Privacy Policy
How Verlon handles your data. The short version: we don't store the content of your prompts or responses unless you explicitly turn it on, and every internal access of stored content is recorded with a reason.
- Payload storage is off by default. Verlon does not write the content of your prompts or responses to disk unless you opt in.
- Encrypted at rest when opted in. Prompt and response bodies are wrapped in AES-256-GCM before being written to the database.
- Every internal view is recorded. Verlon employees cannot decrypt stored content without picking a reason category and typing a specific detail. The action is logged before the data is returned.
- 30-day retention for content. Opted-in payload content is nulled after 30 days. Metadata is retained while your account is active.
Overview
Verlon ("we", "us", "our") operates the Verlon AI infrastructure platform. This Privacy Policy explains what we collect, what we do with it, how long we keep it, and the controls you have over it. The defaults are deliberately minimal: we collect what we need to run the platform and nothing more.
What we collect
Account information
- Your email address
- A hashed password (bcrypt)
- Account creation date
Usage metadata
For every API request you send through Verlon, we record metadata so the platform can route traffic, surface usage in your dashboard, and detect abuse:
- Gate identifier and gate configuration at request time
- Model used and routing decision
- Token counts, cost, latency, success / error status, timestamps
- Session identifier (when supplied by your code)
Prompt and response content
We do not store the content of your prompts or responses by default. Every account starts with payload storage turned off. New requests are logged with metadata only — the actual message text, tool inputs, and tool outputs are never written to disk.
You can opt in to encrypted payload storage from your dashboard under Settings → Security & Privacy. When opted in, prompt and response bodies are persisted so you can see them in your dashboard logs. Verlon does not scrub, modify, or filter the content — what you sent is what gets stored. You are responsible for deciding what data to send through us, including any personal information the prompts may contain.
Technical data
Automatically captured:
- IP address
- Browser type and version
- Device information
- Access times
How we use it
- To run the routing, gating, and billing layer
- To render your dashboard analytics
- To detect and prevent abuse or fraud
- To improve the product and ship new features
- To send service updates you can't opt out of
Storage & security
In transit
All traffic between you, Verlon, and upstream model providers is TLS 1.2+.
At rest (when payload storage is enabled)
Prompt and response bodies are wrapped in an AES-256-GCM envelope before being written to the database. A fresh initialization vector is generated for every row, and an authentication tag detects any tampering. The master encryption key is stored as a process environment variable, separated from the database that holds the ciphertext.
Account secrets
Passwords are hashed with bcrypt. Provider API keys you supply via BYOK are encrypted with the same AES-256-GCM scheme as payload content.
Infrastructure
Verlon runs on Railway (compute) and managed PostgreSQL. Both have their own physical-security and SOC 2 postures.
Internal access & audit
Verlon employees can decrypt a stored prompt or response only by explicitly revealing it one row at a time from our admin dashboard. Bulk decryption is not possible — the admin listing UI shows metadata only, with payload columns returned as null.
Every reveal requires the employee to pick a reason category (support ticket, abuse investigation, bug investigation, quality review, or other) and type a specific free-text detail. The audit row — including who viewed which request, when, the reason, and the source IP — is written to our audit table before the decrypted content is returned.
If you want a report of every internal view of your account's data, email micah@verlon.ai.
Third-party providers
Verlon proxies your requests to upstream AI providers (OpenAI, Anthropic, Google, Mistral, and others). When you use these providers through Verlon:
- Your prompt and the provider's response transit our infrastructure so we can route, log metadata, and apply your gate configuration.
- Each provider has their own privacy policy and data-handling terms. Using a provider through Verlon does not change how that provider treats the content of your requests.
- Whether Verlon retains your prompt and response content after the request completes depends on your account's payload-storage setting. The default is off.
- Provider API keys you supply via BYOK are encrypted at rest with AES-256-GCM.
Retention
Different categories of data have different retention windows:
- Account data (email, password hash, gate configurations, BYOK keys): retained until you delete your account.
- Prompt and response content (only present when you have opted in to payload storage): 30 days, after which a nightly worker nulls the payload columns. Once nulled, recovery is not possible.
- Request metadata (model, tokens, cost, latency, timestamps, gate id): retained while your account is active so historical usage charts work. Deleted when you delete your account.
- Audit logs (admin actions on your account, including payload reveals): retained for accountability as long as your account is active.
Your rights
You have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Export your data
- Opt out of analytics
To exercise any of these, email micah@verlon.ai.
Self-hosted deployments
If you self-host Verlon, you control all data storage and processing. This Privacy Policy does not apply to your deployment; you are responsible for compliance with applicable laws.
Children's privacy
Verlon is not intended for users under 13. We do not knowingly collect information from children under 13.
Changes to this policy
We may update this Privacy Policy from time to time. Substantive changes will be announced by email or in the product.
Contact
Questions or requests about this policy:
Email: micah@verlon.ai
Docs: docs.verlon.ai