Privacy Policy
Last updated: July 1, 2026 · Applies to all users of nimbusapi.net.
The one-line summary
Nimbus does not log the content of your prompts or the responses returned to you. We store aggregate usage counters (tokens in, tokens out, model, timestamp, latency) so we can bill you and keep the gateway healthy. That's it.
1. Who we are
Nimbus API is operated by FoogleGiber LLC, a Delaware limited liability company. For the purposes of GDPR, FoogleGiber LLC is the data controller. Contact: privacy@nimbusapi.net.
2. Data we collect
Account data
- Email address (used for login, receipts, security alerts).
- Password (stored as a bcrypt hash — never in plaintext).
- Display name (optional).
- API keys you create (hashed at rest; only the last four characters are shown after creation).
Security telemetry
- IP address of login and API requests (used for rate limiting, fraud detection, and abuse response).
- User-agent header of dashboard sessions.
- Login timestamps.
Aggregate usage
- Per-request: model, timestamp, tokens in, tokens out, latency, HTTP status.
- Per-day aggregates for dashboard charts.
- Not collected: the prompt text, the response text, function-call arguments, or any content embedded in a request or response.
Payment data
Payment card numbers, crypto wallet addresses, and billing addresses are handled by our payment processors (SellAuth, NowPayments). Nimbus receives only a confirmation token, the amount, and the currency. We never see or store your full card number.
3. How we use data
- To operate the Service — authenticate you, route requests, meter usage, and bill.
- To defend the Service — detect fraud, block abuse, respond to security incidents.
- To communicate with you — service alerts, receipts, security notices, and (with your consent) product updates.
- To comply with legal obligations — including responding to lawful requests from courts, tax authorities, and law enforcement.
We do not sell your data. We do not use your prompts, responses, or aggregate usage to train machine learning models — ours or anyone else's.
4. Third-party providers
When you send a request, Nimbus forwards it to the upstream provider you selected (OpenAI, Anthropic, Google, xAI, Meta, DeepSeek, Mistral, Azure OpenAI, or others). Those providers have their own privacy policies and their own retention practices. In particular:
- OpenAI: 30-day retention for abuse monitoring on standard API traffic.
- Anthropic: 30-day retention for abuse monitoring on standard API traffic.
- Azure OpenAI (routed via our Azure Foundry account): 30-day retention unless zero-retention is enabled.
- Google, xAI, Meta, DeepSeek, Mistral: see their respective policies linked from our documentation.
Nimbus itself does not retain the prompt or response — but the provider may, per their policy. If you require zero-retention routing, contact privacy@nimbusapi.net for enterprise options.
5. Cookies
We use one first-party cookie: a session cookie that keeps you logged in to the Dashboard. It is HttpOnly, Secure, SameSite=Lax, and expires when you log out or after 30 days of inactivity. We do not use analytics cookies, advertising cookies, or third-party tracking pixels on this site.
6. Retention
- Account data: retained while the account is open, deleted 30 days after account closure.
- Aggregate usage counters: 24 months, then anonymized (email replaced with a hash) for internal analytics.
- Security telemetry (IPs, user-agents, login timestamps): 90 days.
- Payment records: 7 years, to meet U.S. tax and accounting obligations.
7. Your rights
Depending on where you reside, you may have rights under the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, the California Consumer Privacy Act (CCPA), or similar laws. These include:
- Access. Request a copy of the personal data we hold about you.
- Portability. Receive that data in a machine-readable format.
- Correction. Ask us to fix inaccurate data.
- Deletion. Ask us to delete your data (subject to legal retention requirements).
- Objection. Object to specific uses of your data.
- Complaint. Lodge a complaint with your local supervisory authority.
To exercise any of these rights, email privacy@nimbusapi.net from the address associated with your account. We respond within 30 days.
8. Security
We use TLS 1.2+ for all traffic, hash passwords with bcrypt, hash API keys at rest, enforce least-privilege access to production data, and log administrative access for audit. No system is perfectly secure — if we ever suffer a breach affecting your personal data, we will notify you and any applicable authority within the deadlines imposed by law.
9. International transfers
Our infrastructure is hosted in the United States (primarily on Vercel, Cloudflare, and Azure). If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S. Where required, we rely on Standard Contractual Clauses for transfers of EU personal data.
10. Children
The Service is not directed at children under 13, and we do not knowingly collect personal data from them. If we learn we have collected data from a child under 13, we will delete it.
11. Changes
We may update this policy. Material changes will be announced by email and shown as a banner in the Dashboard for 30 days. The "Last updated" date at the top reflects the most recent revision.