Privacy
What data Ormas handles, how long we keep it, and what we never see.
What we see
When a turn passes through the Ormas gateway, we record:
- Routing metadata — the declared model, the served model, prompt/completion token counts, timestamp, and your tenant ID.
- A quality judgment — a short pass/fail verdict from an independent judge model on a sampled fraction of turns.
- Cost accounting rows — baseline cost, actual cost, savings, and fee — derived from token counts and public pricing.
We do not record or persist:
- The content of your messages or completions (beyond what the judge samples, transiently).
- Your API keys (keys are hashed before storage; the gateway never logs key material).
- Your identity beyond a pseudonymous tenant ID linked to your signed-in account.
Auth data
When you sign in to the portal, we store:
- The OAuth identifier returned by your provider (Google or GitHub).
- Your email address, display name, and avatar URL as returned by the provider.
- Any data you create inside the portal (API keys as hashed secrets, account preferences).
We don't store passwords. Authentication is delegated entirely to your OAuth provider.
What the judge sees
A fraction of routed turns are graded by an independent judge model (haiku-class Anthropic). The judge receives the last user message and the served response, produces a pass/fail verdict, and that verdict is what we store. We do not store the message content alongside the verdict row.
The judge sample rate is configurable — at steady state ~5-25% of routed turns. You can see the coverage fraction in the savings console.
BYOK and inference privacy
When you provide your own provider key via X-Provider-Key, your key pays for the inference. The message content flows from your client → the Ormas gateway → the provider (Anthropic, xAI, etc.) → back. Ormas is the relay; we see traffic in transit but do not persist content beyond the routing metadata above.
The honest boundary: the upstream provider still processes your messages under their own privacy terms. Ormas does not add a data-retention obligation on top of the provider's existing one.
Retention
Routing metadata and quality verdict rows are retained for 90 days by default, then deleted.
Contact
For data requests, account deletion, or privacy concerns, email the maintainer linked in the repo. (Yes, that's manual right now. We'll automate it before it becomes a problem.)