Legal
Privacy Policy
Last updated: 2026-07-06. This policy explains what Remekie One ("we", "us"), the company behind RemKey, collects when you use the RemKey gateway and dashboard, and how we handle it.
What we collect
- Account information: the email and organization details you give us when you sign up.
- Request metadata: for every request routed through RemKey, we record timestamps, which model tier and model handled it, token counts, cost, latency, the guardrail action taken (allow, redact, or block) and which categories of finding triggered it (e.g. "email", "injection"), and a hash of the record chained to the one before it. We do not store the text of your prompts or model responses in this log, it's metadata sufficient to bill accurately and produce a signed compliance trail, not a transcript.
- Provider keys (BYOK): if you connect your own Anthropic, OpenAI, or OpenRouter key, it's encrypted at rest (AES-256-GCM) and only decrypted in memory to dispatch your request to that provider. We never log the raw key.
- Prompt/response content, transiently: your request and response content passes through RemKey to be classified, screened for PII/injection, and routed, in-memory, for the duration of that single request. Where you've configured guardrails to redact content, the redacted version is what's forwarded. Content is not retained after the request completes unless you've separately enabled full-content logging.
How we use it
To route, guard, and bill your requests; to produce the signed audit exports you request; to operate and improve the gateway (aggregate, not per-prompt-content); and to communicate with you about your account.
Who else sees it
Your request is sent to whichever model provider you've configured (Anthropic, OpenAI, OpenRouter, or another provider you've connected), subject to that provider's own terms and privacy policy, that's inherent to a gateway: we route to the provider you chose, we don't introduce a new one. We don't sell your data, and we don't use your prompt or response content to train models.
Data retention
Request metadata is retained for as long as your account is active, so your audit trail stays continuous. Signed audit export bundles you generate are stored until you delete them. Provider keys are retained encrypted until you revoke them, revocation is immediate.
Security
Provider keys are encrypted at rest. The audit trail is hash-chained and Ed25519-signed, so tampering is detectable, not just logged. Access to the admin plane requires a bearer token, compared in constant time.
Your rights
You can request a copy of your account data, request deletion of your account and associated data (subject to any audit-retention obligations you've configured), and revoke any provider key at any time from the dashboard.
Changes to this policy
We'll update the date at the top of this page when this policy changes and, for material changes, tell active accounts directly.
Contact
Questions about this policy: sales@remkey.ai.