OwnLLM
GDPR-aligned · EU-hosted

Privacy Policy

How OwnLLM collects, processes, stores, and protects personal data on the SaaS control plane and across our subprocessors.

Last updated: May 4, 2026

1. Data controller

The data controller for personal data processed through the OwnLLM marketing site, dashboard, and hosted services is OwnLLM, operated by Impulse Lab, a French entity. For tenant-internal data (your employees, your conversations), OwnLLM acts as a data processor on behalf of the customer organization, which is the data controller.

Our Data Processing Agreement (DPA) formalizes this relationship. You can download it on the security page or request a customized version on Enterprise plans.

2. Scope

This policy covers personal data processed through:

  • The marketing site at ownllm.app.
  • The tenant dashboards at {tenant}.ownllm.app.
  • The OwnLLM control plane API, including pairing, heartbeat, audit log ingestion, and the OpenAI-compatible proxy at /v1/*.
  • The native OwnLLM desktop app (Mac, Windows, Linux) when it communicates with our control plane.

Inference itself executes on the GPU machine you operate. Model weights, system prompts, and any data you load into local context never leave that machine unless you explicitly use the hosted chat UI.

3. Data we process

We collect the minimum data needed to operate the service.

| Category | Examples | Legal basis |
|---|---|---|
| Account data | Email, full name, organization name, role within the tenant. | Contract performance (Art. 6(1)(b)) |
| Authentication data | Magic-link tokens, session JWTs, optional 2FA secrets, SSO subject identifiers, SCIM external IDs. | Contract performance (Art. 6(1)(b)) |
| Billing data | Stripe customer ID, invoice metadata. Payment card details are handled directly by Stripe and never reach OwnLLM servers. | Legal obligation (Art. 6(1)(c)) and contract (Art. 6(1)(b)) |
| Conversation content | Prompts and assistant responses sent through the hosted chat UI. Encrypted at rest with a per-tenant key. API traffic that bypasses the hosted chat is forwarded to your machine and not persisted by OwnLLM. | Contract performance (Art. 6(1)(b)) |
| Audit & usage metadata | User ID, model used, token counts, duration, timestamp, channel (chat or API). No prompt or response content. | Legitimate interest (Art. 6(1)(f)): security, billing, abuse prevention |
| Agent telemetry | Agent version, machine specs (vRAM, RAM, cores), model status, heartbeat health, tunnel hostname. | Contract performance (Art. 6(1)(b)) |
| Product analytics | PostHog events on the marketing site and the admin app: page views, funnel steps, feature usage. IPs are truncated. | Legitimate interest (Art. 6(1)(f)): product improvement |

4. Purposes & legal bases

  • Provide the service: authenticate users, route requests to the right tenant, bill the subscription, deliver model responses.
  • Secure the platform: detect abuse, enforce rate limits, investigate incidents, rotate secrets.
  • Comply with legal obligations: tax records, accounting, regulatory requests with valid legal basis.
  • Improve the product: aggregated analytics on the marketing site and admin dashboard to understand usage. Customer prompts and responses are never used for analytics or model training.
  • Communicate with you: transactional emails (magic links, billing receipts, incident notices). Marketing emails only with explicit opt-in.

5. Where data is stored

The OwnLLM control plane runs entirely in the European Union.

  • Application: Vercel, EU regions enabled by default (Frankfurt, Paris).
  • Database: Neon Postgres, Frankfurt region, Germany.
  • Transactional emails: Resend, EU region.
  • Product analytics: PostHog Cloud EU.
  • Error monitoring: Sentry, EU region.

Conversation content (chat threads through the hosted UI) is stored in the Neon Frankfurt database, encrypted at rest with an AES-GCM key unique to your tenant.

6. Encryption

  • In transit: TLS 1.3 enforced on every connection. The Cloudflare Tunnel between your agent and our control plane is mutually authenticated.
  • At rest: Neon disk encryption (AES-256). Conversation message contents are additionally encrypted at the application layer with a per-tenant key managed via KMS.
  • Secrets: API keys are stored as SHA-256 hashes only. Pairing keys are hashed and consumed once. Tunnel credentials are stored in the OS keychain on the customer machine.

