Effective Date: April 29, 2026.
This Privacy Policy describes the policies and procedures of OpenRouter on the collection, use, and disclosure of your information when you use our services. It also tells you about your privacy rights and how the law protects you. By using the OpenRouter platform, you agree to the collection and use of information in accordance with this Privacy Policy.
Information We Collect
OpenRouter collects several categories of information to provide, maintain, and improve our AI model access platform.
Account Information
When you create an OpenRouter account, we collect the email address you provide, a hashed representation of your password, and any optional profile information you choose to add such as your name or organization affiliation. This information is used to authenticate your access to the platform, communicate service-related announcements, and provide customer support. Your password is never stored in plain text; it is processed through a one-way cryptographic hash function with a unique per-user salt before storage.
API Usage Data
When you use the OpenRouter API, we collect and retain data about each request for operational and billing purposes. This includes the model identifier, the number of input tokens processed, the number of output tokens generated, the provider that served the request, the timestamp, and the API key identifier used. We do not retain the content of your prompts or the content of model responses beyond the standard request log retention period unless you explicitly configure extended logging for auditing or debugging purposes. The default retention period for request logs is thirty days. Workspace administrators may extend this to ninety days or reduce it to zero through account settings.
Billing and Payment Information
When you purchase OpenRouter credits, we collect transaction data including the amount, timestamp, and payment method identifier. Full payment card details are processed directly by our PCI-compliant payment processor and are never transmitted to or stored on OpenRouter servers. We receive and retain a payment token that allows recurring transactions for auto-reload configurations, but this token cannot be used to reconstruct your full card number. Billing history, including transaction amounts and dates, is retained for the life of your account and for a reasonable period thereafter to comply with financial recordkeeping obligations.
Playground and Dashboard Activity
Your interactions with the OpenRouter Playground and dashboard are logged for service improvement and support purposes. This includes feature usage patterns, preference settings, and interface interactions. We use this data to identify usability issues, prioritize feature development, and provide contextual support. This activity data does not include the content of prompts entered in the Playground unless you explicitly save them as templates.
Device and Connection Information
When you access OpenRouter, our servers automatically receive standard connection metadata including your IP address, browser type and version, operating system, referring URL, and the date and time of your request. This information is used for security monitoring, rate limit enforcement, and aggregate usage analysis. IP addresses may be stored in access logs for up to thirty days for security and abuse prevention purposes.
How We Use Your Information
OpenRouter uses the collected information for the following purposes, each grounded in the operational requirements of providing a unified AI model access platform.
Service delivery encompasses account authentication, API request processing and routing, credit balance management, and the operation of all platform features including team workspaces, analytics dashboards, and the interactive playground. Without this information, the platform cannot function as a unified gateway to multiple AI providers.
Billing and financial operations require transaction data to process credit purchases, calculate consumption charges, generate invoices, and support auto-reload transactions. This data is also used for internal financial reporting and auditing purposes in compliance with standard accounting practices.
Platform security and abuse prevention rely on connection metadata, API usage patterns, and account activity data to detect unauthorized access attempts, prevent fraud, enforce rate limits, and investigate violations of our terms of service. Security monitoring is continuous and automated, with human review initiated only when automated systems flag anomalous patterns that require investigation.
Service improvement and development use aggregated, de-identified data about feature usage patterns to prioritize engineering resources, identify performance bottlenecks, and evaluate the impact of platform changes. This analysis is conducted on aggregated data sets that do not identify individual users or reveal the content of specific API requests.
Communication includes service-related emails such as account verification messages, password reset links, billing notifications, budget alerts, and important changes to platform features or policies. OpenRouter does not send marketing emails or promotional materials. All communications from the platform are directly related to your account or service usage.
Data Sharing and Disclosure
OpenRouter shares information only in the limited circumstances described below. We do not sell personal information, and we do not share API request content with third parties except as necessary to route your requests to the model providers you select.
Service Providers and Subprocessors
We engage third-party service providers to perform functions on our behalf, including payment processing, cloud infrastructure hosting, and email delivery. These providers receive only the information necessary to perform their specific functions and are contractually bound to use that information solely for the purpose of providing services to OpenRouter. Our payment processor receives transaction amounts and payment method details but does not receive API usage content or account activity data. Our cloud infrastructure provider hosts platform data but does not have access to decrypted API request content.
Model Providers
When you send an API request to OpenRouter specifying a particular model, the content of your request — including the prompt text, system messages, and any attached data — is transmitted to the provider that ultimately serves the request. The provider processes this data according to their own privacy policy and data handling practices. OpenRouter's role is to route your request; once the provider receives it, their data handling policies apply to the content of that specific request. We recommend reviewing the privacy policies of model providers whose services you use, particularly for sensitive or regulated data.
Legal Obligations
We may disclose information if required to do so by law or in response to valid legal process, including subpoenas, court orders, or comparable legal instruments. We will notify you of such disclosure unless prohibited by law or where notification would impede an ongoing investigation. We may also disclose information to protect the rights, property, or safety of OpenRouter, our users, or the public, including in the context of fraud prevention and security investigations.
Data Retention
OpenRouter retains different categories of data for different periods based on operational necessity and legal requirements. Account information is retained for the duration of your account and for a reasonable period after account closure to handle any residual billing or support matters. API request logs are retained for thirty days by default, with workspace-level options to extend to ninety days or reduce to zero. Billing records are retained for the period required by applicable tax and financial regulations. Security and access logs are retained for up to ninety days for abuse investigation purposes. After the applicable retention period expires, data is deleted or anonymized through processes designed to prevent reconstruction.
