  • Session management cookies
  • Security cookies (CSRF protection)

We do not use advertising cookies, analytics cookies that track you across sites, or any form of cross-site tracking.

8. Your Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data (right to be forgotten)
  • Portability: Request your data in a machine-readable format
  • Restriction: Request limited processing of your data
  • Objection: Object to certain types of processing
  • Withdraw Consent: Where processing is based on consent, withdraw that consent

To exercise any of these rights, contact us at admin@crawfish.top.

9. Data Retention

We retain your data for the following periods:

Data Type                   Retention Period
Account data                Until account deletion + 30 days
API usage logs (billing)    3 years (tax/legal compliance)
Security logs               1 year
Prompts/responses           Not stored

10. Children's Privacy

Our services are not directed to individuals under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. International Data Transfers

Our servers are located in Singapore. If you are located outside Singapore:

  • Data may be transferred to and processed in Singapore
  • Singapore has adequate data protection laws
  • We use Standard Contractual Clauses (SCCs) where required for EU transfers
  • Your data may be subject to access requests from Singapore authorities

12. GDPR Compliance (EU/EEA)

For users in the European Union or European Economic Area:

Legal Basis for Processing:

  • Contract: Processing necessary to provide services
  • Legitimate Interests: Security, fraud prevention, service improvement
  • Consent: Marketing communications (where applicable)

As a data processor under GDPR, we assist data controllers (you, the user) in fulfilling data subject rights requests and maintaining records of processing activities.

13. CCPA Compliance (California)

If you are a California resident, you have additional rights under the CCPA:

  • Right to Know: Request disclosure of personal information collected, used, or shared
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of sale of personal information (we do not sell data)
  • Non-Discrimination: We will not discriminate for exercising your rights

We do not sell personal information. We share data only with third-party service providers as described in this policy.

14. Data Processing Agreement (DPA)

For enterprise customers requiring a formal DPA:

We offer Data Processing Agreements for customers who need to comply with GDPR Article 28 or similar requirements.

A standard DPA is available upon request and includes:

  • Processor/controller designations
  • Processing instructions and scope
  • Security measures and certifications
  • Sub-processor list
  • Data breach notification procedures
  • Audit rights

Contact admin@crawfish.top to request a DPA.

15. Contact Us

For privacy-related questions or to exercise your rights:

Company: Crawfish Technologies LLC

Email: admin@crawfish.top

Response Time: We aim to respond within 30 days