Privacy Policy

This Privacy Policy explains how Data Products LLP (“we”, “us”), operator of flo2.com (“flo2”, the “Service”), handles personal data. flo2 is a zero-markup, bring-your-own-keys (BYOK) LLM gateway: you supply your own provider API keys and flo2 forwards your requests to those providers on your behalf. We do not resell tokens.

Who we are

Data Products LLP is a limited liability partnership registered in the Province of British Columbia, Canada, and is the data controller for personal data processed through flo2. Contact: [email protected].

What we collect

We deliberately keep collection minimal:

• Account data — your email address (used to create your account and send one-time sign-in codes), and, if you set one, a password hash and 2FA secret. We never store your email password.
• Provider API keys — the third-party LLM provider keys you add. These are encrypted at rest (AES-256-GCM) and are used only to authenticate your requests to the provider you routed them to.
• Usage metadata — for each request we route: timestamp, model, provider, token counts, latency, computed cost, status and your flo2 key id. This powers your dashboard and billing transparency.
• Request & response content — by default we do NOT store the content of your prompts or the model’s answers. Content is stored only when you explicitly opt in per flo2 key (the “Collect training data” setting) or run an A/B test. In those cases the full request and the served answer are stored for your own export/comparison.
• Technical data — IP address and user-agent on requests, session tokens (stored in Redis), and standard server logs.
• Analytics — if enabled and you consent, privacy-respecting web analytics on our public pages.

How we use it

• Operate the Service: authenticate you, route your requests, and show your usage and costs.
• Maintain reliability and security (rate limiting, abuse prevention, debugging).
• Notify you about your account (e.g. a model that a provider retired, or a quota issue).
• Only with your opt-in: retain prompt/response content so you can export it for your own fine-tuning.

Bring-your-own-keys & sub-processors

When you send a request, flo2 forwards it — including its content — to the LLM provider you routed it to, using your own key. Those providers process your data under their own terms and privacy policies. Depending on your routing, providers may include: OpenAI, Anthropic, Google, Groq, Cerebras, DeepInfra, OpenRouter, Mistral, NVIDIA and xAI. We also rely on infrastructure sub-processors for hosting, database, CDN/proxy (Cloudflare) and transactional email. We do not sell your personal data.

Data retention

Account and provider-key data persist while your account is active. Usage metadata is retained to provide historical dashboards. Opt-in training content and A/B content are retained subject to a bounded cap and may be pruned automatically. You can delete your stored training data at any time, and you can request deletion of your account and associated data (see “Your rights”).

Security

Provider keys are encrypted at rest with AES-256-GCM. Access is restricted, traffic is served over HTTPS, and sessions expire. No method of transmission or storage is 100% secure, but we take reasonable measures appropriate to the sensitivity of the data.

Your rights

Subject to applicable law (including Canada’s PIPEDA and, where relevant, the GDPR), you may request access to, correction of, export of, or deletion of your personal data, and you may withdraw consent (e.g. disable training-data collection). To exercise these rights, email [email protected].

Cookies & analytics

We use a strictly-necessary session cookie to keep you signed in. Any analytics or non-essential cookies are loaded only with your consent where required.

International transfers

We and our sub-processors may process data in Canada, the United States and elsewhere. Where required, we rely on appropriate safeguards for cross-border transfers.

Children

flo2 is not directed to individuals under 16 and we do not knowingly collect their data.

Changes

We may update this policy; material changes will be reflected by the “Last updated” date above.

Contact

Data Products LLP — [email protected]. See also our Terms of Service.