Privacy Policy

StrategicSyntax SL · Madrid, Spain · Effective 14 June 2026

1.Who We Are (Data Controller)

This Privacy Policy explains how we collect, use and protect personal data in connection with the Cudator service ("Cudator", the "Service", "we", "us" or "our").

The data controller responsible for your personal data is:

StrategicSyntax SL, a company incorporated in Madrid, Spain.
Registered address: Calle Luis Carreño, núm. 9, 1A, 28750 San Agustín del Guadalix (Madrid), Spain
CIF/VAT number: ESB26652156
Contact for all enquiries, including privacy and data protection requests: support@cudator.ai

Effective date: 14 June 2026.

This document is provided in good faith as a transparency template describing how the Service handles personal data. It is not legal advice and does not create any legal relationship between us and the reader beyond what is set out here. If you are a customer assessing your own compliance obligations, you should consult your own legal counsel and, where appropriate, carry out your own data protection assessment.

2.Scope

This Privacy Policy applies to personal data processed when you create or administer a Cudator account, use the Cudator API gateway and reseller billing features, visit our websites, or otherwise communicate with us.

It does not govern how the third-party model providers you choose to route requests to process the content you send them. Each such provider acts under its own terms and privacy policy in respect of that processing. See the section on sharing and sub-processors below.

3.What Cudator Is

Cudator is a multi-provider large language model (LLM) router and API gateway. It exposes a single OpenAI-compatible API endpoint and routes each request to a suitable third-party model provider (for example OpenAI, Anthropic, Google, Mistral, Cohere, Voyage AI, or self-hosted models such as vLLM/DeepSeek) according to policy criteria such as cost, latency, quality and region or data residency.

Cudator also provides reseller billing: a prepaid wallet with spend caps per key, team or entity; multi-currency settlement; VAT/GST handling; and consolidated invoicing across subsidiaries.

4.Our Core Privacy Promise — Zero Payload Retention

Cudator does not retain the prompts you send or the responses returned to you. We operate on a zero data retention basis for request and response payloads: the content of your API calls is passed through to the chosen model provider and is not stored by us afterwards.

What we do retain is usage metadata only. Every call is logged at the request level, recording: the model used, the region, token counts, cost, timestamps and the request status. We use this metadata for audit, metering and billing. It does not include the body of your prompts or the model's responses.

5.Personal Data We Collect

We collect and process the following categories of personal data:

Account and contact details — such as name, email address, organisation or team name, login credentials and account role.
Billing data — such as wallet balance, spend caps, invoices, currency, tax identifiers (e.g. VAT/GST numbers) and limited payment-related information handled by our payment processor. We do not store full card numbers.
Usage metadata only — for each request: the model, region, token counts, cost, timestamps and status. As stated above, prompt and response payloads are not retained.
Cookies and analytics data — information collected through our websites, as described in the cookies section below.
Support communications — the content of messages you send us and our correspondence with you.

6.How and Why We Use Your Data

We use personal data for the following purposes:

To create, operate and secure your account and provide the Service.
To route API requests and apply policy-based provider selection.
To meter usage, manage prepaid wallets and spend caps, calculate cost, handle taxes and issue invoices.
To maintain request-level audit logs (metadata only) for accountability and billing accuracy.
To provide customer support and respond to your enquiries.
To detect, prevent and investigate fraud, abuse and security incidents.
To improve and maintain the reliability and performance of the Service.
To send service-related communications and, where applicable, comply with our legal and tax obligations.

7.Legal Bases for Processing (GDPR Article 6)

We rely on the following legal bases under Article 6 of the General Data Protection Regulation (GDPR):

Performance of a contract (Art. 6(1)(b)) — to provide the Service, operate your account, route requests and carry out billing.
Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud and abuse, maintain audit logs, and improve reliability and performance, where these interests are not overridden by your rights.
Consent (Art. 6(1)(a)) — for optional analytics cookies and any optional communications. You may withdraw consent at any time.
Legal obligation (Art. 6(1)(c)) — to meet accounting, tax and other statutory requirements.

