What we collect
- Email address — for sign-in, receipts, and required service emails.
- Password (hashed) — stored as a scrypt hash with a per-user random salt; we never see the plaintext.
- API key hashes — only the SHA-256 hash of each issued key is stored; we cannot recover plaintext keys.
- Payment intents — internal payment IDs, amounts, and the provider used. Card numbers, PayPal credentials, and crypto addresses are handled by Stripe, PayPal, and Heleket respectively — we never see them.
- Usage logs — per-request entries containing timestamp, model, modality, units consumed, latency, and the masked API key prefix. Used for billing, debugging, and abuse prevention.
- Server-side technical logs — IP address and user-agent on auth events, retained for 30 days for fraud detection.
What we don’t do
- We do not sell, share, or monetise your data.
- We do not use your prompts or completions to train any model.
- We do not run any third-party advertising trackers on the dashboard or app.
Where it lives
All persistent data is stored in Cloudflare R2 (S3-compatible object storage). Encryption at rest is enforced by R2; sensitive at-rest fields are additionally wrapped with AES-256-GCM using our application key. Sub-processors are listed in the DPA.
Your rights
If you are in the EU/EEA, UK, or California, you have the right to access, correct, port, and delete your personal data. Email support on Discord from your registered address and we’ll process it within 30 days.
Cookies
We use exactly one cookie — lmh_session — which is HttpOnly, Secure (in production), SameSite=lax, and required for sign-in. There are no analytics cookies.
Children
LMHaven is not directed at users under 18. If we learn we have collected data from a minor, we delete it.
Changes
Material changes to this policy are announced in the changelog channel at least 14 days before they take effect.
Contact
Privacy questions: support on Discord.