Privacy Notice

Effective Date: May 3, 2026.

Who We Are

starllm provides a unified AI inference platform that gives users access to a curated lineup of large language models, multimodal models, and related AI capabilities through a single interface, API, billing system, and usage experience.

Depending on how you use the Service, starllm may act as a data controller, business, processor, service provider, or equivalent role under applicable privacy laws. For example:

  1. we generally act as a controller for account registration, billing, security, fraud prevention, analytics, product administration, marketing, and legal compliance; and
  2. where a business customer submits personal data through the API for processing on behalf of its own users, customers, employees, or other data subjects, the business customer is generally responsible for determining the lawful basis, notices, consents, and instructions for that data, and starllm may process that data as a processor or service provider where required by applicable law or a separate data processing agreement.

If you use the Service on behalf of an organization, you are responsible for ensuring that your organization has provided all required notices and obtained all required rights, permissions, and consents before submitting personal data to the Service.

1. Scope of This Privacy Notice

This Privacy Notice applies to personal data processed by starllm in connection with the Service.

It does not apply to third-party websites, applications, models, providers, payment processors, identity providers, analytics tools, or other services that are not controlled by starllm. Those third parties may process personal data according to their own privacy notices, terms, data processing practices, and legal obligations.

The Service may allow you to access third-party AI models and infrastructure providers through starllm. When you use such models or providers, your prompts, files, inputs, outputs, API parameters, usage metadata, and related technical information may be transmitted to those providers as necessary to fulfill your request.

2. Personal Data We Collect

We may collect the following categories of personal data, depending on how you use the Service.

2.1 Account Data

We may collect account information such as:

  • email address;
  • display name;
  • username;
  • company or organization name;
  • role or team information;
  • authentication credentials;
  • hashed password information;
  • account settings;
  • organization settings;
  • billing status;
  • communication preferences; and
  • other information you provide when creating or managing an account.

We do not store plain-text passwords.

2.2 API, Usage, and Technical Data

When you use the Service, we may collect technical and usage information such as:

  • API request metadata;
  • model names and model routing information;
  • token usage, including input tokens, output tokens, cached tokens, and other billable units;
  • timestamps;
  • IP addresses;
  • user-agent strings;
  • device and browser information;
  • endpoint information;
  • request size, latency, status codes, error logs, and provider response metadata;
  • rate limit, spending limit, and quota information;
  • API key identifiers or hashed API key references;
  • referrer URLs;
  • diagnostic logs;
  • security events; and
  • other information needed to operate, secure, debug, bill, monitor, and improve the Service.

2.3 Inputs, Outputs, Files, and Model Interaction Data

Depending on how you use the Service, we may process:

  • prompts;
  • messages;
  • files;
  • images;
  • documents;
  • code;
  • instructions;
  • API parameters;
  • tool call data;
  • generated outputs;
  • model responses;
  • safety signals;
  • provider errors; and
  • related metadata.

We refer to data submitted to the Service as "Inputs" and data generated through the Service as "Outputs."

You are responsible for ensuring that you have the necessary rights, permissions, notices, consents, and lawful basis to submit any personal data, confidential data, regulated data, or third-party data to the Service.

2.4 Billing and Payment Data

Payments may be processed by our payment processor, Merchant of Record, or billing provider. We may receive and store billing-related information such as:

  • customer name;
  • billing email;
  • billing address;
  • company name;
  • tax information;
  • invoice records;
  • transaction identifiers;
  • subscription or credit purchase history;
  • payment status;
  • refund status;
  • chargeback information; and
  • fraud prevention signals.

We do not intentionally store full payment card numbers or raw payment instrument details unless explicitly provided by a payment provider in a manner required for compliance or dispute handling.

2.5 STAR Rewards and Promotional Data

If you participate in STAR rewards, referrals, campaigns, partner programs, product events, or promotions, we may collect and process information such as:

  • reward eligibility;
  • referral activity;
  • campaign participation;
  • STAR balances and redemption history;
  • promotional credit usage;
  • abuse prevention signals;
  • account linkage signals;
  • invitation records; and
  • related operational logs.

This data is used to operate the reward system, prevent abuse, investigate fraud, enforce campaign rules, and maintain the integrity of the Service.

2.6 Communications and Support Data

If you contact us, submit feedback, report bugs, request support, respond to surveys, or communicate with us, we may process:

  • your contact details;
  • message contents;
  • attachments;
  • screenshots;
  • support history;
  • technical diagnostics; and
  • any other information you choose to provide.

