Privacy Policy

ApiLink Limited ("ApiLink", "we", "us", "our") is a company registered in New Zealand. We operate the API platform at apilink.io.

For GDPR purposes, ApiLink is the data controller of your personal information. You can contact us at support@apilink.io.

• Email address (required for account creation)
• Password hash (never stored in plaintext)
• Company name and VAT/GST number (optional, for invoice generation)

• API request logs: timestamp, model used, token counts, cost, latency, status
• Request IDs (UUIDs) for debugging — we do not store prompt or response content
• IP address at time of request (retained for 90 days)

• Payment amount and currency
• Transaction reference from payment processor
• We do not store credit card numbers — payments are handled by our payment processors

• Browser type and OS (from user-agent, for dashboard sessions only)
• Cookie for session authentication (strictly necessary)

• Providing the service — authenticating API requests, deducting balance, logging usage
• Billing — generating invoices, processing refunds
• Security — detecting abuse, fraud prevention
• Legal obligations — tax records, regulatory compliance
• Communication — service announcements, security alerts (no marketing without consent)

We do not sell your personal data. We do not use your API request content for training AI models.

• Contract — processing necessary to provide the service you signed up for
• Legal obligation — tax records, fraud prevention
• Legitimate interest — security monitoring, abuse detection
• Consent — marketing communications (you can withdraw at any time)

We share data only with:

• AI model providers (e.g. OpenAI, Anthropic, Google, DeepSeek) — your API request content is forwarded to process your request. Each provider has their own privacy policy.
• Aggregator gateways (e.g. OpenRouter, SiliconFlow) — we may route your request through these intermediaries to reach the model you selected. Some aggregators (notably SiliconFlow, even when accessed via its international tier at cloud.siliconflow.com) are operated by entities incorporated in China and may process your data on infrastructure subject to Chinese law. If you select a model only available through such an aggregator (e.g. Qwen, GLM, MiniMax, Hunyuan, Kimi), your request content will be processed by that aggregator. By choosing such a model you acknowledge this transfer.
• Supabase — our database and authentication provider (data stored in Singapore region)
• Payment processors — Stripe and/or others, for transaction processing
• Vercel — our hosting provider

All processors are bound by data processing agreements. We do not share data with any other third parties.

• Account data — retained while your account is active, deleted within 30 days of account deletion
• Usage logs — retained for 12 months for billing dispute resolution
• Payment records — retained for 7 years (legal requirement)
• IP logs — retained for 90 days

Depending on your location, you may have the following rights:

• Access — request a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — delete your account and personal data ("right to be forgotten")
• Portability — receive your usage data in machine-readable format
• Objection — object to processing based on legitimate interest
• Withdrawal of consent — for any consent-based processing

To exercise any right, email support@apilink.io. We respond within 30 days.

You can delete your account at any time from your Account Settings.

We use only one cookie: a session authentication token (strictly necessary). We do not use tracking or advertising cookies.

You cannot opt out of the session cookie as it is required for the service to function.

Your account and payment data is processed in the United States (Vercel, Stripe) and Singapore (Supabase). These transfers are protected by Standard Contractual Clauses (SCCs) where required by GDPR.

Your API request content is processed in different jurisdictions depending on the model you call:

• OpenAI, Anthropic, Google models — processed in the United States
• Mistral, Meta (Llama), Cohere — typically processed in the European Union or United States
• DeepSeek, Qwen, GLM, Kimi, MiniMax, Hunyuan and other Chinese-origin models — processed by providers incorporated in China. Although some operate international tiers (e.g. cloud.siliconflow.com) that bill in USD and accept overseas customers, the underlying entity remains a Chinese company subject to Chinese law. Selecting any of these models constitutes your explicit consent to this transfer. We have no control over data handling once it reaches these providers.

If you do not wish your prompts to be transferred outside the EU/US, restrict your use to OpenAI, Anthropic, Google, Mistral, Meta, or Cohere models.

Our service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us at support@apilink.io.

We will notify registered users by email at least 14 days before any material changes to this policy. Continued use of the service constitutes acceptance.

Privacy questions: support@apilink.io

If you are in the EU/UK and believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection authority.