7. Retention

We keep personal data only as long as necessary to deliver the service and meet legal obligations.

| Item | Duration |
|---|---|
| Account & billing records | For the entire contract lifetime + 10 years after termination (French commercial code). |
| Authentication sessions | Magic-link 15 min, session 24h with refresh rotation. |
| Conversations (Team) | 30 days from message creation, then deleted. |
| Conversations (Startup) | 12 months by default, configurable down to 30 days. |
| Conversations (Enterprise) | Configurable per contract, default 12 months. |
| Audit logs (Team) | 30 days, metadata only. |
| Audit logs (Startup) | 90 days, metadata only, CSV export available. |
| Audit logs (Enterprise) | 12 months, metadata only, CSV and API export. |
| Agent logs (on customer machine) | 7 rolling days, never uploaded to OwnLLM. |
| Application logs (Vercel) | 30 days. |
| Cloudflare tunnel logs | 7 days, accessed only on incident. |

When a tenant terminates its subscription, all tenant-scoped personal data is deleted within 30 days, except billing records, which we keep for the legally required period.

8. Subprocessors

We only share personal data with the subprocessors strictly needed to operate the service. Each one has signed our standard DPA and supports GDPR-compliant transfer mechanisms where applicable.

| Subprocessor | Purpose | Region |
|---|---|---|
| Vercel | Website hosting (EU regions enabled) | EU |
| Neon | Postgres database | Frankfurt |
| Cloudflare | Network tunnel, DNS, WAF | Global / DPA |
| Resend | Transactional emails | EU |
| Stripe | Payments and subscriptions | Ireland |
| PostHog Cloud | Product analytics | EU |
| Sentry | Error monitoring | EU |

We notify customers at least 30 days before adding a new subprocessor; Enterprise customers may object in writing.

9. International transfers

Stripe (Ireland) operates within the EU/EEA. Cloudflare and Vercel are US-headquartered companies operating EU infrastructure under GDPR-aligned terms; transfers to the US are covered by the EU–US Data Privacy Framework and Standard Contractual Clauses where applicable.

We do not transfer conversation content or audit logs outside the European Union.

10. Your GDPR rights

Under the GDPR you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate or incomplete data;
  • erase your personal data (right to be forgotten), subject to legal retention obligations;
  • restrict or object to certain processing;
  • receive your data in a portable, machine-readable format;
  • withdraw consent at any time when processing is based on consent;
  • lodge a complaint with the French data protection authority (CNIL) or your local supervisory authority.

To exercise any of these rights, email privacy@ownllm.app. We respond within 30 days. If you are an end user inside a customer organization, please contact your organization administrator first; we forward your request to them.

11. Cookies

We use the minimum set of cookies required to operate the service:

  • Session cookies (essential): authentication, CSRF protection. No consent required.
  • Preference cookies (essential): UI theme, last-used model.
  • Analytics cookies (PostHog, EU-hosted): only set after explicit consent on the marketing site. Disabled inside paid tenants by default.

We do not use advertising cookies and we do not sell or share personal data with advertising networks.

12. Security measures

  • Strict tenant isolation enforced at the database query level, with automated tests in CI.
  • Magic-link authentication with 15-minute TTL, signed JWT sessions with refresh rotation, optional TOTP 2FA (required on Enterprise).
  • API keys hashed with SHA-256, scoped per user and per model, with monthly budgets. Revocation is immediate.
  • Tunnel shared secret rotated every 30 days. Outbound-only Cloudflare Tunnel — no inbound port is opened on the customer side.
  • Locked dependencies (bun.lock, Cargo.lock), automated bun audit, signed releases (Apple Developer + Authenticode), SBOM generated for each release.
  • Continuous monitoring (Sentry + Better Stack), alerting on abnormal heartbeat patterns and on agents going offline for more than 30 minutes.

Read the full posture on the security page.

13. Data breach notification

If we discover a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we notify affected customers without undue delay and within 72 hours of becoming aware of it, in line with Article 33 GDPR. Customers, as data controllers, remain responsible for notifying their own end users and supervisory authorities where required.

14. Changes

We update this policy whenever our processing activities change. Material changes are announced by email at least 14 days before they take effect, and the updated version is published on this page with a new "Last updated" date.