Privacy Policy

ATPetrichor · v1.0

ATPetrichor (the “Provider,” “we,” “us” or “our”) takes your privacy seriously. This Privacy Policy (this “Policy”) explains how we collect, use, store, share and protect personal information related to you and your users, in accordance with applicable laws.

By using the Platform, you acknowledge and agree to this Policy. If you do not agree, please discontinue use.

1. Information we collect

1.1 Account Information

When you register or use the Platform, we may collect:

  • Company legal name, registration number, address, business phone;
  • Contact name, title, email, mobile phone;
  • Authentication information (passwords are stored hashed; 2FA settings); and
  • API Key generation logs and management activity.

1.2 API Request Data

When you call the Platform's APIs, we collect:

  • Request metadata: timestamps, model, token counts, response status codes, usage;
  • Request content (prompts) and response content (outputs): as necessary to provide the Services, we transmit request content to the relevant Upstream Provider in real time. Except as required by Upstream Provider policy, abuse detection, service improvement or legal compliance, we do not retain request/response content for model training; and
  • Technical data: IP address, HTTP headers, SDK version, client identifiers.

1.3 Billing and Usage

  • Credit purchase records, invoice information, payment account (partial);
  • Credit consumption records, monthly reconciliation data; and
  • Refund / Service Credit application records.

1.4 Console Access and Operations

  • Login times, IPs, browser and OS fingerprints;
  • Console operation logs; and
  • Cookies and similar tracking technologies.

1.5 Support and Interaction

  • Ticket content, customer service conversations, reported security incidents; and
  • Survey responses, marketing engagement, subscription preferences.

2. Purposes of processing

We process the above information for the following purposes:

  1. Service provision: executing API calls, billing reconciliation, user authentication, console functionality;
  2. Security: detecting and preventing abuse, attacks and fraud; maintaining service integrity and availability;
  3. Service improvement: analyzing usage patterns in aggregate / de-identified form;
  4. Legal compliance: cooperating with regulatory authorities, tax filings, legal remedies;
  5. Communications and marketing: sending service notices, product updates, operational announcements; marketing emails are sent only with your consent and provide an unsubscribe mechanism; and
  6. Contract performance: fulfilling rights and obligations under MSA, SOF, ToS.

3. Sharing and disclosure

3.1 Upstream Providers

To provide the Services, we transmit your API request content (prompts) to one or more of the following Upstream Providers:

  • Google LLC (United States)
  • Microsoft Corporation (United States)
  • Other integrated Upstream Providers (as published in the console or Pricing List)

Each Upstream Provider has its own privacy policy. Processing of your data by such providers is governed by their respective policies. We recommend reviewing them.

3.2 Service Providers (Sub-processors)

We use the following categories of service providers to operate the Platform:

  • Cloud infrastructure (AWS, GCP, Azure);
  • Payment processing (Stripe, etc.);
  • Email and communications (SendGrid, Twilio, etc.);
  • Monitoring and analytics (Datadog, New Relic, etc.);
  • Customer support (Zendesk, Intercom, etc.); and
  • Authentication services (Auth0, Okta, etc.).

We enter into data processing agreements with each provider, requiring them to handle data to standards consistent with this Policy. The full sub-processor list is available upon request.

3.3 Legal Disclosure

We may disclose your data as required by law, court order or governmental authority. To the extent legally permitted, we will provide prior notice.

3.4 Mergers and Reorganization

In the event of a merger, acquisition or asset sale, your data may be transferred as part of the transaction. The acquirer shall assume the same protection obligations as set out in this Policy.

4. International transfers

Your data may be transferred outside Taiwan (in particular, to the United States, Singapore and the EU), especially when transmitted to Upstream Providers. We ensure lawful cross-border transfers by:

  1. EU data: using appropriate safeguards for lawful cross-border transfer;
  2. Taiwan data: complying with applicable data protection law; and
  3. Technical measures: encrypting transfers using TLS 1.2 or higher.

5. Data retention

We retain your data per the following principles:

  • Account data: 5 years after account termination (for legal record-keeping and accounting obligations);
  • API request content (prompts / outputs): not retained by default; may be retained up to 30 days for abuse detection or legal compliance;
  • API metadata (usage, tokens, timestamps): 12 months;
  • Billing records: 7 years per tax regulations;
  • Console access logs: 12 months;
  • Support tickets: 24 months; and
  • Cookies: up to 12 months depending on cookie type.

6. Your rights

Subject to applicable law, you have the following rights regarding your personal data:

  1. Access: to know what data we collect;
  2. Correction: to request correction of inaccurate or outdated data;
  3. Deletion: to request deletion (subject to legal retention obligations);
  4. Restriction: to request suspension of certain processing activities;
  5. Data portability: to obtain a copy of your data in a structured, commonly used format;
  6. Object to automated decision-making: including profiling;
  7. Withdraw consent: at any time, for processing based on consent; and
  8. Lodge a complaint: with the relevant supervisory authority.

To exercise these rights, please email [email protected]. We will respond within 30 days of receipt.

8. Children's privacy

The Platform is notoffered to minors under 18. We do not knowingly collect personal information from minors. If you become aware of a minor's personal information on the Platform, please notify us immediately and we will delete it within a reasonable time.

9. Data security

We protect your data using:

  • Transit encryption: TLS 1.2 or higher for all API and console traffic;
  • At-rest encryption: AES-256;
  • Access control: least-privilege principle, 2FA, full audit logging for employees;
  • Vulnerability management: periodic penetration testing, vulnerability scanning, patching;
  • Incident response: 72-hour security incident notification; and
  • Employee training: onboarding security training and annual refreshers.

Internet transmission and storage cannot be guaranteed 100% secure; we apply industry-standard protections but make no absolute guarantee.

10. Policy updates

We may update this Policy from time to time. Material changes will be communicated by email, console announcement or website homepage notice, and shall take effect 30 days after publication. If you disagree with the updated version, discontinue use before the effective date; continued use constitutes acceptance.

Effective date: 2026-06-15 · Version: v1.0