2.7 Cookies, Analytics, and Similar Technologies

We may use cookies, local storage, pixels, SDKs, analytics tools, and similar technologies to operate the Service, remember preferences, authenticate sessions, prevent fraud, measure performance, understand usage, and improve our website and products.

More information is provided in Section 11 (Cookies and Similar Technologies).

3. How We Use Personal Data

We may use personal data for the following purposes:

  1. to create, verify, maintain, and secure accounts;
  2. to provide, operate, route, monitor, and improve the Service;
  3. to process Inputs and generate Outputs;
  4. to transmit requests to third-party models or providers selected by you or made available through the Service;
  5. to calculate usage, token consumption, billing, credit balances, STAR rewards, and invoices;
  6. to process payments, refunds, taxes, disputes, chargebacks, and accounting records;
  7. to detect, prevent, investigate, and respond to fraud, spam, abuse, security incidents, policy violations, unauthorized access, and misuse of the Service;
  8. to enforce our Terms of Service, model policies, reward rules, usage limits, and other applicable policies;
  9. to debug errors, resolve support requests, improve reliability, and maintain infrastructure;
  10. to analyze product performance, model performance, latency, provider reliability, cost efficiency, and user experience;
  11. to communicate service updates, security notices, policy updates, billing notices, and administrative messages;
  12. to send marketing communications where permitted by law or with your consent where consent is required;
  13. to comply with legal, regulatory, tax, accounting, sanctions, export control, law enforcement, or court order obligations;
  14. to protect the rights, safety, property, and legitimate interests of starllm, our users, providers, partners, and the public; and
  15. for any other purpose disclosed to you at the time of collection or permitted by applicable law.

We may use aggregated, anonymized, or de-identified data for analytics, benchmarking, product development, security, reporting, model performance monitoring, and business purposes. Where data has been anonymized so that it can no longer reasonably identify you, we may use and retain it without restriction, subject to applicable law.

4. Legal Bases for Processing

Where the GDPR, UK GDPR, or similar laws apply, we process personal data only where we have a legal basis to do so. Depending on the context, our legal bases may include:

4.1 Performance of a Contract

We process personal data where necessary to provide the Service, create and manage your account, process API requests, calculate usage, provide support, manage billing, and perform our contractual obligations.

4.2 Legitimate Interests

We may process personal data where necessary for our legitimate interests or the legitimate interests of others, provided those interests are not overridden by your rights and freedoms. These interests may include:

  • securing the Service;
  • preventing fraud, abuse, spam, and misuse;
  • maintaining service reliability;
  • debugging and troubleshooting;
  • enforcing our Terms;
  • improving product functionality;
  • measuring usage and performance;
  • protecting our business, users, providers, and infrastructure;
  • conducting internal analytics; and
  • communicating non-marketing service information.

4.3 Legal Obligations

We may process personal data to comply with legal, regulatory, tax, accounting, sanctions, export control, consumer protection, cybersecurity, law enforcement, or court order obligations.

4.4 Consent

We may process personal data based on your consent where required, such as for certain marketing communications, optional analytics cookies, or specific optional features. You may withdraw consent at any time, but withdrawal does not affect processing that occurred before withdrawal.

4.5 Vital Interests or Public Interest

In rare cases, we may process personal data where necessary to protect vital interests or where processing is necessary for a task carried out in the public interest, if applicable under law.

5. AI Inputs, Outputs, and Model Data Handling

starllm is an AI inference platform. This means that some data you submit to the Service may be processed by AI models, infrastructure providers, and related technical systems.

5.1 Third-Party Model Processing

When you use a model provided by a third party, your Inputs, Outputs, API parameters, files, and metadata may be transmitted to that third-party provider or its infrastructure partners as necessary to process your request.

Third-party providers may apply their own safety systems, content filters, logging, retention periods, abuse monitoring, and data processing practices. starllm does not control all aspects of third-party provider processing.

You are responsible for reviewing whether a particular model or provider is appropriate for the data you submit and the use case you intend.

5.2 Training and Model Improvement

Unless otherwise stated in a separate agreement, product setting, or applicable model-specific notice, starllm does not use your API Inputs or API Outputs to train its own foundation models.

