Privacy Policy

Welcome to LibreChat. We value your privacy and strive to protect your personal data. This Privacy Policy outlines the types of data we collect, how we use it, and the measures we take to protect it.

Data Collection and Usage

What Data Do You Collect?

Our API service collects and processes several types of data to ensure optimal functionality and user experience. The legal basis for processing this data is as follows:

  • Personally Identifiable Information (PII): We capture your name, email address, and avatar image. These details can be obtained through social providers like Google and GitHub or directly from you via a dialog prompt. The legal basis for processing PII is user consent and contractual necessity.
  • Usage Data: We monitor API usage details, encompassing subscription information such as ID, status, usage limit, current period end, and cancellation status at the end of the period. This data is processed under our legitimate interests to improve services.
  • Payment Information: We store the Stripe customer ID along with comprehensive invoice details, such as user ID, Stripe invoice ID, status, plan and price IDs, date, amount, currency, customer email, description, due date, discounts, and applicable taxes. Payment information is processed to fulfill contractual obligations and comply with legal requirements.
  • Agreements and Consents: We keep records of your agreements to our terms of service, privacy policy, and refund policy. This includes an agreed status, timestamp, version, method of agreement, and consent text. Additionally, we log device information through ua-parser-js and your IP address to enhance the accuracy of this data. The legal basis for processing this data is user consent.
  • User-Uploaded Files: Files are collected directly from you for the purpose of AI code processing, which is our primary service. This processing is based on user consent.

How Do You Collect Data?

  • Direct Input from Users: Information like name and email is provided directly by you, either through social media login or input prompts. You may also upload files for the code processing service.
  • Automatic Collection through API Usage: Details related to API usage and subscriptions are logged automatically as you interact with our API.
  • Third-Party Sources: Authentication data may be collected from third-party services like Google and GitHub for authentication purposes.
  • Automatic Collection through Cookies: We use HTTP-only session cookies, particularly through NextAuth.js, to maintain user authentication state. These cookies are essential for the proper functioning of our service. The cookies are set as HTTP-only and can only be accessed via HTTPS connections, providing an additional layer of security.

International Data Transfers: If user data is transferred outside the country of origin, we ensure safeguards such as Standard Contractual Clauses (SCCs) are in place to protect data during these transfers. Our servers, including MongoDB Atlas and Cloudflare R2 buckets, comply with international data protection standards.

Why Do You Collect This Data?

We collect data for several essential purposes:

  1. Providing and Improving the API Service: To deliver our core API functionality efficiently, personalize user experience, and continuously enhance our services.
  2. User Authentication and Authorization: To verify user identities, manage user accounts, control access levels, and maintain secure user sessions using HTTP-only cookies.
  3. Billing and Payment Processing: To facilitate billing, manage subscriptions, and provide detailed invoicing and transaction history.
  4. Analytics and Performance Monitoring: To analyze usage patterns for service improvement, monitor API performance, and generate insights for product development.
  5. File Processing and Management: To handle and process user-uploaded files for our code processing service.
  6. Session Management: Use HTTP-only cookies to securely maintain user authentication state.

How Do You Use the Collected Data?

  1. Service Delivery and Improvement: Utilize usage data to optimize API performance and user experience.
  2. Account Management: Use personal information to create and manage user accounts and apply usage data to enforce subscription limits.
  3. Security and Fraud Prevention: Monitor usage patterns to detect security threats and use authentication data to secure user accounts.
  4. Billing and Financial Operations: Process payment information for accurate billing and generate invoices.
  5. Customer Support: Access user data to provide personalized support and troubleshoot technical issues.
  6. Product Development: Analyze usage trends to guide product roadmap and feature prioritization.
  7. File Processing: Use uploaded files to perform requested code processing tasks.
  8. Compliance and Legal Obligations: Maintain necessary records for compliance and respond to legal requests.
  9. Communication: Use contact information to send service updates, billing information, and promotional content.
  10. Data Breach Notification: In the event of a data breach affecting user data, we will notify affected users via email within 72 hours and provide information about the nature of the breach, data affected, and measures taken to contain and mitigate the breach.

Data Sharing and Disclosure

Do You Share Data with Third Parties?

We share payment-related data with payment processors like Stripe for billing purposes. Additionally, we may share data with third-party service providers such as hosting services, analytics tools, and customer support platforms. These providers are subject to strict data processing agreements to ensure user data is handled securely and in compliance with relevant regulations.

