Legal

Privacy Policy

Effective date: May 25, 2026 · Last updated: May 25, 2026

ModelMeld is operated by Stretto Labs LLC, a Wyoming limited liability company doing business as ModelMeld ("we," "our," or "us"). This policy explains what information we collect when you use modelmeld.ai and our hosted services, why we collect it, who we share it with, and what choices you have about it. We've written it in plain language. If anything is unclear, email hello@modelmeld.ai.

1. What we collect

Account information.When you purchase credits or subscribe, we collect the email address you provided at checkout. That email becomes your account identifier. We also store a license JWT we issue to you — it's how you authenticate against the account portal.

Service metadata.When you make a request through the hosted gateway, we log: timestamp, model selected, token counts, latency, cost, and a SHA-256 hash of the prompt content. We use this to operate the service, attribute cost, detect abuse, and produce your account's usage history.

Payment information. Payments are processed by Stripe. Stripe collects your card details directly — we never see them. We retain the Stripe customer ID, the transaction amounts, and the email associated with the purchase.

Website analytics.Vercel Analytics tracks page views, referrers, and country-level geography on modelmeld.ai. It's cookieless and anonymous — no IP-level identification, no cross-site tracking, no consent banner required.

Server logs. Our hosting providers (Render, Vercel) retain server-side request logs (IP address, user agent, request path, response status) on our behalf, typically for 30 days, for security and debugging purposes.

2. What we do NOT collect

Prompt or completion text bodies. The gateway stores a SHA-256 hash of each prompt, not the prompt content itself. The same applies to completions. This is enforced in the open-source engine and is verifiable by reading the code at src/modelmeld/privacy/scrubber.py and src/modelmeld/api/byok.py in the public repository.

Your frontier API keys. When you use the hosted service with your own OpenAI / Anthropic / other frontier provider keys, those keys are sent through our gateway to the provider in real time. They are never persisted to disk, written to logs, or transmitted to any third party other than the provider you authorized.

Payment card details. Stripe handles card collection; we are out of PCI scope.

Optional features that DO store prompt content (completion cache, tiered memory) are off by default and require explicit per-request opt-in via HTTP headers. When enabled, the stored content is scoped to your tenant and subject to the retention windows below.

3. How we use your information

  • To provide the routing gateway and account services you purchased.
  • To process payments and send receipts and license keys.
  • To send transactional emails (license delivery, balance receipts, service-status notices). We do not send marketing email.
  • To detect, investigate, and prevent abuse and fraud.
  • To meet legal, accounting, and tax obligations.
  • To debug and improve the service via aggregate metrics.

We do not use your data to train any model. We do not sell your data. We have not received any law-enforcement requests as of the effective date of this policy.

4. Sub-processors

We use the following sub-processors to provide the service. Each of them processes a specific subset of data on our behalf under their own terms.

  • Stripe, Inc. (United States) — payment processing. Receives your name, email, card details, billing address.
  • Resend, Inc. (United States) — transactional email delivery. Receives your email address and message content (license keys, receipts).
  • Render Services, Inc. (United States) — backend hosting and managed Postgres. Stores account metadata, audit events, billing records.
  • Vercel Inc. (United States) — website hosting and cookieless analytics.
  • Google LLC (United States) — our internal business email (Google Workspace).
  • Mercury Technologies, Inc. (United States) — business banking; not directly customer-facing.

We will update this list before adding a new sub-processor whose processing meaningfully changes the categories of data handled.

5. Data retention

  • Account information — retained while your account is active. Deleted within 30 days of account closure except where retention is required by law.
  • Audit events and service metadata — retained for 12 months from the date of the event.
  • Billing records and tax-relevant data — retained for 7 years to meet U.S. tax obligations.
  • Server logs — retained by our hosting providers for approximately 30 days.
  • License keys — retained while your subscription is active; revocation list retained indefinitely so revoked keys cannot be reused.

6. Your rights

Depending on where you live, you may have rights under the General Data Protection Regulation (EU/UK GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and similar laws. These typically include:

  • The right to access the personal information we hold about you.
  • The right to correct inaccurate information.
  • The right to deletion (subject to legal retention exceptions).
  • The right to data portability (export of your data).
  • The right to opt out of any sale of personal information. (We do not sell personal information.)
  • The right to non-discrimination for exercising these rights.

To exercise any of these rights, email hello@modelmeld.ai from the email associated with your account. We respond within 30 days.

7. Security

We use TLS in transit, encryption at rest for sensitive columns in our database, signed Ed25519 JWTs for license verification, HMAC-signed webhook delivery, and access controls scoped to the principle of least privilege. We sign our release artifacts and publish a CycloneDX SBOM. The open-source engine's security posture is documented in the public SECURITY.md file. To report a security vulnerability, email security@modelmeld.ai.

No system is perfectly secure. We do not warrant that the service will be free of security incidents.

8. International transfers

Our infrastructure runs in the United States. If you access the service from outside the United States, your information will be transferred to and stored in the United States, which may have data-protection laws different from those in your country.

9. Children's privacy

ModelMeld is not directed to children under 13. We do not knowingly collect information from children under 13. If we learn we have, we will delete it promptly.

10. Changes to this policy

We may update this policy from time to time. When we make a material change, we'll update the "Last updated" date at the top. For changes that meaningfully reduce your rights, we will provide reasonable notice (typically by email to the address associated with your account) before the change takes effect.

11. Contact

Privacy questions, requests to exercise your rights, or anything else: hello@modelmeld.ai. Security reports go to security@modelmeld.ai.