We may use usage metadata, diagnostic data, aggregated data, de-identified data, safety signals, error patterns, routing performance data, and operational analytics to monitor, secure, debug, and improve the Service.

Third-party model providers may have separate policies regarding whether and how they use data for training, abuse monitoring, or service improvement. Where feasible, starllm may select provider configurations that reduce or disable training on customer API data, but we do not guarantee that every third-party provider offers identical controls.

5.3 Sensitive Data

You should not submit highly sensitive personal data, regulated health information, payment card data, government identification numbers, biometric identifiers, precise location data, trade secrets, confidential business information, children's data, or other regulated data unless you have confirmed that your use case, selected model, provider, account configuration, and legal basis are appropriate.

If you submit such data, you are responsible for all required notices, consents, safeguards, contractual terms, and legal compliance.

6. Business Customers and End-User Data

If you use the Service on behalf of a business, application, organization, or other third party, you are responsible for your own users, customers, employees, contractors, and other data subjects whose personal data you submit to the Service.

You represent and warrant that:

  1. you have provided all required privacy notices;
  2. you have obtained all required consents or other legal bases;
  3. you have the right to submit the data to starllm and relevant third-party providers;
  4. your use of the Service complies with applicable privacy, consumer protection, employment, sector-specific, and data protection laws;
  5. your instructions to starllm are lawful; and
  6. you will not submit data that you are prohibited from submitting.

Where required by applicable law, business customers may need to enter into a separate Data Processing Agreement or similar agreement with starllm before submitting personal data for processing on behalf of others.

If you need a Data Processing Agreement, please contact us using the contact details below.

7. How We Share Personal Data

We may share personal data with the following categories of recipients where necessary for the purposes described in this Privacy Notice.

7.1 Model Providers and Infrastructure Partners

We may share Inputs, Outputs, files, API parameters, usage metadata, and technical information with upstream model providers, cloud providers, hosting providers, routing infrastructure, database providers, security vendors, and other infrastructure partners as necessary to provide the Service.

7.2 Payment, Billing, and Tax Providers

We may share billing, transaction, tax, fraud prevention, and account information with payment processors, Merchant of Record providers, billing platforms, accounting providers, tax compliance providers, banks, card networks, and dispute resolution providers.

7.3 Identity, Authentication, and Security Providers

We may share account, authentication, device, IP address, and security-related data with identity providers, authentication providers, fraud detection services, abuse prevention vendors, security monitoring vendors, and access control systems.

7.4 Analytics and Product Operations Providers

We may share limited usage, device, browser, event, and product analytics data with analytics, observability, logging, customer support, and product operations providers.

Where required by law, we will use consent or provide opt-out controls for non-essential analytics.

7.5 Professional Advisers and Compliance Recipients

We may share information with lawyers, accountants, auditors, insurers, banks, consultants, and other professional advisers where necessary for business, legal, compliance, financial, or risk management purposes.

7.6 Legal, Safety, and Enforcement Disclosures

We may disclose personal data where we reasonably believe it is necessary to:

  • comply with law, regulation, legal process, court order, or government request;
  • enforce our Terms of Service or other policies;
  • detect, investigate, or prevent fraud, abuse, security incidents, or technical issues;
  • protect the rights, property, safety, or interests of starllm, our users, providers, partners, or the public; or
  • respond to emergencies.

7.7 Business Transfers

If starllm is involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, transfer of business, or similar transaction, personal data may be disclosed, transferred, or assigned as part of that transaction, subject to applicable law.

7.8 No Sale of Personal Data

We do not sell personal data for money. We also do not knowingly sell or share personal data of children.

Where certain privacy laws define "sale" or "sharing" broadly to include targeted advertising or cross-context behavioral advertising, we will provide required notices and choices if we engage in such activities.

8. International Data Transfers

starllm may process and transfer personal data in countries other than the country where you are located. These countries may have data protection laws that differ from those in your jurisdiction.

Where personal data subject to the GDPR, UK GDPR, or similar laws is transferred internationally, we rely on appropriate transfer mechanisms where required, which may include:

  • adequacy decisions;
  • Standard Contractual Clauses;
  • UK International Data Transfer Addendum or equivalent mechanisms;
  • Data Processing Agreements;
  • transfer risk assessments;
  • contractual, technical, and organizational safeguards; or
  • other lawful transfer mechanisms permitted by applicable law.

You acknowledge that third-party model providers and infrastructure partners may operate globally and that international processing may be necessary to provide the Service.

