Privacy Policy
Last updated: April 2026
1. Who We Are
LLMeter ("we", "us") is operated by John Medina, sole proprietor based in Colombia. We are the data controller for personal information processed via llmeter.org. For privacy matters, contact hello@llmeter.org.
2. Information We Collect
You provide directly: email address, name, password hash; provider API keys (stored AES-256-GCM encrypted, read-only recommended); optional organization/team metadata; support communications.
Billing data: collected and stored by Paddle as Merchant of Record. We receive limited metadata only (plan, subscription status, country, transaction ID). Card and tax details are handled exclusively by Paddle.
Automatically collected: pages visited, features used, timestamps, IP address, browser/OS. Essential cookies for authentication and session management.
From your providers (if connected): usage metadata — model name, token counts, cost per request. We do not access prompts, completions, fine-tuned models, or any content data.
3. How We Use Your Data
- Provide and operate the Service
- Process subscriptions and send transactional emails (receipts, password resets, alerts)
- Send budget and anomaly alerts you configure
- Improve features, troubleshoot, and analyze usage patterns
- Prevent fraud, abuse, and enforce our Terms
- Comply with legal and tax obligations
4. Legal Bases (GDPR / UK GDPR)
- Contract — processing necessary to deliver the Service you subscribed to
- Legitimate interests — service improvement, security, fraud prevention
- Consent — marketing communications and optional cookies (opt-in)
- Legal obligation — tax records, responding to lawful requests
5. Data Security
All API keys are encrypted at rest using AES-256-GCM with per-key nonces. Data in transit is protected with TLS 1.3. Passwords are hashed (bcrypt). We apply least-privilege access controls, regular patching, and Supabase Row-Level Security. No method of transmission is 100% secure; we cannot guarantee absolute security. In case of a confirmed breach affecting your data, we will notify you as required by applicable law.
6. Data Retention
- Usage data: 30 days on Free, 1 year on Pro/Team (extended retention available)
- Account data: retained while your account is active; deleted within 30 days of account deletion (backups may retain encrypted copies up to 90 days)
- Billing records: retained by Paddle per their policy and as required by tax law
- Support communications: up to 24 months
- Server access logs: up to 90 days
7. Third Parties (Sub-processors)
We use the following providers to operate the Service. They process personal data only on our instructions and under data-protection agreements:
- Vercel — application hosting, edge network
- Supabase — database (PostgreSQL) and authentication
- Upstash — Redis cache and rate limiting
- Inngest — background job execution
- Resend — transactional email delivery
- Plausible — privacy-friendly web analytics (no cookies, no personal data collected)
- Paddle.com Market Ltd. — payment processing, Merchant of Record (Paddle Privacy)
We do not sell or share personal data with third parties for advertising.
8. International Transfers
Your data may be processed in countries outside your own, including the United States and the European Union, depending on where our sub-processors operate. Where required by law, transfers rely on Standard Contractual Clauses or equivalent safeguards.
9. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (subject to legal retention obligations)
- Restrict or object to processing
- Receive your data in a machine-readable format (data portability)
- Withdraw consent at any time (without affecting prior lawful processing)
- Lodge a complaint with a supervisory authority
Residents in the EEA/UK benefit from the GDPR / UK GDPR, California residents from the CCPA/CPRA, Brazilian residents from the LGPD, and Colombian residents from Ley 1581 de 2012 and Decreto 1377 de 2013. To exercise any right, email hello@llmeter.org; we respond within 30 days.
You can also export or delete your data at any time from your account settings without contacting us.
10. Cookies and Analytics
We use essential cookies for authentication and session management. For analytics we use Plausible, a cookie-less, privacy-friendly analytics service that does not collect personal data or use cross-site tracking. You can clear or block cookies in your browser settings.
11. Children
The Service is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact hello@llmeter.org and we will delete it.
12. Third-Party Links
The Service may link to third-party sites (including your connected AI providers). We are not responsible for their privacy practices; review their policies before providing data.
13. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated by email or a prominent in-app notification. The "Last updated" date reflects the latest revision.
14. Contact
For privacy questions, data requests, or complaints, email hello@llmeter.org.