Privacy Policy

Last updated: January 2025

1. Introduction

LLMBase, operated by Eyloo GmbH, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI platform. We process personal data in accordance with applicable European data protection requirements.

Our Commitment: We operate with a privacy-first approach, hosting our infrastructure in selected European locations and implementing data minimization and anonymization measures to protect your data.

2. Data Controller

The data controller responsible for your personal data is:

Eyloo GmbH
Im Hemchen 20
56410 Montabaur
Germany
Email: privacy@llmbase.ai
Data Protection Contact: privacy@llmbase.ai

3. Information We Collect

We collect information that you provide directly to us, including:

  • Account Information: Name, email address, and authentication credentials (managed via Hanko)
  • Usage Data: Interactions with our AI services, chat history, model selections, and API usage patterns
  • Technical Data: IP address (anonymized where possible), browser type, device information, and session data
  • Analytics Data: Website, product, and conversion analytics via DataFast, Pirsch, PostHog, and X Ads where applicable
  • Error Logs: Technical error information collected via Sentry for service improvement
  • Payment Information: Billing details and payment methods (processed securely by third-party payment processors)

4. LLM Processing & Data Architecture

4.1 European-Hosted Models

We host selected Large Language Models directly on European infrastructure. Current hosting locations include Germany, Finland, Switzerland, and the Netherlands. When you use these models:

  • Data Location: Processing occurs in the listed European hosting locations
  • Data Sovereignty: We prioritize European hosting and European data protection standards
  • Direct Processing: No external AI labs are involved
  • Full Control: We maintain complete control over the infrastructure and data processing
  • Model Training: Your queries are NOT used to train or improve third-party models

4.2 Lab Models

LLMBase Chat may also offer lab models such as OpenAI GPT, Anthropic Claude, Google Gemini, xAI Grok, and similar commercial models when they are available for your plan. When you choose those models, the following protections apply:

Privacy Protection Measures:

  • Data Minimization: LLMBase sends only the prompt content and settings required to produce the selected response
  • Account Separation: LLMBase account identifiers, session tokens, billing data, and internal analytics identifiers are not part of the model prompt
  • IP Protection: Model requests originate from LLMBase infrastructure rather than your browser or device
  • No Training by LLMBase: LLMBase does not use your conversations to train AI models
  • Plan Choice: For maximum data locality, choose EU-hosted open-source models in the model picker

Important: Lab models are optional. The model picker lets you choose between EU-hosted open-source models and available lab models based on your privacy and workload requirements.

4.3 Model Selection Transparency

We clearly indicate which models are European-hosted and which are lab models. You can make informed choices about which models to use based on your privacy preferences.

5. Third-Party Services & Processors

We work with carefully selected third-party processors who meet strict GDPR compliance standards. All processors have signed Data Processing Agreements (DPAs) with us:

Hanko

Purpose: User authentication and identity management

Data Processed: Email addresses, authentication credentials, session tokens, user profile information

Location: United States with Standard Contractual Clauses (SCCs)

Legal Basis: Contract performance, Data Processing Agreement in place


Cloudflare D1

Purpose: Database storage for application data

Data Processed: Chat history, usage counters, subscription metadata, waitlist emails

Location: Cloudflare network (EU data handling per configuration)

Legal Basis: Contract performance, Data Processing Agreement in place


Cloudflare

Purpose: Content delivery network, DDoS protection, and web security

Data Processed: IP addresses (anonymized), request headers, technical connection data

Location: Global network with EU data centers

Legal Basis: Legitimate interest (security), Standard Contractual Clauses


Sentry

Purpose: Error tracking and application performance monitoring

Data Processed: Error logs, stack traces, device information (anonymized)

Location: EU-hosted option enabled

Legal Basis: Legitimate interest (service quality), Data Processing Agreement


DataFast

Purpose: Website analytics, acquisition attribution, and revenue attribution

Data Processed: Page activity, referrer and campaign parameters, visitor/session identifiers, cookies, IP address, browser and device information, country, and checkout attribution metadata

Location: International infrastructure, including the United States, with safeguards such as Standard Contractual Clauses where applicable

Legal Basis: Legitimate interest in understanding acquisition and revenue performance; consent where required by applicable cookie law


Pirsch

Purpose: Privacy-friendly website analytics while we evaluate analytics providers

Data Processed: Page views, events, referrer and campaign parameters, IP address, browser and device information, country, and technical request metadata

Location: Germany / European Union

Legal Basis: Legitimate interest in service improvement; consent where required by applicable cookie law


PostHog

Purpose: Product analytics for LLMBase Chat and bundled mobile/desktop app surfaces

Data Processed: Product behavior, feature interactions, runtime platform, and session identifiers

Location: Self-hosted on our EU infrastructure or EU cloud option

Legal Basis: Legitimate interest (product improvement), Data Processing Agreement


X Ads

Purpose: Advertising conversion measurement

Data Processed: Conversion events, technical identifiers, and campaign attribution data required for X Ads measurement

Location: Global infrastructure, including the United States

Legal Basis: Consent where required; legitimate interest where legally available

Important Note: We configure all analytics tools to maximize privacy protection, including IP anonymization, opt-out mechanisms, and minimal data collection settings.