9. Data Retention

We retain personal data for as long as reasonably necessary for the purposes described in this Privacy Notice, unless a longer retention period is required or permitted by law.

Retention periods may vary depending on the type of data, account status, legal requirements, security needs, billing needs, dispute risk, fraud prevention needs, provider requirements, and operational requirements.

Unless otherwise stated or required by law, we generally apply the following retention approach:

  1. Account data: retained while your account is active and for a reasonable period after closure for legal, security, fraud prevention, and business record purposes.
  2. Billing, invoice, tax, and transaction records: retained for the period required by applicable tax, accounting, payment, and legal obligations.
  3. API usage logs and technical metadata: retained for a reasonable period for billing, security, debugging, fraud prevention, abuse monitoring, and service improvement.
  4. Inputs and Outputs: retained only as necessary to provide the Service, support debugging, comply with legal obligations, investigate abuse, enforce policies, or as otherwise described in product settings or agreements.
  5. Support communications: retained for as long as necessary to resolve the request, maintain business records, improve support, and protect legal rights.
  6. Security and abuse logs: retained for as long as necessary to protect the Service, investigate misuse, enforce policies, and comply with legal obligations.
  7. Aggregated, anonymized, or de-identified data: may be retained indefinitely where it can no longer reasonably identify an individual.

We may delete, anonymize, or aggregate data when it is no longer needed. We may also retain certain data where deletion is delayed due to backups, legal holds, fraud investigations, dispute resolution, security incidents, accounting obligations, or technical limitations.

10. Security

We implement reasonable technical, organizational, and administrative measures designed to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure.

These measures may include, where appropriate:

  • encryption in transit;
  • encryption at rest;
  • access controls;
  • authentication controls;
  • API key hashing or protection;
  • logging and monitoring;
  • network security controls;
  • role-based access restrictions;
  • secure development practices;
  • vulnerability management;
  • incident response procedures; and
  • vendor security review.

No method of transmission, storage, or processing is completely secure. We cannot guarantee that the Service will be immune from unauthorized access, cyberattacks, data loss, technical failure, or other security incidents.

You are responsible for maintaining the confidentiality of your account credentials, API keys, access tokens, organization settings, and systems that connect to the Service. We are not responsible for unauthorized access resulting from your failure to secure your credentials, API keys, devices, networks, applications, or end-user environments.

11. Cookies and Similar Technologies

We may use cookies and similar technologies for the following purposes:

  1. Strictly necessary cookies: required for authentication, session management, security, account access, load balancing, and core site functionality.
  2. Preference cookies: used to remember settings such as language, display preferences, and cookie choices.
  3. Analytics cookies: used to understand how users interact with the Service, measure performance, improve product design, and diagnose issues.
  4. Security and fraud prevention technologies: used to detect abuse, prevent automated attacks, protect accounts, and enforce usage limits.
  5. Marketing cookies: used only where permitted by law or with consent where consent is required.

You can manage cookies through your browser settings and, where available, through our cookie preference tools. Disabling certain cookies may affect the availability or functionality of the Service.

We do not use cookies for cross-site behavioral advertising without providing required notice and consent or opt-out rights where applicable.

12. Marketing Communications

We may send administrative, transactional, security, billing, and service-related communications without requiring marketing consent where permitted by law.

We may send promotional or marketing communications if you have consented or where otherwise permitted by applicable law. You may opt out of marketing communications at any time by using the unsubscribe link in the message or contacting us.

Opting out of marketing communications does not prevent us from sending non-marketing messages related to your account, security, billing, legal notices, or service operations.

13. Your Privacy Rights

Depending on your location and applicable law, you may have rights regarding your personal data, including the right to:

  • access personal data we hold about you;
  • request correction of inaccurate or incomplete data;
  • request deletion of personal data;
  • request restriction of processing;
  • object to certain processing;
  • withdraw consent where processing is based on consent;
  • request data portability;
  • opt out of certain marketing or targeted advertising activities;
  • appeal certain decisions where required by law; and
  • lodge a complaint with a data protection authority.

These rights are not absolute and may be subject to legal limitations, exemptions, verification requirements, retention obligations, security needs, fraud prevention needs, and the rights of others.

