Privacy Policy

• MEGA PROMOTING SRL, IDNO 1019600021765, registered in the Republic of Moldova.
• Registered office: s. Dănceni, Ialoveni district, MD-6814, Republic of Moldova.
• Data Protection Officer (DPO): privacy@megapromoting.com.

• Account: email address, optional name, password (bcrypt hashed), MFA secret (optional), connected OAuth accounts.
• Payment data via Stripe (tokenized): we never store full card numbers. Stripe processes payment data on our behalf and returns a token. We retain invoices, amounts, and currency for accounting and tax purposes.
• Usage logs: request metadata (model name, token counts, latency, status code, timestamp, API key alias). We do not store the body of your prompts or completions in standard mode.
• IP address: captured on login and API calls for security auditing and rate limiting.

• Performance of a contract (Art. 6(1)(b) GDPR): account creation, API delivery, billing, technical support.
• Legitimate interest (Art. 6(1)(f) GDPR): security audit logs, anti-abuse rate limiting, fraud prevention, aggregated product analytics. A proportionality test has been performed.
• Consent (Art. 6(1)(a) GDPR): marketing emails, non-essential cookies. You may withdraw consent at any time without penalty.
• Legal obligation (Art. 6(1)(c) GDPR): tax records retention, AML where applicable.

We never sell your data. We do not share it with advertising networks or behavioral tracking platforms. We share data only with the following categories of sub-processors, each bound by a written Data Processing Agreement under Art. 28 GDPR:

• Stripe (USA, covered by EU-U.S. Data Privacy Framework) — payment processing.
• Infobip (Croatia, EU) — transactional email and SMS delivery.
• Cloudflare (USA, DPF) — CDN, DDoS protection, WAF.
• Upstream LLM providers (OpenAI, Anthropic, Google, xAI, Mistral, and others) — your prompt content is forwarded to the provider you selected so they can return a completion. The provider processes the request under their own terms, which we summarize in our DPA sub-processor table.

Under GDPR and Moldovan data protection law, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectify — correct inaccurate or incomplete data.
• Delete — request erasure when the purpose no longer exists.
• Portability — receive your data in a structured, machine-readable format.
• Restrict — temporarily limit processing.
• Object — to processing based on legitimate interest or marketing.
• Lodge a complaint with your national Data Protection Authority (DPA) — for EU residents — or the National Center for Personal Data Protection (CNPDCP, datepersonale.md) for Moldovan residents.

Requests: privacy@megapromoting.com. We respond within 30 days (extendable by 2 months for complex requests, with notice).

• NEXT_LOCALE — stores your language preference. Lifetime: 1 year. Essential for serving content in your language.
• Session cookie — authenticates your session. Lifetime: 30 days. Essential.
• No tracking cookies. We do not use Google Analytics, advertising pixels, or any third-party behavioral tracking.

• Active account data: for as long as your account is active, plus one (1) year after account closure for legal defense and dispute resolution.
• Operational logs: 90 days, then automatically purged.
• Invoices and accounting records: 7 years, as required by Moldovan tax law.
• Backups: deletion propagates within 60 days maximum.

For any question or request related to your personal data:

privacy@megapromoting.com
MEGA PROMOTING SRL, s. Dănceni, Ialoveni district, MD-6814, Republic of Moldova
IDNO 1019600021765