Third-Party Service Providers:

  • Stripe: Payment processing.
  • MongoDB Atlas: Data storage.
  • Cloudflare R2: File storage.

We provide links to the privacy policies of these third parties for full transparency.

Under What Circumstances Do You Disclose Data?

  • Legal Obligations: We may disclose data if required by law.
  • Mergers or Acquisitions: In the event of a merger or acquisition, user data may be transferred.
  • With User Consent: We may share data when users explicitly consent.
  • Data Breach: In the event of a data breach, we will notify affected users via email within 72 hours and inform regulatory authorities as required.

Data Security and Storage

How Do You Protect User Data?

  1. Encryption Protocols: All sensitive data is encrypted both in transit (using TLS/SSL) and at rest. User-uploaded files are encrypted using Cloudflare R2’s built-in encryption mechanisms.
  2. Access Controls: Strict access controls ensure that only authorized personnel can access user data, with the principle of least privilege enforced.
  3. Regular Security Audits: Regular security audits and third-party penetration testing are conducted to identify and mitigate vulnerabilities. We adhere to compliance standards like ISO 27001 for information security.
  4. User-Uploaded File Protection: Files are encrypted and stored for a limited 24-hour period with strict access policies.
  5. Database Security: We use MongoDB Atlas with encryption, network isolation, and advanced access controls for secure data storage.
  6. Temporary Log Storage: Temporary logs are encrypted and stored securely for monitoring purposes and are automatically purged after 30 days.
  7. Secure Configuration: Systems are configured following best practices and updated regularly to ensure security against potential threats.

Where Is Data Stored and for How Long?

  1. Storage Locations: Data is stored in MongoDB Atlas, Cloudflare R2 buckets, and secure servers. By default, these servers are located in the United States, unless otherwise specified.
  2. Data Retention Policy: User account data is retained while active and for as long as necessary to provide our services. User-uploaded files are automatically deleted after 24 hours. Temporary logs are kept for 30 days for monitoring and troubleshooting purposes.
  3. Deletion Criteria: Data is deleted upon account closure, user request, or when no longer needed for its intended purpose.
  4. User Control: Users can request data deletion at any time through our provided channels, and we comply with data protection laws like GDPR and CCPA, including the right to erasure.

User Rights and Controls

What Rights Do Users Have Regarding Their Data?

Users have the following rights regarding their personal data:

  • Access: Request access to their personal data.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of their data (right to be forgotten).
  • Portability: Obtain a copy of their data in a portable format.
  • Restrict Processing: Request to restrict how we process their data.
  • Withdraw Consent: Withdraw consent for data processing.
  • Object to Processing: Object to certain processing activities, including profiling.

How Can Users Exercise Their Rights?

  1. Account Settings: Users can update personal information and delete their account directly from the account settings.
  2. Email Requests: Users can contact us at [email protected] for data access, correction, deletion, portability, and other requests. We typically respond within 30 days and will verify the identity of the requester before proceeding.

Compliance and Updates

Which Data Protection Regulations Do You Comply With?

Our privacy policy aligns with GDPR, CCPA, and other relevant data protection regulations.

How Will Users Be Notified of Policy Changes?

Users will be notified of significant changes via email and a prominent notice on our website, with the opportunity to review changes before they take effect. For major changes, we may request renewed consent from users.

API-Specific Considerations

How Does Your API Handle User Authentication and Authorization?

  1. API Key Authentication: Users create unique API keys that must be included in every request.
  2. Authorization: Each API key is tied to the user’s account and associated permissions.
  3. Secure File Access: Temporary file operations require a session ID and file ID for secure access.
  4. Security Measures: All API communications are encrypted, and rate limiting is implemented.

What Data Logs Are Maintained for API Usage?

API usage logs include metadata on API calls, such as timestamps and user ID, for performance monitoring and anomaly detection.

Are There Usage Limits or Rate Restrictions?

API usage is subject to limitations specific to each subscription tier, with rate restrictions to ensure fair usage.

Contact Information

For privacy concerns, users can contact our privacy officer at [email protected] or by mail at:

LibreChat, LLC 1501 Venera Ave Suite 203, Coral Gables, FL 33146.

Additional Considerations

Automated Decision-Making and Profiling

Our API service does not engage in automated decision-making or profiling that has legal or significant effects on users. Data processing is limited to providing our core services and improving user experience.

Thank you for trusting LibreChat with your data. We are committed to protecting your privacy and providing a secure service experience.