Privacy Policy

What data flows through the proxy, the data-logging modes you control, how long anything is kept, and the subprocessors that power the platform.

Last updated June 22, 2026

How a request flows

Every proxied request runs through the same pipeline. Provider keys stay server-side and no provider spend starts until the user is verified and the policy passes.

1. Verify the end user

Your app sends the end-user token (Firebase or Supabase). The proxy verifies it against your auth provider before any provider spend can start. Optional Firebase App Check ties the request to a known app.

2. Resolve the app user

We look up or create an app-user record keyed to the verified external user ID, and attach the entitlement category from RevenueCat so the right policy applies.

3. Evaluate policy

The policy engine checks the requested model, endpoint, per-request token cap, and daily and monthly request and cost limits before forwarding. Blocked requests never reach a provider.

4. Route and commit

Allowed requests are forwarded through our hosted gateway to the model provider using your server-side key. Token counts and cost are committed to usage, and analytics are captured in PostHog.

Data-logging modes you control

Logging is off by default. You choose per app how much of a request is retained. Anything stored in a mode other than Disabled is encrypted at rest with AES-256-GCM and deleted when its retention window expires.

Disabled: No request or response content is stored. This is the default.
Request metadata: Only the endpoint type and requested model are stored, never the prompt or response content.
Request body: The request payload is stored, encrypted at rest.
Response body: The model response is stored, encrypted at rest.
Full: Both request and response payloads are stored, encrypted at rest.

Encryption at rest

Provider keys and any logged request or response payloads are encrypted with AES-256-GCM before they reach the database, with a per-record initialization vector and authenticated additional data. We store ciphertext, never plaintext secrets.
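
The following Go example is added here for illustration and is not MobileAiProxy's own code. It shows what a per-record IV and authenticated additional data provide: a ciphertext copied under a different record's identity fails authentication. The record-ID strings used as additional data and the names `newGCM`, `Seal` and `Open` are assumptions; the page does not say what the additional data contains.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds AES-GCM; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with a fresh random 96-bit IV per record and passes recordID
// (assumed AAD content) as additional data: authenticated, not encrypted.
func Seal(key []byte, recordID string, plaintext []byte) (iv, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	iv = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(iv); err != nil {
		return nil, nil, err
	}
	return iv, gcm.Seal(nil, iv, plaintext, []byte(recordID)), nil
}

// Open fails if the ciphertext, the IV or the record ID differs from Seal's.
func Open(key []byte, recordID string, iv, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != gcm.NonceSize() { // gcm.Open panics on a wrong-length IV
		return nil, fmt.Errorf("bad IV length %d", len(iv))
	}
	return gcm.Open(nil, iv, ct, []byte(recordID))
}

func main() {
	key := make([]byte, 32) // constructed all-zero key, for the demo only
	iv, ct, _ := Seal(key, "app_1/log_1", []byte("constructed prompt"))
	_, err := Open(key, "app_2/log_9", iv, ct) // same bytes, another record's ID
	fmt.Println("relocated ciphertext rejected:", err != nil)
}
```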

Retention

Each data log carries a retention window you set per app. Once it expires, the log is eligible for deletion. Usage counters and cost aggregates are kept so your dashboard analytics stay accurate.

Your end users' data

The proxy processes your end users' prompts and responses on your behalf to deliver the AI features you build. You control whether any of that content is logged and for how long. You remain the controller of your end-user relationship and are responsible for obtaining any consent your jurisdiction requires before content is sent to model providers.

Subprocessors

We rely on the following subprocessors to operate the service. Each processes only the data needed for its role.

Subprocessors, their purpose, and the data they process

| Subprocessor | Purpose | Data processed |
| --- | --- | --- |
| Supabase | Primary Postgres database and end-user token verification for the Supabase auth provider. | Account, app, policy, usage records, and encrypted secrets. |
| Model providers | OpenAI, Anthropic, OpenRouter, and other providers you configure. Their policies apply to forwarded traffic. | Prompt and response content you choose to send. |
| Dodo Payments | Merchant of record for subscription billing. | Billing identity and subscription state for the account holder. |
| RevenueCat | Resolves the entitlement category that selects the applicable policy for each end user. | End-user entitlement and subscription category. |
| PostHog | LLM analytics and product usage events. | Per-request usage metadata such as tokens, cost, model, and status. |
| Vercel | Hosting and edge delivery for the dashboard and proxy. | Standard request and infrastructure logs. |

For the security controls behind this policy, see our Security page.

MobileAiProxy

A hosted, OpenAI-compatible proxy that keeps provider keys server-side, verifies users, and tracks usage and cost.

© 2026 MobileAiProxy. All rights reserved.