Privacy
Last updated: April 19, 2026
Our commitment
No one — not LaunchPod, not the model providers, not Cloudflare, not any employee — should be able to read the contents of your prompts. This page describes what we do today to make that true, what we do not yet do, and how we plan to prove it.
What we do today
PII scrubbing before the prompt leaves your VM
Every prompt your bot generates runs through a redaction layer on your VM before it is sent to any model provider. Email addresses, phone numbers (E.164 format), US Social Security numbers, credit card numbers (Luhn-validated), and IP addresses are replaced with opaque tokens. The model provider sees the tokens, not the underlying values. The scrubbed tokens are restored on the response before your bot sees it. The original prompt is never written to any log we control.
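The redaction round trip described above, as an added example that is not LaunchPod's own router code. The regexes, the `[KIND_n]` token format, and the names `luhn_ok`, `scrub`, and `restore` are assumptions of this example; the sample prompt is constructed.

```python
import re

# Detection patterns are assumptions of this example, applied in this order.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("PHONE", re.compile(r"\+[1-9]\d{7,14}\b")),        # E.164
    ("CARD", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),  # 13-19 digits
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("IP", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
                      r"(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
]

def luhn_ok(candidate):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scrub(prompt):
    """Return (scrubbed_prompt, vault). The vault never leaves the VM."""
    vault, seen = {}, {}                    # token -> value, value -> token
    def replacer(kind):
        def sub(match):
            value = match.group(0)
            if kind == "CARD" and not luhn_ok(value):
                return value                # not a plausible card number
            if value not in seen:           # repeated values share one token
                seen[value] = f"[{kind}_{len(vault) + 1}]"
                vault[seen[value]] = value
            return seen[value]
        return sub
    for kind, pattern in PATTERNS:
        prompt = pattern.sub(replacer(kind), prompt)
    return prompt, vault

def restore(text, vault):
    """Swap tokens in the provider's response back to the original values."""
    for token, value in vault.items():
        text = text.replace(token, value)
    return text

# Constructed sample prompt; the second 16-digit number fails the Luhn check.
SAMPLE = ("Mail jane@example.com or call +14155550123. SSN 078-05-1120, "
          "card 4111 1111 1111 1111, order 4111 1111 1111 1112, host 192.0.2.44.")
```

The Luhn-invalid number is left in place: validation cuts false positives on order numbers, but a mistyped card number also passes through unredacted.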
Zero Data Retention routing
We route model calls through OpenRouter's Zero Data Retention (ZDR) endpoints. Providers on ZDR contractually agree not to log, retain, or train on prompts and responses. If a model is not available on a ZDR path, we do not offer it on the platform.
Dedicated VM per customer
Every bot runs on its own Hetzner Cloud virtual machine with its own memory, disk, and process tree. There is no shared runtime, no multi-tenant container, and no other customer's code running alongside yours. If LaunchPod shuts down tomorrow, your server is still your server.
EU jurisdiction
Your VM is provisioned in Helsinki or Falkenstein (European Union) on Hetzner infrastructure. GDPR applies by default. Santuri LLC, the operating entity, is a US company but your data processing happens in the EU. See sub-processors for the full data-flow map.
We never train on your data
We do not use your prompts, responses, or VM contents to train any model, fine-tune any model, or build any dataset. We do not sell or share your data with marketers, advertisers, or data brokers. This is a hard operational commitment, not a toggle.
What we do NOT do
We try to be honest about the current limits of the system.
- No end-to-end encryption of prompts. Model providers necessarily see the (scrubbed) prompt content in order to respond. ZDR reduces retention risk but does not make the content invisible. If you have a prompt that must never be seen in plaintext by any third party, do not send it to any hosted LLM — ours or anyone else's.
- No full-disk encryption at rest yet. Hetzner volumes are not encrypted at the block level by default. Physical seizure of the host disk would expose VM state. We are evaluating LUKS-encrypted volumes as part of the Phase 2 roadmap.
- No control over what Telegram, Discord, or your connected apps see. When your bot sends a message through Telegram, Telegram sees it. When your bot reads from Discord, Discord saw it first. The messaging platforms are outside our boundary. We recommend reading their privacy policies before connecting your bot.
- No hardware attestation or sealed enclaves today. We are working toward TEE-backed inference and cryptographic receipts as a Phase 2 commitment. We do not currently claim to deliver them. Do not assume any prompt is invisible to an operator with root on the model provider's hardware.
- We retain operational metadata. Instance names, creation timestamps, billing records, and API request metadata (timestamps, endpoints, user IDs) are retained for operations and compliance. We do not retain prompt or response content.
How we prove it
- Open-source router. The PII scrubber and ZDR routing code that runs on every VM is open-source. You can read it, audit it, and verify that your VM is running the version we publish.
- Transparency report. We publish a quarterly transparency report with government data requests received (count and type), any policy violations found, and any sub-processor changes.
- Whitepaper (coming soon). A technical deep-dive on the scrubber, the routing rules, the provider contracts, and our Phase 2 roadmap toward TEE inference and attestation.
1. Overview
LaunchPod ("we", "us"), operated by Santuri LLC, is a managed cloud hosting service for AI agent software. This section describes, in legal terms, what data we collect, how we use it, and your rights.
2. Data We Collect
Account data
When you create an account, we collect your email address and name via Clerk (our authentication provider). We also store a Stripe customer ID for billing.
Billing data
Payment information (credit card details) is collected and processed by Stripe. We do not store your full credit card number. We receive a Stripe customer ID and subscription status.
Instance data
We store metadata about your instances: instance ID, name, status, creation date, and server ID. Terminal access to your VM is provided via a secure tunnel — no SSH keys are stored by LaunchPod. We do not access, monitor, or log the contents of your VM, including files or AI conversations.
Usage data
We collect basic analytics on our marketing site (page views, referrers). We log API request metadata (timestamps, endpoints, user IDs) for operational monitoring. We do not use third-party tracking cookies.
Third-party integrations
If you connect messaging platforms (such as Telegram or Discord) or external accounts (such as Google via OAuth) to an AI agent running on your instance, those credentials and any associated data are stored only on your dedicated VM. LaunchPod does not receive, proxy, or store your messaging tokens, OAuth tokens, or conversation history from these integrations.
CLI authentication
If you use the LaunchPod CLI, we issue a short-lived JWT token stored on your local machine. This token authenticates CLI requests to our API and expires after 30 days.
3. How We Use Your Data
- To provision and manage your cloud instances
- To process payments and manage subscriptions
- To provide terminal access to your instances
- To route model calls through ZDR providers and meter credit usage
- To send transactional emails (account, billing)
- To monitor and improve the Service
4. Data Storage and Security
Account and instance metadata is stored in a Supabase Postgres database. Sensitive fields are encrypted at rest using AES-256-GCM. Your VM instances run on dedicated cloud servers in the European Union. Each instance is a dedicated VM — your data is not shared with other users.
5. Sub-processors
We use a small number of third-party services to operate the platform. Each is listed with its purpose and jurisdiction on our sub-processors page. Model inference is routed through OpenRouter on Zero Data Retention endpoints. We only share the minimum data necessary for each service to function.
6. Model Access and Credits
LaunchPod provides AI model access directly — you do not need to supply your own API keys. Every account includes 1,000 credits, with additional credit packs available for purchase. Credit balances are metered per-call on our infrastructure based on the model provider's published rates plus a platform margin. Model calls are routed through OpenRouter's ZDR endpoints; we do not receive or retain the contents of those calls.
7. Data Retention
Account data is retained while your account is active. When you delete your account or cancel your subscription, your instances and all data on them are permanently deleted. We retain billing records as required by law. API logs (metadata only, no prompt content) are retained for 90 days for operational purposes.
8. Your Rights
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and data
- Export your data
- Request a Data Processing Agreement (DPA) if you are an EU business
To exercise these rights, email hello@santuri.io.
9. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email. The "last updated" date at the top reflects the most recent revision.
10. Contact
Questions about this policy? Email us at hello@santuri.io.