Effective Date: April 19, 2025

Privacy Policy

This Privacy Policy describes how AjaxAI ( "Company," "we," "our," or "us") collects, uses, and discloses information about users of our batch prediction API service for language model providers (the "Service").

1. INFORMATION WE COLLECT

We collect the following types of information:

1.1 Information You Provide to Us

  • Account Information: When you register for an account, we collect your name, email address, and payment information.
  • Google Service Account Information: We collect Google Cloud credentials and permissions necessary to make API calls on your behalf.
  • Communications: If you contact us directly, we may receive additional information about you, such as your name, email address, and the contents of your message.

1.2 Information We Collect Automatically

  • Usage Data: We collect information about your use of our Service, including the number of API calls, token usage, timestamps, and performance metrics.
  • Device Information: We collect information about the device you use to access our Service, including IP address, browser type, operating system, and device identifiers.
  • Cookies and Similar Technologies: We use cookies and similar tracking technologies to collect information about your interaction with our Service.

Google Cloud Permissions

Our Service requires specific Google Cloud permissions to function effectively while maintaining the principle of least privilege:

Storage Object User Role

This permission is essential for our core service functionality, allowing us to:

  • Create, retrieve, and manage the prediction input and output files necessary for batch processing
  • Upload your data to temporary storage before processing
  • Download prediction results after processing
  • Clean up temporary files to maintain your privacy and reduce costs

While this role theoretically permits additional actions like viewing folder metadata, our application is programmatically limited to accessing only the specific objects required for your batch prediction jobs.

AI Platform Batch Prediction Permissions

These permissions are the minimum required to:

  • Create batch prediction jobs using your provided configuration
  • Monitor job status to provide you with progress updates
  • Retrieve results once processing is complete
  • Cancel jobs upon your request to prevent unnecessary resource usage
  • List your current and historical jobs for your reference
  • Delete completed jobs to maintain a clean environment

We implement additional technical safeguards beyond Google's permission system to ensure we access only the specific resources needed for your requested operations. Our application never exercises permissions to view or modify resources unrelated to your batch prediction tasks, even if the role technically allows it.

2. YOUR GOOGLE USER DATA

What Google User Data We Collect

When you authorize AjaxAI to access your Google Cloud Platform (GCP) resources, we collect and store the following limited Google user data:

  • Google Account Email: We store the email address of the Google user who authorized our service to differentiate between multiple authorized users and to provide personalized support.
  • OAuth Credentials: We securely store encrypted OAuth tokens provided by Google to maintain your authorized access to GCP resources. These tokens are always stored in encrypted form and never exposed in plaintext.
  • Session Information: For security purposes, we temporarily store session data during the authorization process to prevent cross-site request forgery (CSRF) attacks.

We explicitly DO NOT collect or store:

  • Personal Google Drive files or content
  • Your Google password
  • Your search history or activity on other Google services
  • Any personal data beyond what is listed above

How We Use Google User Data

AjaxAI uses your Google user data exclusively for the following purposes:

  • Authentication: To verify your identity and maintain secure access to your GCP resources.
  • Service Provision: To make API calls to GCP services on your behalf for batch prediction operations.
  • Billing Authorization: To enable billable operations on your GCP account when you request batch prediction services.
  • User Support: To provide personalized technical support related to your batch prediction jobs.

Google Cloud Permissions We Request

1. Storage Access (devstorage.read_write)

This permission allows us to manage data in your Google Cloud Storage. We implement strict security controls that limit our access exclusively to the specific buckets and objects required for your batch prediction jobs. We never access any storage objects unrelated to your requested operations.

Data Protection Assurance: All data transferred to and from your storage buckets is encrypted in transit using TLS. Our application creates temporary folders with unique identifiers for each job to prevent data leakage between different operations.

2. Cloud Platform Access (cloud-platform)

The cloud-platform scope provides broad access to almost all Google Cloud services in your project. This is a powerful permission that we request because it's necessary for the complete batch prediction workflow. While this permission would technically allow us to access many different services in your Google Cloud project, we commit to using it only for specific Vertex AI operations.

In practice, our application is designed to initialize only the specific API clients needed for batch prediction. We do not and will not use this permission to access unrelated services like Compute Engine, BigQuery, or Cloud SQL, even though the permission would technically allow such access.

