4 OPEN-SOURCE AGENTS, ALWAYS-ONSANTURI · SCOPED PER ENGAGEMENTYOUR OWN DEDICATED VMTELEGRAM + GOOGLE WORKSPACE NATIVEEMAIL CHARLIE@SANTURI.IO 4 OPEN-SOURCE AGENTS, ALWAYS-ONSANTURI · SCOPED PER ENGAGEMENTYOUR OWN DEDICATED VMTELEGRAM + GOOGLE WORKSPACE NATIVEEMAIL CHARLIE@SANTURI.IO

Privacy

Last updated: April 19, 2026

Our commitment

No one (not LaunchPod, not the model providers, not Cloudflare, not any employee) should be able to read the contents of your prompts. This page describes what we do today to make that true, what we do not yet do, and how we plan to prove it.

What we do today

Zero Data Retention routing

Every model call goes through OpenRouter on a Zero Data Retention (ZDR) contract path. Providers on ZDR contractually agree not to log, retain, or train on prompts and responses. If a model is not available on a ZDR path, we do not offer it on the platform, not even as a fallback.

No prompt or response logs on our infrastructure

Prompt and response content is not written to any log we control. Not on your VM, not on the API server, not in metrics. Operational telemetry (instance names, timestamps, billing records, error codes) is retained for ops and compliance, but the content of what you and your bot say to each other is not.

Dedicated VM per customer

Every bot runs on its own Hetzner Cloud virtual machine with its own memory, disk, and process tree. There is no shared runtime, no multi-tenant container, and no other customer's code running alongside yours. If LaunchPod shuts down tomorrow, your server is still your server.

Data jurisdiction

Your VM runs on European cloud infrastructure. GDPR principles apply by default. Santuri LLC, the operating entity, is a US company; model inference runs through sub-processors listed on the sub-processors page. See that page for the full data-flow map.

We never train on your data

We do not use your prompts, responses, or VM contents to train any model, fine-tune any model, or build any dataset. We do not sell or share your data with marketers, advertisers, or data brokers. This is a hard operational commitment, not a toggle.

What we do NOT do

We try to be honest about the current limits of the system.

  • No end-to-end encryption of prompts. Model providers necessarily see prompt content in order to respond. ZDR reduces retention risk but does not make the content invisible. If you have a prompt that must never be seen in plaintext by any third party, do not send it to any hosted LLM (ours or anyone else's).
  • No full-disk encryption at rest yet. Hetzner volumes are not encrypted at the block level by default. Physical seizure of the host disk would expose VM state. We are evaluating LUKS-encrypted volumes as part of the Phase 2 roadmap.
  • No control over what Telegram, Discord, or your connected apps see. When your bot sends a message through Telegram, Telegram sees it. When your bot reads from Discord, Discord saw it first. The messaging platforms are outside our boundary. We recommend reading their privacy policies before connecting your bot.
  • No hardware attestation or sealed enclaves today. We are working toward TEE-backed inference and cryptographic receipts as a Phase 2 commitment. We do not currently claim to deliver them. Do not assume any prompt is invisible to an operator with root on the model provider's hardware.
  • We retain operational metadata. Instance names, creation timestamps, billing records, API request metadata (timestamps, endpoints, user IDs) are retained for operations and compliance. We do not retain prompt or response content.

How we prove it

  • Whitepaper (coming soon). A technical deep-dive on the routing rules, the provider contracts, and our Phase 2 roadmap toward TEE inference and attestation.

1. Overview

LaunchPod ("we", "us"), operated by Santuri LLC, is a managed cloud hosting service for AI agent software. This section describes, in legal terms, what data we collect, how we use it, and your rights.

2. Data We Collect

Account data

When you create an account, we collect your email address and name via Clerk (our authentication provider). We also store a Stripe customer ID for billing.

Billing data

LaunchPod is a Santuri service. Billing is set up directly with you as part of your engagement. When invoicing flows through Stripe, any payment information you provide is collected and processed by Stripe. We do not store your full credit card number. We receive a Stripe customer ID and subscription status.

Instance data

We store metadata about your instances: instance ID, name, status, creation date, and server ID. Terminal access to your VM is provided via a secure tunnel. No SSH keys are stored by LaunchPod. We do not access, monitor, or log the contents of your VM, including files or AI conversations.

Usage data

We collect basic analytics on our marketing site (page views, referrers). We log API request metadata (timestamps, endpoints, user IDs) for operational monitoring. We do not use third-party tracking cookies.

Third-party integrations

If you connect messaging platforms (such as Telegram or Discord) to an AI agent running on your instance, those credentials and any associated data are stored only on your dedicated VM. If you optionally connect external accounts (e.g., via your framework's BYOK flow) to an AI agent running on your instance, those credentials are stored only on your VM. LaunchPod does not receive, proxy, or store your messaging tokens, OAuth tokens, or conversation history from these integrations.

3. How We Use Your Data

  • To provision and manage your cloud instances
  • To process payments and manage subscriptions
  • To provide terminal access to your instances
  • To route model calls through ZDR providers and meter credit usage
  • To send transactional emails (account, billing)
  • To monitor and improve the Service

4. Data Storage and Security

Account and instance metadata is stored in a Supabase Postgres database, which Supabase encrypts at rest at the platform level. Your VM instances run on dedicated cloud servers. Each instance is a dedicated VM, so your data is not shared with other users. See the sub-processors page for the current limits on at-rest encryption.

5. Sub-processors

We use a small number of third-party services to operate the platform. Each is listed with its purpose and jurisdiction on our sub-processors page. Model inference is routed through OpenRouter on Zero Data Retention endpoints. We only share the minimum data necessary for each service to function.

6. Model Access

LaunchPod provides AI model access directly. You do not need to supply your own API keys. Inclusive model usage, overage handling, and the model menu are scoped per engagement. Model calls are routed through OpenRouter's ZDR endpoints; we do not receive or retain the contents of those calls.

7. Data Retention

Account data is retained while your account is active. When you delete your account or cancel your subscription, your instances and all data on them are permanently deleted. We retain billing records as required by law. API logs (metadata only, no prompt content) are retained for 90 days for operational purposes.

8. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and data
  • Export your data
  • Request a Data Processing Agreement (DPA) if you are an EU business

To exercise these rights, email hello@santuri.io.

9. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email. The "last updated" date at the top reflects the most recent revision.

10. Contact

Questions about this policy? Email us at hello@santuri.io.

© launchpod 2026 ★ a santuri servicemade with care · cloudflare-powereddocsprivacyterms