1. Roles
You (the customer) are the controller of personal data sent through LMHaven. LMHaven is the processor. Where you send personal data to upstream model providers via our gateway, those providers act as our sub-processors.
2. Sub-processors
| Provider | Purpose | Region |
|---|---|---|
| Cloudflare R2 | Object storage (user records, payment intents, usage logs) | Global, EU-friendly |
| Anthropic | Claude model inference | USA |
| | Gemini model inference | Global |
| ByteDance / Volcano Engine | Seedream image inference | USA / Singapore |
| NovelAI | NovelAI image inference | USA |
| PixAI | PixAI image inference | Global |
| ElevenLabs | ElevenLabs voice inference | USA |
| Stripe | Card payment processing | USA / EU |
| PayPal | PayPal payment processing | USA / EU |
| Heleket | Crypto invoice processing | EU |
| Resend | Transactional email delivery | USA / EU |
| Railway | Application hosting | Global |

Material changes to the sub-processor list are announced in the changelog channel at least 14 days before taking effect.
3. Security measures
- Encryption in transit: TLS 1.2+ everywhere. HSTS preload enabled with a 2-year max-age.
- Encryption at rest: Cloudflare R2 server-side encryption (AES-256). Sensitive application fields additionally wrapped with AES-256-GCM using a 32-byte application key.
- Authentication: scrypt-hashed passwords with per-user random salts. HttpOnly session cookies; session tokens stored as SHA-256 hashes.
- Rate limiting: per-IP and per-account limits on auth and checkout endpoints.
- Webhook integrity: Stripe signatures verified via HMAC-SHA256 with a 5-minute clock window; PayPal verified server-side via PayPal’s verification endpoint; Heleket confirmed by polling Heleket and matching TXIDs.
- Idempotency: every payment crediting operation is locked on a (provider, event-id) pair to prevent double-credit.
- Source-map exposure: production builds ship without browser source maps; backend code is not retrievable from the client.
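
How the webhook-integrity and idempotency measures above fit together, as an added illustrative example (not LMHaven's own code). It assumes Stripe's documented `t=...,v1=...` signature header; the secret, event shape, in-memory set and function names are constructed for the example.

```python
import hashlib, hmac, json, threading, time

TOLERANCE_SECONDS = 300          # the 5-minute clock window
_seen = set()                    # stand-in for a unique DB index on (provider, event_id)
_lock = threading.Lock()

def sign(secret: bytes, timestamp: str, payload: bytes) -> str:
    # Stripe signs "<timestamp>.<raw body>" with the endpoint secret.
    return hmac.new(secret, timestamp.encode() + b"." + payload, hashlib.sha256).hexdigest()

def verify_signature(header: str, payload: bytes, secret: bytes, now: float) -> bool:
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    try:
        age = abs(now - int(timestamp))
    except (TypeError, ValueError):
        return False               # missing or malformed timestamp
    if age > TOLERANCE_SECONDS:
        return False               # outside the window: treat as a replay
    expected = sign(secret, timestamp, payload).encode()
    # Constant-time comparison against every v1 value in the header.
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)

def handle_webhook(header, payload, secret, ledger, now=None) -> str:
    now = time.time() if now is None else now
    if not verify_signature(header, payload, secret, now):
        return "rejected"
    event = json.loads(payload)    # parse only after the signature checks out
    key = ("stripe", event["id"])
    with _lock:                    # atomic check-and-mark: a redelivery cannot double-credit
        if key in _seen:
            return "duplicate"
        _seen.add(key)
        ledger[event["account"]] = ledger.get(event["account"], 0) + event["amount"]
    return "credited"

# Constructed sample data (simplified event shape, not Stripe's real schema).
SECRET = b"whsec_constructed_example"
BODY = json.dumps({"id": "evt_constructed_1", "account": "acct_demo", "amount": 500}).encode()
NOW = 1_700_000_000
HEADER = f"t={NOW},v1={sign(SECRET, str(NOW), BODY)}"
```

In a deployed service the set would be a durable uniqueness constraint written in the same transaction as the credit, so the guarantee survives restarts and multiple instances.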
4. Data subject rights
We will assist you in responding to data-subject requests (access, rectification, erasure, portability) within 5 business days of receipt.
5. International transfers
Where personal data is transferred outside the EEA/UK, we rely on the European Commission’s Standard Contractual Clauses and equivalent UK addenda. Sub-processors above have all signed compatible terms.
6. Breach notification
We will notify you without undue delay (and within 72 hours at the latest) of any confirmed personal-data breach affecting your data, with what we know at the time and what we are doing about it.
7. Audits
On reasonable written request (no more than once per year unless legally required), we will provide our most recent SOC 2 / ISO 27001 attestation as available, plus reasonable additional information to verify our compliance with this DPA.
8. Termination
On termination of the underlying service contract, we will delete your personal data within 30 days unless retention is legally required. Backups age out within 90 days.
Contact
Data-protection enquiries: support on Discord.