Summary
Iudex Route is an OpenAI-compatible API that routes each request to a third-party large-language-model (LLM) provider chosen by our scoring system. To do that, three kinds of data move through our systems:
- Account data — email, password (hashed), optional OAuth profile — so you can sign in and we can bill you.
- Request metadata — model used, tier, token counts, cost, latency, country, IP — so you can see your usage and we can run the service.
- Prompt and response content — passed through to the selected LLM provider in real time. We do not store prompt or response bodies in our database.
Who we are
“Iudex Route,” “we,” “our,” and “us” refer to the operator of the website at iudexroute.com and the API at api.acbm.ai (internal identifier preserved for backwards compatibility). For questions about this policy or to exercise any of the rights below, write to iudexroute@gmail.com.
Information we collect
Account information
When you create an account we collect:
- Email address
- Password (hashed by Supabase Auth — we never see the plaintext)
- If you sign in with Google or another OAuth provider: the basic profile fields that provider returns (name, avatar, email)
- API keys you generate (stored as a SHA-256 hash; the full key is shown to you once at creation)
Per-request telemetry
Each call to our API writes one row to a usage_events table. The row contains:
- Your user ID and the ID of the API key used
- The model you requested and the model we actually routed to
- Tier, difficulty score, token counts in/out, estimated USD cost, latency
- HTTP status of the upstream call
- Country (derived from request headers) and the originating IP address
- An optional
domain_tagyou can pass to help calibrate the router
Billing information
If you upgrade to a paid plan, payment is handled by our payment processor (Stripe). We receive transaction metadata (amount, status, last four digits of the card) but never the full card number or CVC.
Communications
If you email us, we keep the email so we can reply and so we have a record of the conversation.
Your prompts and the model's outputs
When you call /v1/chat/completions, the messages array in your request body is forwarded to the LLM provider we route to (e.g. OpenAI, Anthropic, Google, xAI, DeepSeek, Groq, Together). The provider's response is returned to you.
We do not store the prompt or the response in our database. They exist in our function memory for the duration of the request and in the hosting provider's ephemeral request logs for a short period before being rotated.
The third-party LLM provider receives your prompt and generates the response. Their handling of that data (retention, training, fine-tuning) is governed by their terms of service and privacy policy, not ours. Links to each provider's policies are in the Sub-processors table.
How we use the information
- Operate the service — authenticate you, route requests, return responses, enforce quotas.
- Bill you — calculate usage against your plan and process payment.
- Show you analytics — render the per-request charts and totals in your dashboard.
- Improve the router — analyse aggregate, non-prompt telemetry (tiers picked, latency, cost) to tune the difficulty model.
- Prevent abuse — detect and respond to fraud, unauthorised access, scraping, or violations of our Terms.
- Comply with law — respond to lawful requests, tax records, and regulatory obligations.
We do not sell your personal information, and we do not train our own AI models on your prompts or responses.
Legal bases (GDPR)
If you are in the EEA, UK, or Switzerland, we rely on the following legal bases:
| Activity | Basis |
|---|---|
| Creating and operating your account | Performance of a contract |
| Routing your API requests | Performance of a contract |
| Billing and payment | Performance of a contract; legal obligation |
| Security, fraud prevention, service improvement | Legitimate interests |
| Marketing emails (only if you opt in) | Consent |
| Cookies and analytics (where required) | Consent |
Sub-processors
We use the following third parties to deliver the service. Each is bound by either a standard Data Processing Agreement (DPA) or their published terms.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | AWS ap-southeast-2 (Sydney) |
| Vercel | Dashboard hosting, API edge compute, request logs | Global edge, primary region syd1 |
| OpenAI | LLM provider (when routed to GPT models) | United States |
| Anthropic | LLM provider (when routed to Claude models) | United States |
| LLM provider (when routed to Gemini models) | United States | |
| xAI | LLM provider (when routed to Grok models) | United States |
| DeepSeek | LLM provider (when routed to DeepSeek models) | People's Republic of China |
| Groq | LLM provider (when routed to Groq-hosted models) | United States |
| Together AI | LLM provider (when routed to Together-hosted models) | United States |
| Stripe | Payment processing | United States / Ireland |
| Google Analytics (optional) | Anonymised dashboard analytics | United States |
Routing a request to a given provider only happens if the router picks a model hosted by them, or if you pin to a specific model. You can constrain which providers your requests touch by setting per-tier overrides in your dashboard.
International transfers
Our primary infrastructure (Supabase, Vercel syd1) is in Australia. The LLM providers we route to are predominantly in the United States, with one (DeepSeek) in China. If you are in the EEA, UK, or Switzerland, your data may be transferred outside of those regions when a request is routed to those providers.
Where required, transfers rely on Standard Contractual Clauses or other approved transfer mechanisms made available by the relevant provider. You can avoid routing to a specific jurisdiction by restricting providers in your tier configuration.
Retention
| Data | Retention |
|---|---|
| Account record | Until you delete your account, then deleted within 30 days. |
| API keys (hashed) | Until you revoke the key, then deleted within 30 days. |
| Usage events (telemetry) | Up to 13 months for analytics, then aggregated and the raw rows deleted. |
| Prompt and response bodies | Not stored. Held only in function memory for the request lifetime; ephemeral logs may persist for up to 7 days at the hosting layer. |
| Invoices and tax records | 7 years (or as legally required). |
| Support correspondence | Up to 24 months after the last reply. |
Security
- TLS 1.2+ for all traffic to and from our API and dashboard.
- API keys are stored as SHA-256 hashes; the full key is shown to you exactly once at creation and never logged.
- Passwords are hashed by Supabase Auth using bcrypt-equivalent algorithms.
- Database access is restricted by Postgres row-level-security policies scoped to the authenticated user.
- Provider API keys, secrets, and OAuth tokens are stored as encrypted environment variables on Vercel; only the running function can read them at request time.
- We monitor for anomalous traffic patterns and rate-limit at the edge.
No system is perfectly secure. If you believe you have found a vulnerability, please email iudexroute@gmail.com with the subject “Security report” — we acknowledge within one business day.
Your rights
Depending on where you live, you have some or all of these rights:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — delete your data (subject to legal retention requirements).
- Restriction — limit how we use your data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where we rely on consent, withdraw it at any time.
- Complain — lodge a complaint with your local supervisory authority. EU users may also contact their national DPA; UK users the ICO; Australian users the OAIC.
To exercise any of these, email iudexroute@gmail.com from the address on your account. We respond within 30 days.
California (CCPA/CPRA): in addition to the rights above, California residents may request disclosure of the categories of personal information we collected, sold (we don't), or disclosed for a business purpose, and may opt out of sale or sharing (we don't engage in either).
Children
Iudex Route is not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, email us and we will delete it.
Changes to this policy
We may update this policy as the product evolves. Material changes will be announced by email to account holders and/or by a notice in the dashboard at least 14 days before they take effect. The “Last updated” date at the top reflects the most recent revision.
Contact
For any privacy question, request, or complaint:
iudexroute@gmail.com (subject line “Privacy”)