Privacy Policy

Last updated: January 2025

1. Introduction

LLMBase, operated by Eyloo GmbH, is committed to protecting your privacy and maintaining the highest standards of data protection. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI platform. We are fully GDPR compliant and process all data in accordance with European data protection regulations.

Our Commitment: We operate with a privacy-first approach, hosting our infrastructure in Germany and implementing advanced data anonymization techniques to ensure your data sovereignty remains protected at all times.

2. Data Controller

The data controller responsible for your personal data is:

Eyloo GmbH
Germany
Email: privacy@llmbase.ai
Data Protection Officer: dpo@llmbase.ai

3. Information We Collect

We collect information that you provide directly to us, including:

  • Account Information: Name, email address, and authentication credentials (managed via Appwrite)
  • Usage Data: Interactions with our AI services, chat history, model selections, and API usage patterns
  • Technical Data: IP address (anonymized where possible), browser type, device information, and session data
  • Analytics Data: Privacy-focused analytics via Pirsch Analytics and PostHog (anonymized and aggregated)
  • Error Logs: Technical error information collected via Sentry for service improvement
  • Payment Information: Billing details and payment methods (processed securely by third-party payment processors)

4. LLM Processing & Data Architecture

4.1 Open-Source Models (Germany-Hosted)

We host open-source Large Language Models directly on our infrastructure located in Germany. This includes models that are freely available under open-source licenses. When you use these models:

  • Data Location: All processing occurs exclusively within German data centers
  • Data Sovereignty: Your data never leaves the European Union
  • Direct Processing: No third-party AI providers are involved
  • Full Control: We maintain complete control over the infrastructure and data processing
  • Model Training: Your queries are NOT used to train or improve third-party models

4.2 Proprietary Models (Anonymized Proxy)

For proprietary models that are not open-source (including but not limited to Grok, GPT-4, Claude, and other commercial models), we implement a privacy-preserving proxy architecture:

Privacy Protection Measures:

  • Request Anonymization: All identifying information is stripped from requests before forwarding
  • IP Masking: Your IP address is replaced with our server's IP address
  • Metadata Removal: User identifiers, session tokens, and tracking information are removed
  • Proxy Layer: Requests are routed through our German infrastructure before reaching external providers
  • Response Sanitization: Responses are processed to remove any potential tracking mechanisms
  • No Data Retention by Providers: We negotiate data processing agreements that prohibit model providers from storing or training on your data

Important: Even when using proprietary models, your identity and personal information remain protected through our anonymization layer. The model providers receive only the content of your query without any identifying information.

4.3 Model Selection Transparency

We clearly indicate which models are hosted in Germany and which are proxied through our anonymization layer. You can make informed choices about which models to use based on your privacy preferences.

5. Third-Party Services & Processors

We work with carefully selected third-party processors who meet strict GDPR compliance standards. All processors have signed Data Processing Agreements (DPAs) with us:

Clerk

Purpose: User authentication and identity management

Data Processed: Email addresses, authentication credentials, session tokens, user profile information

Location: United States with Standard Contractual Clauses (SCCs)

Legal Basis: Contract performance, Data Processing Agreement in place


Appwrite

Purpose: Backend services and database management

Data Processed: Application data, user-generated content

Location: EU-hosted infrastructure

Legal Basis: Contract performance, Data Processing Agreement in place


Cloudflare

Purpose: Content delivery network, DDoS protection, and web security

Data Processed: IP addresses (anonymized), request headers, technical connection data

Location: Global network with EU data centers

Legal Basis: Legitimate interest (security), Standard Contractual Clauses


Sentry

Purpose: Error tracking and application performance monitoring

Data Processed: Error logs, stack traces, device information (anonymized)

Location: EU-hosted option enabled

Legal Basis: Legitimate interest (service quality), Data Processing Agreement


Pirsch Analytics

Purpose: Privacy-focused website analytics

Data Processed: Anonymized usage statistics, no personal identifiers

Location: EU/Germany

Legal Basis: Legitimate interest, GDPR-compliant (no consent required)


PostHog

Purpose: Product analytics and feature usage tracking

Data Processed: Anonymized user behavior, feature interactions

Location: Self-hosted on our EU infrastructure or EU cloud option

Legal Basis: Legitimate interest (product improvement), Data Processing Agreement

Important Note: We configure all analytics tools to maximize privacy protection, including IP anonymization, opt-out mechanisms, and minimal data collection settings.

6. Legal Basis for Processing

Under GDPR, we process your personal data based on:

  • Contract Performance (Art. 6(1)(b) GDPR): To provide our AI services and fulfill our contractual obligations to you
  • Legitimate Interest (Art. 6(1)(f) GDPR): To improve our services, ensure security, prevent fraud, and optimize performance
  • Legal Obligation (Art. 6(1)(c) GDPR): To comply with applicable laws, regulations, and legal processes
  • Consent (Art. 6(1)(a) GDPR): For marketing communications and optional features (which you can withdraw at any time)

7. Data Storage and Security

7.1 Infrastructure Location

Our primary infrastructure is hosted in German data centers that comply with the highest security standards, including ISO 27001 certification. This ensures:

  • Full compliance with German and EU data protection laws
  • Data sovereignty within the European Union
  • Protection from non-EU governmental data access requests
  • Physical security measures meeting German banking standards

7.2 Security Measures

We implement comprehensive technical and organizational measures:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication
  • Network Security: Cloudflare DDoS protection and Web Application Firewall (WAF)
  • Monitoring: 24/7 security monitoring and automated threat detection via Sentry
  • Regular Audits: Periodic security assessments and penetration testing
  • Data Minimization: We collect only necessary data and anonymize where possible
  • Backup & Recovery: Encrypted backups with geographic redundancy within the EU

7.3 Employee Access

Access to personal data is restricted to authorized personnel only, based on the principle of least privilege. All employees undergo data protection training and are bound by confidentiality agreements.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements:

  • Account Data: Retained while your account is active, deleted within 30 days of account closure
  • Chat History: Retained according to your preferences, can be deleted at any time
  • Usage Logs: Anonymized and aggregated after 90 days, retained for 12 months for analytics
  • Payment Data: Retained for 10 years to comply with German tax law (HGB, AO)
  • Support Tickets: Retained for 3 years for quality assurance and legal compliance
  • Marketing Data: Retained until consent is withdrawn or until 3 years of inactivity have passed

When data is no longer needed, we securely delete or anonymize it using industry-standard data destruction methods.

