Privacy Policy

1. Information We Collect

1.1 Account Information

• Email address, display name, and password (hashed — never stored in plain text).
• Google OAuth profile information if you choose to sign in with Google.
• Profile avatar (optional, user-provided URL).

1.2 Usage & Transaction Data

• API request logs: model used, token counts (input/output), cost, latency, and HTTP status code.
• Wallet transactions: top-up amounts, spending history, and earnings (for Providers).
• API key identifiers (we store only a SHA-256 hash of your full key — the full key is never stored).

1.3 Provider Data

• Provider profile details (name, description, type).
• Upstream API keys for registered model endpoints — stored AES-256-GCM encrypted at rest.
• Model configuration: base URL, pricing, capabilities.

1.4 Technical Data

• IP addresses, browser type, and request metadata for security and fraud prevention.
• Cookies and localStorage for session management and user preferences (theme, sidebar state).

2. What We Do NOT Collect

• Prompt content: We do not store, read, or log the content of messages you send to AI models. Request logs record only token counts and metadata — not the actual text.
• AI model outputs: We do not store the text generated by any AI model. Output content passes through our gateway but is not persisted.
• Payment card data: Card details are handled entirely by our third-party payment processors and are never stored on our servers.

3. How We Use Your Information

• To provide, operate, and improve the Foza platform.
• To authenticate your identity and secure your account.
• To process payments, calculate token costs, and manage wallet balances.
• To calculate and disburse Provider earnings, net of the Marketplace Fee.
• To display usage analytics and request logs in your console.
• To detect fraud, abuse, and security incidents.
• To send transactional emails (account confirmation, security alerts). We do not send marketing emails without your explicit consent.
• To comply with legal obligations.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process personal data on the following bases:

• Contractual necessity: Account management, transaction processing, and service delivery.
• Legitimate interests: Security, fraud prevention, and platform improvement.
• Legal obligation: Compliance with tax, financial reporting, or law enforcement requirements.
• Consent: Marketing communications, where applicable.

5. Data Sharing & Disclosure

We do not sell your personal data. We may share data with:

• Payment processors: To handle wallet top-ups and payouts (they process data under their own privacy policies).
• Infrastructure providers: Cloud hosting, database, and CDN providers under data processing agreements.
• Law enforcement: When required by law, court order, or to protect the rights and safety of Foza or others.
• Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to you.

Note on AI model requests: When you send an API request, it is routed to the upstream model endpoint registered by the Provider. The Provider's own privacy policy governs data handling on their end. Foza is not responsible for Provider data practices.

6. Data Retention

• Account data is retained for the duration of your account and up to 90 days after deletion.
• Usage logs (token counts, costs, latency) are retained for 12 months for billing and analytics purposes.
• Transaction records may be retained longer to comply with tax and financial regulations.
• Encrypted Provider API keys are deleted immediately upon model removal or account termination.

7. Security

We implement industry-standard security measures including: TLS encryption in transit, AES-256-GCM encryption for sensitive credentials at rest, SHA-256 hashing for API keys, short-lived JWT access tokens (15 minutes), and bcrypt password hashing. While we take security seriously, no system is 100% secure. You are responsible for safeguarding your API keys and account credentials.

8. Cookies & Local Storage

• Authentication tokens: Stored in localStorage for session management. Cleared on logout.
• Preferences: Theme (dark/light) and sidebar state stored in localStorage. No tracking.
• We do not use advertising cookies or third-party tracking pixels.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Correct inaccurate or incomplete data.
• Erasure: Request deletion of your account and associated personal data.
• Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests.
• Restriction: Request restriction of processing in certain circumstances.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. Children's Privacy

The Platform is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, please contact us and we will delete the account promptly.

11. International Transfers

Your data may be processed in countries outside your own. When transferring data internationally, we use appropriate safeguards such as Standard Contractual Clauses or rely on adequacy decisions where applicable.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or in-platform notice at least 14 days before taking effect. The "Effective date" at the top will always reflect the current version.

13. Contact

For privacy-related questions or to exercise your rights, contact our Data Protection contact at [email protected].