To exercise your rights, contact us using the contact details below. We may ask you to verify your identity and provide information necessary to process your request. We may refuse, limit, or delay a request where permitted by law, including where the request is excessive, unfounded, repetitive, technically infeasible, legally restricted, or affects the rights and freedoms of others.

If you are an end user of one of our business customers, we may direct your request to that business customer where the customer controls the relevant personal data.

14. Automated Decision-Making

We may use automated systems to support security, fraud prevention, abuse detection, rate limiting, account protection, model routing, billing calculations, and service reliability.

These systems may affect account access, API access, credit usage, STAR rewards, rate limits, payment review, or fraud investigation. Where required by law, you may request human review of decisions that produce legal or similarly significant effects.

We do not intentionally use automated decision-making to make high-impact decisions about employment, credit, housing, education, healthcare, insurance, legal status, criminal justice, or public benefits on behalf of customers.

15. Children's Privacy

The Service is not directed to children. You must be at least 18 years old, or the age of legal majority in your jurisdiction, to use the Service unless we expressly allow otherwise in writing.

We do not knowingly collect personal data from children. If you believe that a child has provided personal data to us without appropriate consent, please contact us and we will take reasonable steps to delete the data where required by law.

You may not submit children's personal data to the Service unless you have all legally required rights, consents, and safeguards.

16. Regional Privacy Disclosures

16.1 European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, you may have rights under applicable data protection laws, including the GDPR or UK GDPR. You may contact us to exercise your rights or to ask questions about our processing activities.

Where required, we will identify the applicable controller, processor, representative, or data protection contact in our product, contract, Data Processing Agreement, or this Privacy Notice.

You may also have the right to lodge a complaint with your local supervisory authority.

16.2 Republic of Korea

If Korean privacy law applies, we process personal data in accordance with applicable requirements under the Personal Information Protection Act and related regulations. You may request access, correction, deletion, suspension of processing, or other rights available under applicable Korean law, subject to legal limitations and verification requirements.

16.3 United States State Privacy Laws

Depending on your state of residence, you may have rights to access, correct, delete, obtain a copy of, or opt out of certain uses of personal data. We do not sell personal data for money. If we engage in activities considered "selling," "sharing," or targeted advertising under applicable state privacy laws, we will provide required notices and opt-out mechanisms.

17. Third-Party Links and Services

The Service may contain links to third-party websites, documentation, payment pages, model providers, community platforms, or external services. We are not responsible for the privacy practices, security, content, or policies of third parties.

You should review the privacy notices and terms of any third-party service before using it or providing personal data to it.

18. Data Processing Agreements

For business customers who require a Data Processing Agreement, Standard Contractual Clauses, or other data protection terms, starllm may provide such terms where appropriate and commercially feasible.

Unless a separate written agreement states otherwise, this Privacy Notice does not create any obligation for starllm to accept special processing instructions, sector-specific compliance obligations, data residency requirements, custom retention periods, custom subprocessors, or custom security requirements.

Any custom privacy, security, compliance, data residency, or regulated-data obligations must be agreed in writing by starllm.

19. Limitation Regarding Security Incidents

We use reasonable safeguards designed to protect personal data, but no system can be guaranteed to be completely secure.

To the maximum extent permitted by applicable law, starllm is not responsible for unauthorized access, loss, disclosure, alteration, or misuse of personal data resulting from:

  • user-side credential compromise;
  • leaked or mismanaged API keys;
  • insecure customer applications or integrations;
  • customer-side configuration errors;
  • malware or compromise on customer devices or networks;
  • third-party provider failures;
  • internet or cloud infrastructure failures;
  • force majeure events;
  • attacks that could not reasonably have been prevented using commercially reasonable safeguards; or
  • other circumstances outside our reasonable control.

Where required by applicable law, we will notify affected users, customers, regulators, or other parties of a personal data breach in accordance with applicable legal requirements.

20. Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, technology, legal requirements, providers, business operations, or service offerings.

When we update this Privacy Notice, we will revise the effective date above. Where required by law or where changes are material, we may provide additional notice, such as by email, dashboard notification, or website notice.

Your continued use of the Service after an updated Privacy Notice becomes effective means that you acknowledge the updated Privacy Notice.

21. Contact Us

If you have questions, requests, or concerns about this Privacy Notice or our privacy practices, please contact us at:

Website: https://starllm.org

If you are contacting us about a privacy rights request, please include enough information for us to verify your identity and understand your request. We may request additional information where necessary for verification, security, or legal compliance.