Privacy Policy

This Privacy Policy describes how Conduix (operated by iVirtualsoft Corp) collects, uses, and shares information when you use our service.

1. What we collect

• Account information. Name, work email, organization name, and credentials (password hash, multi-factor enrollment state, recovery codes) that you provide at signup or in settings.
• Billing information. The billing identifier returned by Stripe, the plan you are on, your credit balance, and records of credit purchases and consumption. Card details are collected and stored by Stripe; Conduix never sees or stores raw card numbers.
• Usage and request metadata. Timestamps, models selected, providers routed to, request and response token counts, cost meters, latency, error codes, and request identifiers. This information powers your dashboard, usage reports, audit log, and our internal operations.
• Request content (prompts and completions). When you call the API, your prompts and the upstream provider’s completions are processed in order to route the request, apply governance policy, and return the response. Retention of request content is described below.
• Audit log entries. Records of security-relevant and account-management events (login, key creation, member changes, policy changes, payment events).
• Telemetry. Basic web analytics (page views, referrers, user agent) and server logs used for debugging, security, and capacity planning.

2. How we use information

• To operate, secure, and improve the service.
• To route requests to upstream model providers you select.
• To meter usage, calculate credit consumption, and process payments.
• To prevent fraud and abuse, including rate-limit enforcement, anomaly detection, and investigation of policy violations.
• To communicate with you about your account, security alerts, product updates, and policy changes.
• To comply with law and respond to lawful requests.

3. Sub-processors

We use the following sub-processors to operate the service. Each receives only the information necessary for the function it performs.

Upstream model providers

• OpenAI
• Anthropic
• Google
• Groq
• Together AI
• Mistral
• DeepSeek
• Fireworks AI
• xAI

When you select a model, the corresponding upstream provider receives the request payload and returns the response. Each provider processes data under its own privacy policy and terms.

Infrastructure and operations

• Amazon Web Services — hosting, managed database, managed cache, secrets storage, and managed networking.
• Stripe — payment processing and stored billing identifiers.
• Cloudflare — edge proxy, DDoS protection, and bot mitigation.
• Postmark — transactional email delivery (verification, password reset, security notifications, billing receipts).

4. Data retention

We retain information for as long as your account is active and for a limited period afterward to satisfy legal, accounting, and security obligations. Request content (your prompts and the resulting completions) is retained only as needed to operate the service, and we do not use your request content to train AI models. Usage and billing records and audit-log entries are kept for the periods required for our operations and compliance; backups are overwritten on a rolling basis in the normal course of operations. You may request deletion as described in the “Your rights” section.

5. Security

• Provider API keys and BYO-endpoint credentials are encrypted at rest using envelope encryption.
• Optional PII redaction is available for structured PII (such as email addresses, phone numbers, payment-card numbers, and IP addresses) before requests leave the gateway. PII detection is best-effort; it does not cover names, free-text identifiers, or unstructured personal data.
• Access to production systems is restricted to authorized personnel under the principle of least privilege; administrative actions are recorded in audit logs.
• Despite reasonable safeguards, no system is perfectly secure. Please report suspected vulnerabilities to support@conduix.ai.

6. Your rights

Depending on where you live, you may have rights with respect to your personal information, which can include the right to:

• Access the personal information we hold about you.
• Correct inaccurate personal information.
• Delete your account and associated personal information.
• Export your personal information in a portable format.
• Object to or restrict certain processing, where applicable under GDPR, the UK GDPR, the CCPA/CPRA, or similar laws.
• Withdraw consent where processing relies on consent.

To exercise these rights, contact support@conduix.ai. We will respond within the time period required by applicable law. We may ask you to verify your identity before processing the request.

7. Cookies

We use essential and session cookies required to authenticate you and to operate the dashboard (for example, to remember that you are signed in and to protect against cross-site request forgery). We do not currently use advertising or cross-site tracking cookies. A more detailed cookie disclosure will be added when the policy is finalized.

8. International transfers

Conduix is operated from the United States, and our infrastructure sub-processors (notably AWS) may transfer and store data outside your country of residence. Where such transfers are subject to European, UK, or similar data-protection law, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism.

9. Children

Conduix is not directed to children under 16 and we do not knowingly collect personal information from children. If you believe a child has provided information to us, contact us at support@conduix.ai and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or in the dashboard before they take effect. The “Last updated” date at the top reflects the most recent revision.

11. Contact

Privacy questions: support@conduix.ai. Security questions and vulnerability reports: support@conduix.ai.