Privacy Policy

Last updated: April 16, 2026

1. Introduction

SemaCache ("Company," "we," "us," or "our") respects your privacy and is committed to protecting the personal data you share with us. This Privacy Policy explains what information we collect, how we use it, how we store and protect it, and your rights regarding your data.

This policy applies to all users of the SemaCache website, dashboard, API, and related services (collectively, the "Service"). By using the Service, you consent to the practices described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address (via authentication provider)
  • User identifier (unique account ID)
  • Account creation and login timestamps

2.2 Billing Information

If you subscribe to a paid plan, Stripe (our payment processor) collects and processes your payment information. We do not store credit card numbers, bank account details, or other payment credentials on our servers. We receive and store only:

  • Stripe customer ID and subscription ID
  • Subscription tier and billing period
  • Payment status (active, canceled, etc.)

2.3 API Request Data

When you send requests through the Service, we process and may cache:

  • Request prompts and query text (for exact and semantic cache matching)
  • LLM responses (cached for future matching)
  • Model name and request parameters
  • Embedding vectors derived from your queries (for semantic similarity search)
  • Media content hashes (for multimodal request deduplication; we hash media, not store raw media inputs)
  • Generated images and videos (rehosted to cloud storage for delivery)

2.4 Upstream API Keys

You may store your upstream LLM provider API keys (e.g., OpenAI, Gemini) in the Service. These keys are encrypted at rest using AES-256 encryption (Fernet with PBKDF2 key derivation) and are decrypted only in memory at the time of request processing. We do not log, share, or access your decrypted keys for any purpose other than proxying your requests.

2.5 Usage and Analytics Data

We automatically collect:

  • Request counts, cache hit/miss rates, and latency metrics
  • Token usage (prompt tokens, completion tokens)
  • Estimated cost data based on model pricing
  • Error counts and types
  • API key usage patterns (request counts per key)
  • Audit logs of dashboard actions (create/delete keys, model registration, etc.)

2.6 Technical Data

We may collect standard technical information such as IP addresses, browser type, device information, and referring URLs for security, debugging, and service improvement purposes.

3. How We Use Your Information

We use your information to:

  • Provide the Service: Cache and retrieve API responses, proxy requests to upstream LLM providers, and manage your account.
  • Authenticate and authorize: Verify your identity, validate API keys, and enforce usage limits.
  • Process payments: Manage subscriptions, billing, and invoicing via Stripe.
  • Display analytics: Show you usage statistics, cost savings, and performance metrics in the dashboard.
  • Improve the Service: Analyze aggregate usage patterns to improve performance, reliability, and features.
  • Enforce our Terms: Detect and prevent abuse, fraud, and violations of our Terms of Service.
  • Communicate with you: Send transactional emails (billing receipts, account alerts) and, with your consent, product updates.

4. Data Storage and Security

4.1 Infrastructure

Your data is stored across the following infrastructure providers:

  • Google Cloud Platform (Cloud Run, Cloud Storage): Application hosting and media storage, US regions.
  • Supabase (PostgreSQL + pgvector): Semantic cache entries, upstream keys (encrypted), user profiles, audit logs.
  • Upstash (Redis): Exact cache entries, API key metadata, analytics counters, rate limiting data.
  • Vercel: Frontend hosting.
  • Stripe: Payment processing and subscription management.

4.2 Security Measures

We implement the following security measures:

  • AES-256 encryption for upstream API keys at rest
  • TLS/SSL encryption for all data in transit
  • API key authentication for all cache API endpoints
  • Dashboard secret authentication for management endpoints
  • Supabase Row Level Security (RLS) policies
  • Per-user data isolation (your cached data is only accessible through your API keys)

While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the security of your account credentials and API keys.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to third parties. We may share your data only in the following circumstances:

  • Service providers: We share data with infrastructure providers (listed in Section 4.1) solely for the purpose of operating the Service. These providers are bound by their own privacy policies and data processing agreements.
  • Upstream LLM providers: When cache misses occur, your request prompts are forwarded to the LLM provider specified by your model selection, using your API keys. This is inherent to the Service's functionality.
  • Legal requirements: We may disclose your data if required by law, regulation, legal process, or governmental request.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you of any such change.
  • Protection of rights: We may disclose data to enforce our Terms of Service, protect our rights, privacy, safety, or property, or respond to an emergency.

6. Data Retention

  • Cached responses: Exact cache entries have a configurable TTL (default: 7 days). Semantic cache entries are retained until you delete them or your account is terminated.
  • Analytics data: Request logs and analytics are retained for up to 90 days, depending on your subscription tier.
  • Audit logs: Retained for 7–90 days depending on your subscription tier.
  • Account data: Retained for the duration of your account. Upon account deletion, we will delete your personal data within 30 days, except where retention is required by law.
  • Upstream API keys: Deleted immediately upon your request or account termination.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data ("right to be forgotten").
  • Portability: Request your data in a structured, machine-readable format.
  • Restriction: Request restriction of processing of your data.
  • Objection: Object to processing of your data for certain purposes.
  • Withdraw consent: Withdraw your consent at any time where processing is based on consent.

To exercise any of these rights, contact us at privacy@semcache.dev. We will respond within 30 days.

8. International Data Transfers

Your data may be processed and stored in the United States and other countries where our infrastructure providers operate. By using the Service, you consent to the transfer of your data to these locations. We ensure that appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal information is collected, used, shared, or sold.
  • The right to delete personal information held by us.
  • The right to opt out of the sale of personal information. We do not sell your personal information.
  • The right to non-discrimination for exercising your CCPA rights.

10. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR). Our legal bases for processing your data include:

  • Contract performance: Processing necessary to provide the Service you requested.
  • Legitimate interests: Processing necessary for our legitimate business interests (e.g., fraud prevention, service improvement), balanced against your rights.
  • Consent: Where you have given explicit consent for specific processing activities.
  • Legal obligation: Processing necessary to comply with applicable laws.

You may lodge a complaint with your local data protection authority if you believe your rights have been violated.

11. Cookies and Tracking

The Service uses essential cookies for authentication and session management. We do not use advertising cookies or third-party tracking pixels. Authentication cookies are strictly necessary for the Service to function and cannot be disabled.

12. Children's Privacy

The Service is not intended for use by individuals under the age of 18 (or the age of majority in their jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@semcache.dev.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

SemaCache

Email: privacy@semcache.dev