Privacy Policy

Last updated: May 17, 2026

This Privacy Policy explains what information Onlist collects, how it is used, and how it is shared when you visit the website, sign in to the dashboard, browse the catalog, or send API requests through the gateway.

The policy is organized around a single principle: the Onlist platform layer and the upstream provider layer are different. Onlist meters and bills your requests but does not store request or response bodies for ordinary metering. The upstream provider that serves a request receives those bodies and applies its own logging, retention, and (if any) training policy. Choose providers accordingly.

1. Information we collect

Account information you provide. Email, display name, password hash, authentication and 2FA settings, billing actions, API key configuration, and support messages. If you apply to participate as an upstream provider, this also includes the business or operator identity, endpoint, and policy details you submit.

Service metadata collected automatically. Request timestamps, selected model, selected upstream provider, token counts, status codes, latency, cache hits, billing amounts, IP address, user agent, security events, and audit logs. This metadata is what makes the service work — routing, metering, billing, settlement, dispute resolution, and abuse detection.

Prompts and responses. Onlist does not store request or response bodies for ordinary metering. Limited content may be temporarily reviewed or retained only when you explicitly enable a debugging or analytics feature that requires it, when an abuse investigation or support request requires it, or when required by law.

2. We do not train on your data

Onlist does not use your prompts, files, or outputs to train Onlist-owned models. We do not sell prompts or outputs to data brokers.

This commitment covers the platform layer that we operate. It does not extend to what an upstream provider does after the request leaves our gateway — see Section 3.

3. Upstream provider visibility and policies

When you send an API request through Onlist, the upstream provider endpoint that serves it receives your prompts, files, context, and generated outputs. That upstream provider can technically log, retain, or process the data according to its own systems and declared policies, and may forward the call to a further upstream (for example, an official model provider's API).

Onlist surfaces upstream provider data-retention declarations where available (no logs, limited retention, or not declared). These are commitments made by the upstream provider but are not a substitute for reading the underlying model-provider policy.

For reference, several major commercial model providers publish their own no-training defaults for API traffic (for example, Anthropic and OpenAI state that they do not, by default, train models on data submitted through their commercial APIs). Upstream provider behavior depends on which further upstream it routes to and on its own configuration. Onlist cannot independently verify every upstream relationship at request time.

For sensitive or regulated data, review the upstream provider's page and the corresponding model-provider policy before routing traffic.

4. How we use information

We use information to operate the gateway, authenticate accounts, meter usage, bill credits, settle with upstream providers, rank upstream providers, investigate fraud, handle disputes, provide support, secure the platform, and improve reliability.

We may use aggregated or de-identified data to publish catalog statistics, model availability, provider performance, and product analytics.

5. Sharing information

We share request data with the upstream provider that serves the request. We may also share information with payment processors, infrastructure providers, analytics providers, security tools, professional advisors, or authorities when required by law or necessary to protect rights and safety.

We do not sell your personal information.

6. Data retention

Account information is retained while your account is active. Billing, settlement, audit, and security logs may be retained as long as necessary for accounting, dispute resolution, fraud prevention, legal compliance, and platform integrity.

You may request account deletion where applicable. Some records may remain for legal, tax, security, dispute, or anti-abuse purposes.

7. Security

Onlist uses technical and organizational safeguards including HTTPS, access controls, hashed or encrypted secrets where appropriate, audit logs, and abuse monitoring. No internet service is completely secure, and you remain responsible for protecting your credentials and API keys.

8. International processing

Onlist and its upstream providers may process data in different countries. By using the service, you understand that information may be transferred to and processed in jurisdictions with different data-protection laws.

9. Your choices

You can manage profile information, API keys, routing settings, and account preferences in the dashboard. You may contact us to request access, correction, deletion, or other privacy rights available under applicable law.

10. Cookies

Onlist uses cookies and similar technologies for authentication, preferences, security, analytics, and product operation. Disabling required cookies may break login and dashboard features.

11. Changes

We may update this Privacy Policy from time to time. Material updates will be posted on the site or communicated through account email where practical.

12. Contact

For the fastest response, sign in and submit a support ticket. You can also reach us at [email protected].