8.Cookies

Our websites use cookies. We display a cookie-consent banner on your first visit. Essential cookies, which are necessary for the site to function and to remember your preferences, are always active. Optional analytics cookies are only set if you give your consent through the banner.

You can change or withdraw your cookie choices at any time using the banner or your browser settings.

9.Sharing and Sub-processors

We do not sell your personal data. We share data only with the service providers needed to operate Cudator, who act as our processors or sub-processors under appropriate agreements:

Amazon Web Services (AWS) — cloud hosting and infrastructure (compute, database, cache), including email delivery.
Cloudflare — DNS, TLS, content delivery (CDN) and static site hosting (Pages).
Stripe — payment processing.
Third-party LLM providers you choose to route to (for example OpenAI, Anthropic, Google, Mistral, Cohere, Voyage AI, and self-hosted models such as vLLM/DeepSeek — see the provider list in What Cudator Is above, and others you select) — they process the request content you send to them. Each provider's own terms and privacy policy apply to that processing, and they act as independent controllers or processors in respect of it, depending on the provider.

We may also disclose personal data where required by law or to protect our rights, safety or property.

10.International Transfers

Some of our sub-processors and the model providers you route to may process personal data outside the European Economic Area (EEA). Where this happens, we rely on appropriate safeguards under Chapter V of the GDPR, principally the European Commission's Standard Contractual Clauses (SCCs), together with any additional measures needed to protect the data. You may contact us at support@cudator.ai for more information about the safeguards in place.

11.Data Retention

We keep personal data only for as long as necessary for the purposes set out in this Policy:

Prompt and response payloads — not retained (zero data retention).
Account and contact details — for the duration of your account, and for a reasonable period afterwards to handle closure, disputes and legal claims.
Usage metadata and audit logs — retained for as long as needed for billing, audit and security, and to meet our legal obligations.
Billing and tax records — retained for the period required by applicable accounting and tax law.
Support communications — retained for as long as needed to handle your request and for a reasonable period thereafter.

When data is no longer required, we delete or anonymise it.

12.Your Rights Under the GDPR

Subject to the conditions in the GDPR, you have the right to:

Access the personal data we hold about you.
Rectification of inaccurate or incomplete data.
Erasure of your data ("right to be forgotten").
Data portability — to receive your data in a structured, commonly used, machine-readable format.
Restriction of processing in certain circumstances.
Objection to processing based on our legitimate interests.
Withdraw consent at any time, where processing is based on consent, without affecting prior processing.

To exercise any of these rights, contact us at support@cudator.ai. You also have the right to lodge a complaint with the Spanish supervisory authority, the Agencia Española de Protección de Datos (AEPD) (www.aepd.es; C/ de Jorge Juan, 6, 28001 Madrid, Spain), or with the supervisory authority in your country of residence.

13.Security

We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse or alteration. These include encryption in transit (TLS), access controls, encryption of stored provider credentials, and request-level audit logging of usage metadata. Our zero data retention design for prompts and responses further limits exposure. No system can be guaranteed completely secure, but we work to maintain protections appropriate to the risk.

14.Children

The Service is intended for businesses and is not directed to children or minors. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@cudator.ai and we will take appropriate steps to delete it.

15.Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. When we make material changes, we will update the effective date and, where appropriate, provide additional notice. We encourage you to review this Policy periodically.

16.Governing Law and Contact

This Privacy Policy is governed by the laws of Spain. Subject to any mandatory rights you have as a data subject, the courts of the city of Madrid, Spain shall have exclusive jurisdiction over any dispute arising from it.

For any question, request or complaint regarding privacy or this Policy, contact us at:

StrategicSyntax SL
Calle Luis Carreño, núm. 9, 1A, 28750 San Agustín del Guadalix (Madrid), Spain
Email: support@cudator.ai