Privacy Policy

1. Who we are

Slashboard ("we", "our") is an AI cost observability service. This Privacy Policy explains how we collect, use, and protect your data.

2. What we collect

Account data: email address, hashed password, organisation name.

Ingest telemetry (sent by your application): model identifier, provider, token counts, cost (computed or submitted), latency, status, and optional attribution tags (team, feature, user_id). We do NOT store prompt or response bodies by default — only if you explicitly enable body capture in Settings.

Usage data: API key activity timestamps, dashboard interaction logs (browser), error logs.

3. How we use it

To provide the service (populate dashboards, compute cost analytics, trigger budget alerts).

To send transactional emails (email verification, password reset, budget alerts).

To detect abuse and ensure platform security.

We do not sell your data. We do not use your LLM telemetry to train any AI model.

4. Data retention

Raw event logs (llm_requests) are retained for 30 days from ingestion and then purged. Aggregated cost rollups (no PII) are retained indefinitely to back long-range charts. Account data is retained until you delete your account.

5. Prompt bodies & PII

By default, Slashboard stores only metadata — model name, token counts, cost, and your attribution tags. Prompt and response bodies are never stored unless you opt in via Settings → Data Retention → Store Prompt & Response Text. If you enable this, ensure your prompts are free of personal data or are appropriately anonymised before sending.

6. Sub-processors

We use the following sub-processors to provide the service: PostgreSQL (database), Redis (queue), MinIO (blob storage). For the cloud-hosted version we use [hosting provider TBD]. All are bound by data processing agreements.

7. Your rights

You can export or delete all your data at any time via account settings or by emailing privacy@slashllm.com. We will respond within 30 days. EU/UK residents have additional rights under GDPR/UK GDPR including access, rectification, erasure, and portability.

8. Security

All data is transmitted over TLS. API keys are stored as SHA-256 hashes. Passwords are hashed with bcrypt. We enforce per-org data isolation at the application layer and test for cross-tenant leakage. We do not log secrets.

9. Cookies

We use a single httpOnly session cookie to maintain your logged-in session. We do not use tracking or advertising cookies.

10. Changes

We will notify you by email at least 14 days before any material change to this policy.

11. Contact

Data protection questions: privacy@slashllm.com