6. Legal Basis for Processing

Under GDPR, we process your personal data based on:

  • Contract Performance (Art. 6(1)(b) GDPR): To provide our AI services and fulfill our contractual obligations to you
  • Legitimate Interest (Art. 6(1)(f) GDPR): To improve our services, ensure security, prevent fraud, and optimize performance
  • Legal Obligation (Art. 6(1)(c) GDPR): To comply with applicable laws, regulations, and legal processes
  • Consent (Art. 6(1)(a) GDPR): For marketing communications and optional features (which you can withdraw at any time)

7. Data Storage and Security

7.1 Infrastructure Location

Our infrastructure uses European hosting locations, currently including Germany, Finland, Switzerland, and the Netherlands. This supports:

  • European data protection standards
  • Regional data processing choices for supported services
  • Reduced reliance on non-European infrastructure for hosted models
  • Physical and operational security controls at selected providers

7.2 Security Measures

We implement comprehensive technical and organizational measures:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication
  • Network Security: Cloudflare DDoS protection and Web Application Firewall (WAF)
  • Monitoring: 24/7 security monitoring and automated threat detection via Sentry
  • Regular Audits: Periodic security assessments and penetration testing
  • Data Minimization: We collect only necessary data and anonymize where possible
  • Backup & Recovery: Encrypted backups with geographic redundancy within the EU

7.3 Employee Access

Access to personal data is restricted to authorized personnel only, based on the principle of least privilege. All employees undergo data protection training and are bound by confidentiality agreements.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements:

  • Account Data: Retained while your account is active, deleted within 30 days of account closure
  • Chat History: Retained according to your preferences, can be deleted at any time
  • Usage Logs: Anonymized and aggregated after 90 days, retained for 12 months for analytics
  • Payment Data: Retained for 10 years to comply with German tax law (HGB, AO)
  • Support Tickets: Retained for 3 years for quality assurance and legal compliance
  • Marketing Data: Retained until consent is withdrawn or until 3 years of inactivity have elapsed

When data is no longer needed, we securely delete or anonymize it using industry-standard data destruction methods.

9. Your GDPR Rights

Under GDPR, you have comprehensive rights regarding your personal data:

  • Right to Access (Art. 15 GDPR): Request a copy of all personal data we hold about you
  • Right to Rectification (Art. 16 GDPR): Correct inaccurate or incomplete personal data
  • Right to Erasure (Art. 17 GDPR): Request deletion of your personal data ("Right to be Forgotten")
  • Right to Restriction (Art. 18 GDPR): Limit how we process your personal data
  • Right to Data Portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format
  • Right to Object (Art. 21 GDPR): Object to processing based on legitimate interest
  • Right to Withdraw Consent (Art. 7(3) GDPR): Withdraw consent at any time for consent-based processing

How to Exercise Your Rights: Contact us at privacy@llmbase.ai with your request. We will respond within one month as required by GDPR. You may also access many of these functions directly through your account settings.

10. Cookies and Tracking Technologies

We use essential cookies for:

  • Authentication: To keep you logged in securely
  • Security: To prevent fraud and protect our services
  • Preferences: To remember your settings and choices

We also use functional analytics and conversion technologies, including DataFast cookies, Pirsch analytics, and X Ads conversion pixels, to understand acquisition, revenue attribution, and marketing performance after the relevant cookie preference is accepted.

You can manage cookie preferences through the cookie banner and your browser settings. Note that disabling essential cookies may affect the functionality of our services.

11. International Data Transfers

We prioritize keeping your data within the European Union. However, when transfers outside the EU are necessary (e.g., for certain lab models), we ensure:

  • Anonymization: All identifying information is removed before any international transfer
  • Standard Contractual Clauses (SCCs): EU-approved data transfer mechanisms
  • Adequacy Decisions: Transfers only to countries recognized by the EU as having adequate data protection
  • Additional Safeguards: Supplementary measures beyond SCCs, including encryption and access controls

These safeguards are designed so that, even when you choose models hosted outside Europe, identifying account and session data remains protected.

12. Children's Privacy

Our services are not intended for children under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us immediately.

13. AI-Specific Privacy Considerations

13.1 Model Training

Open-Source Models: We may use aggregated, anonymized data to fine-tune open-source models hosted on our infrastructure. Individual user data is never used without explicit consent.

Lab Models: When using optional lab models, LLMBase does not use your data for model training, and we require training protections in our commercial terms where available.

13.2 Prompt and Response Data

Your prompts and AI responses are treated as personal data and are subject to the same protections outlined in this policy. You can delete your chat history at any time through your account settings.

13.3 AI Quality Improvement

We may analyze anonymized and aggregated usage patterns to improve our service quality, model selection, and user experience. This analysis never includes identifiable personal data.

14. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours (as required by GDPR Art. 33)
  • Inform affected users without undue delay if the breach poses a high risk
  • Provide clear information about the nature of the breach and mitigation steps
  • Document all breaches in accordance with GDPR requirements

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will:

  • Post the updated policy on this page with a new "Last updated" date
  • Notify you via email of material changes if required by law
  • Provide reasonable notice before implementing changes that require your consent
  • Maintain an archive of previous versions available upon request

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Eyloo GmbH
Privacy Inquiries: privacy@llmbase.ai
Data Protection Contact: privacy@llmbase.ai
General Support: support@llmbase.ai

17. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement, if you believe we have not complied with GDPR requirements.

For Rheinland-Pfalz, the competent supervisory authority is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Website: www.datenschutz.rlp.de