Privacy Policy

Last updated June 2026

1. Who we are

Retanu is operated by Black Gibbon Ltd (“we,” “us,” “our”). We are the data controller for the personal data described in this policy. You can reach our data-protection point of contact at privacy@retanu.com.

2. What this policy covers

This policy applies to all personal data we process when you visit retanu.com, create an account, use the Retanu console, or send inference requests through the Retanu gateway. It does not apply to the content of inference requests and responses you send through the gateway, which is addressed in Section 7 below.

3. Data we collect

We collect the following categories of personal data:

Account data
Name, email address, and profile picture provided by your identity provider (e.g., Google) when you sign in.
Organization data
Organization name, workspace names, and configuration settings you create in the console.
Usage metadata
For each inference request routed through the gateway: timestamp, workspace identifier, model selected, provider used, token counts, estimated cost, and latency. This metadata does not include the content of your prompts or responses.
Provider credentials
API keys you supply for inference providers (OpenAI, Anthropic, DeepInfra, Google). These are stored encrypted and used solely to route your requests.
Log and device data
IP address, browser type, and pages visited when you use the console. We collect this for security monitoring and to diagnose issues.
Payment data
If you subscribe to a paid plan, payment information is collected and processed by our payment processor (e.g., Stripe). We do not store full card numbers on our servers.

4. How we use your data

We use personal data for the following purposes:

  • Provide and operate the service — authenticate you, route inference requests, enforce spend caps and rate limits, and generate usage reports.
  • Billing and cost attribution — meter usage per workspace and generate statements with your configured rates.
  • Security and abuse prevention — detect unauthorized access, enforce rate limits, and monitor for anomalous usage patterns.
  • Service improvements — analyze aggregate, de-identified usage patterns to improve routing accuracy and platform reliability.
  • Communication — send you service-related emails (account verification, security alerts, billing notices). We do not send marketing emails unless you opt in.
  • Legal compliance — meet our obligations under applicable laws and respond to lawful requests from authorities.

5. Legal basis for processing

If you are in a jurisdiction that requires a legal basis for processing personal data (such as the EEA or UK), we rely on the following:

Contract performance
Processing necessary to provide the Retanu service you signed up for (account data, usage metadata, provider credentials).
Legitimate interests
Security monitoring, fraud prevention, and service improvement, where these interests are not overridden by your rights.
Legal obligation
Processing required to comply with applicable laws (e.g., tax records, responding to lawful data requests).
Consent
Where required, such as for optional marketing communications. You can withdraw consent at any time.

6. Data sharing

We do not sell your personal data. We share data only in these circumstances:

Inference providers
When you send a request through the gateway, we forward it to the provider you configured (OpenAI, Anthropic, DeepInfra, or Google) using your own API keys. Each provider processes the request under its own privacy policy and terms.
Infrastructure providers
We use cloud hosting, database, and CDN services to operate the platform. These providers process data on our behalf under data processing agreements.
Payment processors
If you use a paid plan, your payment data is processed by our payment provider (e.g., Stripe) under their privacy policy.
Legal requirements
We may disclose data if required by law, court order, or to protect the rights, property, or safety of our users or the public.
Business transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you before your data becomes subject to a different privacy policy.

7. Inference request content

Zero-retention by default. The content of inference requests (prompts) and responses is not stored by Retanu. We forward requests to the configured provider and return the response to your application. Only routing metadata (model, cost, latency, token counts) is retained for billing and usage tracking.

If an organization administrator enables content logging for a workspace, request and response content will be stored for the retention period configured by the administrator. Content logging is off by default and must be explicitly enabled per workspace.

Regardless of your Retanu settings, inference providers may retain request content under their own data-processing terms. Review your provider's policies for details.

8. Data retention

Account data
Retained while your account is active. Deleted within 30 days of account closure, unless we are required by law to retain it longer.
Usage metadata
Retained for 24 months for billing, reporting, and dispute resolution. After 24 months, metadata is aggregated and de-identified.
Provider credentials
Deleted immediately when you remove a provider key from the console, or within 30 days of account closure.
Inference content (if enabled)
Retained for the period configured by the organization administrator. Defaults to 0 days (not stored).
Log and device data
Retained for up to 90 days for security monitoring, then deleted.

9. Security

We implement the following security measures to protect your data:

  • Data isolation — every organization's data is separated at the database level using row-level security policies. One organization cannot access another's data, keys, or logs. This separation is verified by 16 automated isolation tests.
  • Encryption in transit — all connections to the console, gateway, and admin API use TLS.
  • Credential protection — provider API keys are stored encrypted. Keys are never written to application logs. An automatic scrubber removes sensitive patterns from all log output.
  • Restricted database role — the application connects with a role that cannot bypass security policies. Administrative access is limited to migration and maintenance operations.
  • Fail-closed controls — if a budget or rate-limit check cannot run (e.g., database unavailable), the request is rejected rather than allowed through.

For a detailed breakdown of implemented vs. planned security capabilities, see our Security page.

10. International data transfers

If you are located outside the region where our servers are hosted, your data may be transferred to and processed in a different jurisdiction. Where we transfer personal data outside the EEA or UK, we rely on standard contractual clauses or other appropriate safeguards recognized under applicable data-protection law. You can request a copy of the relevant safeguards by contacting us at privacy@retanu.com.

11. Your rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your personal data, subject to legal retention requirements.
  • Restriction — ask us to restrict processing of your data in certain circumstances.
  • Data portability — request your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email privacy@retanu.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data-protection authority.

12. Cookies and tracking

The Retanu console uses strictly necessary cookies for authentication and session management. We do not use advertising cookies or third-party tracking pixels. We do not sell or share cookie data with advertisers.

We may use a privacy-respecting analytics service (e.g., Plausible, Fathom) to measure aggregate page views on the marketing site. These services do not use cookies and do not track individual users across sites.

13. Children's privacy

Retanu is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@retanu.com and we will delete it promptly.

14. Changes to this policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email or by posting a notice in the console at least 14 days before the changes take effect. Your continued use of the service after the effective date constitutes acceptance of the updated policy.

15. Contact us

If you have questions about this privacy policy or how we handle your data, contact us at:

Black Gibbon Ltd

Email: privacy@retanu.com