privacy policy.
last updated: july 8, 2026
01 the short version
we keep what we need to run your account and bill you: your email, hashed api keys and per-request usage metadata. we don't sell your data and we don't use your prompts to train models.
02 what we collect
account. your email and name when you sign in. sign-in runs on workos. an account created by an agent holds no personal data until you claim it with your email.
api keys. we store only a hash of each key, plus its name, prefix and last 4 characters so you can tell them apart. we can't recover a lost key.
usage. for each request we record the model, provider, token counts, cost and timestamp. this powers billing and your dashboard.
billing. payments run on stripe. stripe handles your card; we store a customer reference and your credit history, never card numbers.
provider keys. if you bring your own key we encrypt it with aes-256-gcm under a key held in aws kms. it's only decrypted inside the gateway to make your requests.
site. basic anonymous analytics via vercel analytics. no ad trackers.
03 your prompts and outputs
request and response content passes through the gateway to the provider you chose. we don't store it in our database. we may log prompts and outputs in our monitoring tool (posthog) to debug problems and improve routing. we never sell your content or use it to train models.
04 where your requests go
your content goes to the model provider that serves your request: openai, anthropic, google, xai or z.ai, or your own azure or bedrock account when you bring a key. each provider processes it under its own privacy policy.
05 who we share with
the services that run the impossibl ai api: workos for sign-in, stripe for payments, supabase for our database, vercel for hosting the site, aws for the gateway infrastructure and posthog for analytics. each one gets only what its job needs. we don't sell personal data. we'll disclose data if the law genuinely requires it.
06 cookies
a session cookie keeps you signed in. that's it. no advertising cookies.
07 retention
account data stays while your account is open. usage and billing records stay as long as accounting rules require. when data stops being needed, we delete or anonymize it.
08 your rights
you can ask for a copy of your data, ask us to correct it or ask us to delete it. email f@impossibl.com and we'll handle it. depending on where you live, like the eu or california, these rights are also backed by law.
09 security
keys are hashed or encrypted, traffic runs over tls and secrets sit behind aws kms. no system is perfect. if a breach puts you at risk, we'll notify you.
10 children
the impossibl ai api is not for children under 13 and we don't knowingly collect their data.
11 changes
we may update this policy. we'll post the new version here and change the date at the top.
12 contact
privacy questions: f@impossibl.com. impossibl, inc., 2261 market street ste 85136, san francisco, ca 94114.