Privacy Policy

Mytm-Group SAS, registered in France, is the data controller for HiWay2LLM. Contact: privacy@hiway2llm.com

3.1. Account Data (legal basis: contract execution)

• Email address
• Password hash (PBKDF2-SHA256 — we never store plaintext passwords)
• API key hashes (SHA-256 — we never store plaintext API keys)
• Account creation date

3.2. Usage Metadata (legal basis: contract execution + legitimate interest)

• Request timestamp
• Model selected by the router
• Token count (input/output)
• Cost in USD
• Routing tier (light/standard/heavy)
• Routing latency (milliseconds)
• Complexity score (0.0 to 1.0)

This data is used for billing, analytics, and Service improvement. It does NOT contain any prompt content, response content, or personally identifiable information beyond the account email.

3.3. Payment Data (legal basis: contract execution)

Payment is processed by Stripe, Inc. The Company does not store credit card numbers. See Stripe's Privacy Policy.

• Prompt content (messages sent to LLMs)
• LLM response content
• System prompts
• Tool definitions or tool call results
• IP addresses (not logged)
• Browser fingerprints or cookies (dashboard uses localStorage only)
• Location data

5.1. LLM Providers: Your prompts are forwarded to the LLM provider selected by the routing engine (Anthropic, OpenAI, Google, Mistral, DeepSeek). Each provider has its own privacy policy. HiWay2LLM uses the provider's API — we do not add any tracking or metadata to your prompts.

5.2. Stripe: Payment data is processed by Stripe. No credit card data passes through HiWay2LLM servers.

5.3. We do NOT sell, rent, or share personal data with any other third party.

• Account data: retained until account deletion
• Usage metadata: retained for 24 months for billing and analytics
• Payment records: retained for 10 years (French accounting law)
• Prompt/response content: NOT retained (zero seconds)

Under the General Data Protection Regulation (EU) 2016/679, you have the right to:

• Access — request a copy of your data
• Rectification — correct inaccurate data
• Erasure — request deletion of your account and data
• Portability — receive your usage data in JSON format
• Objection — object to processing based on legitimate interest
• Restriction — request restriction of processing

To exercise these rights, contact privacy@hiway2llm.com. We respond within 30 days.

8.1. HiWay2LLM is a routing proxy, not an AI system as defined by the EU AI Act (Regulation 2024/1689). We do not train, fine-tune, or deploy AI models.

8.2. The routing scoring engine uses deterministic heuristics (CPU-based pattern matching), not machine learning. It does not make decisions that affect natural persons.

8.3. We provide full transparency on routing decisions: every response includes headers indicating which model was selected, the complexity score, and the routing latency.

8.4. Clients using HiWay2LLM to deploy AI systems remain responsible for their own AI Act compliance obligations.

• All connections use TLS 1.3 (HTTPS enforced by Caddy)
• Passwords hashed with PBKDF2-SHA256 (100,000 iterations)
• API keys hashed with SHA-256
• Redis data encrypted at rest (when using managed Redis)
• Server hosted in OVH datacenter (France, EU)
• No prompt data touches persistent storage

Enterprise clients can request a Data Processing Agreement (DPA) compliant with GDPR Article 28. Contact legal@hiway2llm.com.

You may file a complaint with the French data protection authority (CNIL): www.cnil.fr