Cookies and Similar Technologies
OpenRouter uses essential cookies that are necessary for the platform to function. These include session cookies that maintain your authenticated state as you navigate the dashboard and security cookies that support CSRF protection. We do not use tracking cookies, advertising cookies, or analytics cookies from third-party services. The platform does not deploy fingerprinting techniques or other browser-based tracking mechanisms beyond the essential session management described above.
You can configure your browser to reject cookies, but doing so will prevent you from logging into the platform and accessing authenticated features including the dashboard, API key management, and the playground. Essential session cookies are deleted when you close your browser or log out of your account. No persistent cookies are set on your device beyond the duration of your authenticated session.
Your Privacy Rights
Depending on your jurisdiction, you may have certain rights regarding your personal information. OpenRouter respects these rights and provides mechanisms to exercise them through your account settings or by contacting our support team.
Right to Access and Portability
You can access your account information at any time through your dashboard settings. This includes your email address, billing history, API key metadata, and workspace configurations. You can also export your usage data in machine-readable formats through the analytics dashboard. For information not directly accessible through the dashboard, you may request a copy by contacting support. We will provide the requested information within thirty days of verifying your identity.
Right to Rectification
If your account information is inaccurate or incomplete, you can update it through your dashboard settings at any time. Changes to your email address require verification through both the old and new email addresses to prevent unauthorized modification. Billing records reflect actual transactions and cannot be modified, but you can add notes or references to your billing profile for internal tracking purposes.
Right to Deletion
You may request deletion of your account and associated personal information at any time. Account deletion is permanent and irreversible. Upon deletion, we remove your account information, API keys, workspace configurations, and personal data from active systems within thirty days. Information that must be retained for legal compliance — such as billing records for completed transactions — will be retained for the legally required period and then deleted. Anonymized or aggregated data that does not identify you may be retained for analytical purposes.
Right to Restrict Processing
You can restrict certain types of data processing through your account settings. This includes disabling request logging entirely for maximum data minimization, reducing log retention to the minimum period, and opting out of any non-essential data collection. Note that disabling request logging will reduce the functionality of the analytics dashboard and may limit our ability to provide usage-based support.
California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act provides you with specific rights regarding your personal information. This section describes those rights and how to exercise them in the context of the OpenRouter platform.
Under the CCPA, California residents have the right to know what personal information is collected about them, the right to know whether their personal information is sold or disclosed and to whom, the right to opt out of the sale of their personal information, the right to access their personal information, and the right to equal service and price even if they exercise their privacy rights.
OpenRouter does not sell personal information as defined under the CCPA. We do not share personal information with third parties for cross-context behavioral advertising or for any commercial purpose beyond the service delivery and operational purposes described in this policy. The categories of personal information we collect — identifiers such as email addresses, commercial information such as transaction records, and internet activity such as API usage logs — are used exclusively for the business purposes of providing, securing, and improving the OpenRouter platform.
To exercise your CCPA rights, you may submit a verifiable consumer request by contacting OpenRouter support with the subject line "CCPA Request." We will verify your identity by confirming your account ownership through the email address associated with your account. We will respond to verifiable requests within forty-five days as required by California law. You may designate an authorized agent to submit a request on your behalf, provided the agent can demonstrate written authorization and we can verify your identity directly.
California residents also have the right not to receive discriminatory treatment for exercising their CCPA rights. OpenRouter does not deny services, charge different prices, or provide a different level of service based on whether you exercise your privacy rights under California law.
Children's Privacy
OpenRouter is not directed to individuals under the age of sixteen. We do not knowingly collect personal information from children. If we become aware that a child under sixteen has provided us with personal information, we will take steps to delete such information from our systems. If you believe a child under sixteen has created an OpenRouter account, please contact our support team immediately.
International Data Transfers
OpenRouter is operated in the United States, and the information we collect is processed and stored on servers located in the United States. If you access the platform from outside the United States, your information will be transferred to, processed in, and stored in the United States, which may have data protection laws that differ from those in your country of residence. By using OpenRouter, you consent to the transfer of your information to the United States and its processing there in accordance with this Privacy Policy.
Data Security
OpenRouter implements technical and organizational measures designed to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit using TLS 1.3, encryption of sensitive data at rest, API key hashing with industry-standard algorithms, access controls that limit employee data access to those with a legitimate business need, regular security assessments including penetration testing and vulnerability scanning, SOC 2 Type II compliance certification, and ISO 27001 certification for our information security management system.
Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your information. You are responsible for maintaining the confidentiality of your API keys and account credentials. If you believe your account has been compromised, contact support immediately to initiate key rotation and account recovery procedures.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform features. When we make material changes, we will notify you through the email address associated with your account at least thirty days before the changes take effect. For non-material changes, the updated policy will be posted on this page with a revised effective date. Your continued use of OpenRouter after the effective date of any changes constitutes acceptance of the updated Privacy Policy. We encourage you to review this policy periodically to stay informed about how we protect your information.
Contact Information
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a security concern, you can reach OpenRouter through the following channels. For general privacy inquiries, contact our support team through the platform's contact form or by email. For security vulnerabilities, use our responsible disclosure process as described in our security documentation. For legal notices, our mailing address is in San Francisco, California. We aim to acknowledge all privacy-related inquiries within two business days and to provide substantive responses within ten business days. The Better Business Bureau provides additional resources for consumers evaluating privacy practices of online services, and we encourage users to review these materials to understand their rights and the standards that responsible platforms should meet.