Privacy Policy

Last updated: 2026-05-28 · Effective: 2026-05-28

Contents

Who we are
Scope
Data we collect
How we use data
Legal bases (GDPR / UK GDPR)
Sharing & sub-processors
Retention
Security
International transfers
Your rights
Cookies & tracking
Children
California residents
Changes to this Policy
Contact

1. Who we are

This Privacy Policy describes how Elite AI Empire LLC, a Delaware limited liability company ("Elite AI Empire", "we", "us"), collects, uses, and shares personal data in connection with the Lumen API service and the website at lumen-api.eliteaiempire.com (the "Service"). For the purposes of EU and UK data protection law, Elite AI Empire is the controller of personal data collected through the Service.

2. Scope

This Policy applies to data we collect about: (a) account holders and visitors to the Service; (b) personnel of organizations that use the Service; and (c) people who contact us. It does not apply to third-party services we link to, which have their own policies. By using the Service you agree to this Policy and the Terms of Service.

3. Data we collect

Category	Examples	Source
Account data	email address, optional company / project name, hashed API key, plan tier, account creation date	you, when you sign up
Billing data	Stripe customer ID, subscription ID, payment status, last4 of card (held by Stripe, not us)	Stripe, when you start a paid subscription
Technical data	IP address (hashed at ingest), user-agent string, timestamp, audit hash of each request	your browser / client, automatically
Usage metadata	per-request: model tier selected, prompt-token count, completion-token count, cost estimate, latency, success/error status, audit hash	the Service, automatically
Customer Content	the prompts and messages you send via the API, and the model responses returned to you	you, in each API request
Support data	messages you send to support, including any data you choose to include	you

Customer Content (your prompts and the responses) is forwarded to the model provider selected for that request and is not stored on our servers beyond the brief time needed to relay the request and response. We do not log message bodies in our audit log; only the request shape and outcome metadata listed above.

IP addresses are hashed at ingest for abuse-detection purposes; we do not retain the original IP.

4. How we use data

We use the data described above to:

provide, operate, and secure the Service (authentication, routing, rate-limiting, audit logging);
process payments and manage subscriptions through Stripe;
send transactional email (welcome, magic-link login, billing notifications, security alerts) through Brevo;
respond to support requests;
detect, investigate, and prevent abuse, fraud, security incidents, and violations of our Terms;
generate aggregated and anonymized statistics about Service usage and routing performance for internal reporting and product improvement;
comply with legal obligations and enforce our agreements.

We do not use Customer Content to train our own models. We do not sell personal data.

5. Legal bases (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process personal data on the following legal bases:

Performance of a contract — to provide the Service you signed up for and to process billing;
Legitimate interests — to secure the Service, prevent abuse and fraud, communicate operational notices, and improve the product, balanced against your rights and freedoms;
Legal obligation — to comply with tax, accounting, and other applicable laws;
Consent — where required (for example, for any optional marketing emails). You may withdraw consent at any time.

We do not sell personal data. We share personal data with the following categories of recipients:

Model-provider sub-processors — Anthropic PBC, OpenAI L.L.C., and Google LLC. Each chat-completion request you send is forwarded, in full, to one of these providers as selected by the routing algorithm, so that the provider can generate the response. Each provider applies its own privacy and data-handling policies to the content it receives; please review their policies if their handling matters to you.
Payment-processing sub-processor — Stripe, Inc. handles all card data and subscription billing. We do not see or store full payment-card numbers.
Email-delivery sub-processor — Brevo (Sendinblue SAS) sends transactional emails on our behalf.
Infrastructure sub-processor — Oracle Cloud Infrastructure hosts the Service.
Professional advisors — accountants, lawyers, auditors, and similar advisors under duties of confidentiality.
Legal & safety — courts, regulators, law-enforcement, and other authorities where required by valid legal process or to protect our rights, property, or the safety of others.
Successor — in connection with a merger, acquisition, financing, or sale of assets, subject to standard confidentiality protections.

A current list of sub-processors is available on request from the contact address below.

7. Retention

Account & billing records — retained for the life of your account and for up to seven (7) years after closure for tax, accounting, and dispute-resolution purposes.
Audit-log metadata (hash-chained request records) — retained for at least 90 days and up to 13 months.
Hashed IP addresses — retained for up to 13 months for abuse detection.
Customer Content — not retained on our servers beyond the brief time needed to relay the request and response, except as part of audit-log metadata, which never contains message bodies.
Support correspondence — retained for up to 3 years from last contact.

We may retain data for longer where required by law or where reasonably necessary to defend legal claims.

8. Security

We implement administrative, technical, and physical safeguards designed to protect personal data, including: encryption in transit (HTTPS / TLS 1.2 or higher), API-key hashing (we store only SHA-256 hashes, never plaintext keys), HMAC-signed session cookies, hash-chained audit logs, role-based access controls, secrets stored in restricted-permission environment files, and routine patching. No system is perfectly secure; we cannot guarantee absolute security.

9. International transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States and other countries where our sub-processors operate, which may have different data-protection laws than your jurisdiction. Where required, we rely on appropriate transfer mechanisms (such as the European Commission's Standard Contractual Clauses or the UK International Data Transfer Addendum) for transfers of personal data from the EEA, UK, or Switzerland.

10. Your rights

Subject to applicable law, you have the right to:

access the personal data we hold about you;
rectify inaccurate or incomplete personal data;
erase personal data ("right to be forgotten") in certain circumstances;
restrict or object to certain processing, including processing based on legitimate interests and direct marketing;
data portability — receive your data in a structured, machine-readable format;
withdraw consent at any time where processing is based on consent;
lodge a complaint with your local data-protection authority.

To exercise any of these rights, email support@eliteagenticsolutions.com. We will respond within the time required by applicable law (typically 30 days). We may need to verify your identity before acting on the request.

11. Cookies & tracking

The Service uses a small number of cookies for essential operation:

Session cookie (lumen_session) — an HMAC-signed cookie storing your customer ID and an expiry timestamp, used to keep you logged into your dashboard. Expires after 14 days.
Stripe and our infrastructure providers may set their own cookies for fraud-prevention and load-balancing.

We do not run third-party advertising trackers and we do not place advertising cookies. We may use a privacy-respecting analytics tool to count aggregate page views, without persistent identifiers, to understand which docs pages are useful.

12. Children

The Service is not directed to children under 16 and we do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to the Service, please contact us and we will delete it.

13. California residents

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you rights to know what personal information we collect, to delete it, to correct it, to opt out of "sale" or "sharing" of personal information, and to limit the use of sensitive personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise CCPA rights, contact us at the address below.

14. Changes to this Policy

We may update this Policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, give you reasonable notice by email or in-app notice before the change takes effect.

15. Contact

Questions about this Policy or your data? Contact us at:

Elite AI Empire LLC
A Delaware limited liability company
Email: support@eliteagenticsolutions.com
Web: eliteaiempire.com