9. Your GDPR Rights

Under GDPR, you have comprehensive rights regarding your personal data:

  • Right to Access (Art. 15 GDPR): Request a copy of all personal data we hold about you
  • Right to Rectification (Art. 16 GDPR): Correct inaccurate or incomplete personal data
  • Right to Erasure (Art. 17 GDPR): Request deletion of your personal data ("Right to be Forgotten")
  • Right to Restriction (Art. 18 GDPR): Limit how we process your personal data
  • Right to Data Portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format
  • Right to Object (Art. 21 GDPR): Object to processing based on legitimate interest
  • Right to Withdraw Consent (Art. 7(3) GDPR): Withdraw consent at any time for consent-based processing

How to Exercise Your Rights: Contact us at privacy@llmbase.ai with your request. We will respond within one month as required by GDPR. You may also access many of these functions directly through your account settings.

10. Cookies and Tracking Technologies

We use privacy-focused analytics tools (Pirsch Analytics) that do not require cookie consent under GDPR as they do not collect personal data. We also use essential cookies for:

  • Authentication: To keep you logged in securely
  • Security: To prevent fraud and protect our services
  • Preferences: To remember your settings and choices

You can manage cookie preferences in your browser settings. Note that disabling essential cookies may affect the functionality of our services.

11. International Data Transfers

We prioritize keeping your data within the European Union. However, when transfers outside the EU are necessary (e.g., for certain proprietary AI models), we ensure:

  • Anonymization: All identifying information is removed before any international transfer
  • Standard Contractual Clauses (SCCs): EU-approved data transfer mechanisms
  • Adequacy Decisions: Transfers only to countries recognized by the EU as having adequate data protection
  • Additional Safeguards: Supplementary measures beyond SCCs, including encryption and access controls

Our proxy architecture ensures that even when using models hosted outside the EU, your personal data remains protected through our Germany-based anonymization layer.

12. Children's Privacy

Our services are not intended for children under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us immediately.

13. AI-Specific Privacy Considerations

13.1 Model Training

Open-Source Models: We may use aggregated, anonymized data to fine-tune open-source models hosted on our infrastructure. Individual user data is never used without explicit consent.

Proprietary Models: When using our proxy service for external AI providers, we have negotiated agreements ensuring your data is NOT used for model training by those providers.

13.2 Prompt and Response Data

Your prompts and AI responses are treated as personal data and are subject to the same protections outlined in this policy. You can delete your chat history at any time through your account settings.

13.3 AI Quality Improvement

We may analyze anonymized and aggregated usage patterns to improve our service quality, model selection, and user experience. This analysis never includes identifiable personal data.

14. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours (as required by GDPR Art. 33)
  • Inform affected users without undue delay if the breach poses a high risk
  • Provide clear information about the nature of the breach and mitigation steps
  • Document all breaches in accordance with GDPR requirements

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will:

  • Post the updated policy on this page with a new "Last updated" date
  • Notify you via email of material changes if required by law
  • Provide reasonable notice before implementing changes that require your consent
  • Maintain an archive of previous versions available upon request

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Eyloo GmbH
Privacy Inquiries: privacy@llmbase.ai
Data Protection Officer: dpo@llmbase.ai
General Support: support@llmbase.ai

17. Limitations and Disclaimers

This Privacy Policy is provided for informational purposes. While we make commercially reasonable efforts to protect your data, we cannot guarantee absolute security.

17.1 No Absolute Security

Despite our security measures, no system is completely secure. We disclaim all warranties regarding data security, whether express or implied. You acknowledge that internet transmission is inherently insecure and that you use our services at your own risk. We are not responsible for unauthorized access, hacking, data loss, or any damages resulting from security breaches beyond our reasonable control. You further acknowledge that:

  • Data transmission over the internet carries inherent risks
  • Third-party services may have their own security vulnerabilities
  • We cannot prevent all unauthorized access attempts
  • You are responsible for securing your own devices and credentials
  • By using our services, you accept these risks
  • Your sole remedy for any privacy-related concerns is to discontinue use of the service

17.2 Third-Party Disclaimer

We are not responsible for the privacy practices of third-party services (Clerk, Cloudflare, Sentry, etc.), even though we have Data Processing Agreements with them. Their terms and policies govern their relationship with you. We expressly disclaim all liability for their actions, data breaches, or policy changes.

17.3 Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING FROM PRIVACY-RELATED ISSUES, INCLUDING BUT NOT LIMITED TO DATA BREACHES, UNAUTHORIZED ACCESS, OR DISCLOSURE OF INFORMATION. OUR TOTAL LIABILITY SHALL NOT EXCEED €100 OR THE AMOUNT YOU PAID US IN THE LAST 12 MONTHS, WHICHEVER IS LOWER.

18. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement, if you believe we have not complied with GDPR requirements.

For Germany, the competent supervisory authority is:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Website: www.bfdi.bund.de