Skip to content
IQ Routing

Privacy Policy

Effective date: May 1, 2026

Last reviewed: July 3, 2026

1. Information We Collect

We collect the following types of information:

  • Account information: your email address and organization name provided during registration.
  • Usage data: API request metadata including timestamps, provider selections, response latencies, token counts, and error rates.
  • Device and access data: IP address, browser type, and access timestamps when you use the dashboard.

2. Information We Do Not Collect

IQ Routing does not persistently store the content of API request or response payloads. Prompt and completion text is processed transiently for routing purposes and is not logged unless you explicitly enable payload logging in your account settings.

3. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the Service.
  • Generate analytics and insights visible in your dashboard.
  • Monitor Service performance and detect abuse or security incidents.
  • Communicate with you about your account, updates, and support requests.
  • Improve the Service through aggregated, anonymized usage analysis.

4. Data Sharing

We do not sell your personal information. We may share information with:

  • AI providers: request content, which can include your prompt text, is transmitted to the upstream provider that serves your chosen model to fulfill the request. In addition, a short, truncated excerpt of each routed request is sent to OpenAI for model-tier routing classification on IQ Routing's own credentials, independent of the provider keys you configure. Provider-specific privacy policies apply to the data they receive; the full list is on our subprocessors page.
  • Service providers: third-party services that assist in operating the platform (e.g., hosting, authentication, billing, email delivery), bound by confidentiality obligations. The current list is published on our subprocessors page.
  • Legal requirements: when required by law, subpoena, or government request.

5. Data Retention

Retention windows differ by data class:

  • Account information: retained for the duration of your account.
  • Usage and request-payload data: retained for 30 days by default, configurable between 30 and 365 days in your account settings.
  • Audit-log data: retained for 90 days or longer to support security, compliance, and chain-of-custody requirements.

Upon account deletion, we remove your personal information within 30 days, except where a longer retention period is required by law.

6. Data Security

We implement industry-standard security measures including encryption in transit (TLS 1.2+), encryption at rest for stored data, and access controls on internal systems. Provider API keys are encrypted at rest using authenticated encryption, and the key-vault reveal path uses AES-256-GCM envelope encryption. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

7. PII Redaction
Roadmap

Optional PII redaction at the gateway boundary, which would detect and mask personally identifiable information in request payloads before they reach upstream providers, is on our roadmap and is not yet live. Until it ships, do not rely on the gateway to strip PII from prompts; treat upstream providers as recipients of the payloads you send.

8. Cookies and Local Storage

The dashboard relies on a small set of first-party identifiers to keep you signed in, remember your preferences, and surface in-app announcements only once. We do not use third-party tracking cookies or advertising pixels. The identifiers we set fall into two categories, both first-party and strictly functional:

Essential identifiers (required for the Service to function):

  • Clerk session and client cookies (__session, __client, __client_uat, __clerk_db_jwt): first-party cookies set by Clerk, our authentication provider, to keep you signed in to the dashboard and protect sign-in against cross-site request forgery. Expire when your session ends or you sign out.
  • iq.active_org: HMAC-signed first-party cookie that records which organization you are currently viewing inside the dashboard. Required so the dashboard renders data for the right organization when you have access to more than one. Expires with your session.

Functional identifiers (improve the experience; persist in your browser local storage):

  • iq-theme: remembers whether you selected the light or dark theme. Holds no personally identifiable information and is never transmitted to us.
  • iq-saved-filters-*: per-org saved filter sets you choose to save on the requests, audit, and alerts surfaces. Stored only in your browser; never transmitted to us.
  • Welcome-tour and developer-panels-tour completion flags: boolean markers that prevent the dashboard from re-showing onboarding overlays after you have completed them. Stored only in your browser.
  • Banner-dismiss flags (whats-new and seed-traffic-*): boolean markers per org that record which one-time banners you have dismissed. Stored only in your browser.

All identifiers above are first-party and either strictly essential to the Service or functional preferences you control through the dashboard. We do not load third-party analytics, advertising, or cross-site tracking on the dashboard.

9. Your Rights

The data controller for the personal information described in this policy is IQ Routing. Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion of your personal information (right to erasure). When you delete your account, the gateway emits a recorded erasure event and removes your personal information within 30 days, except where a longer retention period is required by law.
  • Object to or restrict certain processing of your information.
  • Export your data in a portable format.
  • Withdraw consent at any time, where processing is based on your consent.
  • Lodge a complaint with a supervisory authority (for individuals in the European Economic Area or the United Kingdom).

To exercise any of these rights, contact us at the address below.

9a. Legal Bases for Processing (GDPR)

Where the EU or UK General Data Protection Regulation applies, we rely on the following Article 6 legal bases, by purpose:

  • Performance of a contract (Art. 6(1)(b)) to provide, operate, and maintain the Service and to route your API requests.
  • Legitimate interests (Art. 6(1)(f)) to monitor Service performance, detect abuse and security incidents, and improve the Service through aggregated, anonymized analysis.
  • Legal obligation (Art. 6(1)(c)) to retain audit-log and billing records as required by law.
  • Consent (Art. 6(1)(a)) for any processing you opt into, such as enabling payload logging.

9b. California Privacy Rights (CCPA/CPRA)

In the past twelve months we have collected the following categories of personal information, as defined by the California Consumer Privacy Act: identifiers (such as your email address and IP address), commercial information (such as your subscription and billing records), and internet or network activity (such as API request metadata and dashboard access logs).

We do not sell or share your personal information as those terms are defined under California law, and we have not done so in the preceding twelve months. California residents may exercise their rights to know, delete, correct, and opt out without discriminatory treatment by contacting us at the address below.

10. International Data Transfers

Your information may be processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place for any cross-border data transfers.

10a. Data Processing Addendum

A Data Processing Addendum (DPA) is available on request. Contact privacy@iq-routing.com to request a copy.

11. Children's Privacy

The Service is not directed to individuals under the age of 16, and in the United States we do not knowingly collect personal information from children under 13 (COPPA). If we learn that we have collected information from a child below the applicable age, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date. Continued use of the Service after changes constitutes acceptance of the revised policy.

13. Contact

For privacy-related inquiries, contact us at privacy@iq-routing.com.

IQ Routing
734 Cimity Ct, San Jose, CA 95138