We maintain detailed logs of all API calls made using your credentials and provide a transparent dashboard where you can see exactly which services have been accessed and when. This commitment is enforced through our internal policies, regular security audits, and access controls.

Limited Access Assurance: Our application code enforces the principle of least privilege and only accesses the specific resources needed for your requested operations, even though the permission scope is technically broader.

3. Billing Account Access (cloud-billing)

This permission allows us to verify billing status and enable billable operations on your GCP account. When you use AjaxAI, you are authorizing billable events on your Google Cloud Platform account.

Billing Protection Assurance: Our service includes monitoring and alerting systems to prevent unexpected billing charges. We implement safeguards to cancel runaway jobs automatically and provide visibility into resource consumption.

3. HOW WE USE YOUR INFORMATION

We use the information we collect for various purposes, including:

  • Providing, maintaining, and improving our Service
  • Processing transactions and managing your account
  • Making API calls to language model providers on your behalf
  • Communicating with you about your account or our Service
  • Monitoring and analyzing usage patterns and trends
  • Detecting, investigating, and preventing fraudulent transactions and other illegal activities
  • Complying with legal obligations

4. HOW WE SHARE YOUR INFORMATION

4.1 Third-Party Service Providers

We share information with third-party service providers that help us operate and improve our Service, including:

  • Stripe for payment processing
  • OpenReplay for analytics
  • Clerk for authentication
  • Vercel for hosting and development
  • Render for API backend and database hosting
  • RedisCloud for caching and temporary data storage

These service providers are only authorized to use your information as necessary to provide services to us and are required to maintain the confidentiality of your information.

4.2 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of our assets, your information may be transferred as part of that transaction.

4.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

4.4 With Your Consent

We may share your information with third parties when we have your consent to do so.

4.5 Prohibited Uses of Your Data

We are committed to ethical data handling practices. We will NEVER use your data for:

  • Advertising: Your data will never be used for targeted advertising, personalized advertisements, retargeted advertisements, or interest-based advertisements of any kind.
  • Data Sales: We will never sell your data to data brokers, information resellers, or any third parties.
  • Financial Assessment: Your data will never be used for determining credit-worthiness, lending evaluations, or financial profiling.
  • AI Training: We will never use your inputs, prompts, or any other Google user data to train, fine-tune, or improve our own or third-party AI models.
  • Database Creation: We will never compile your data into databases for purposes unrelated to providing our Service.
  • External Research: We will never provide your data to external research organizations without your explicit consent.

Our business model is based solely on providing you with high-quality batch prediction services, not monetizing your data.

5. DATA SECURITY

At AjaxAI, we implement robust security measures to protect your data:

  • Sensitive Data Protection: We take your private data seriously. Sensitive information like system_instructions and prompts are ONLY stored in memory and NEVER written to our permanent database. This in-memory data is automatically purged after twelve hours following job completion, minimizing exposure risk.
  • Credential Security: Your API keys are always encrypted using industry-standard encryption methods in our database. We NEVER store credentials in decoded form, either in permanent storage or during data transmission.
  • Encrypted Transmission: All data transferred between your systems and ours uses TLS encryption to prevent interception.
  • Access Controls: We implement strict role-based access controls, ensuring only authorized personnel can access user data on a need-to-know basis.
  • Regular Security Audits: We conduct periodic security assessments to identify and address potential vulnerabilities.

While we implement reasonable security measures to protect your information from unauthorized access, alteration, disclosure, or destruction, no method of transmission over the Internet or electronic storage is 100% secure, so we cannot guarantee absolute security.

6. OUR GOOGLE DATA HANDLING PRACTICES

At AjaxAI, we're committed to following industry best practices for handling your Google Cloud access credentials and data. Below, we outline our approach to key security aspects:

Practice AreaOur ApproachBenefit to You
Credential StorageAES-256 encryption for stored credentials with secure key managementYour OAuth tokens remain protected even in the unlikely event of a database breach
Permission TransparencyDetailed explanations of each permission scope we request, including specific use casesClear understanding of exactly why each permission is needed and how it will be used
Usage VisibilityAccess logs and dashboard showing credential usageVisibility into when and how your Google Cloud credentials are being used
Access ControlsPolicy-based access limitations and regular access reviewsConsistent application of least-privilege principles to protect your Google account access
Data RetentionClearly defined retention periods with automated data purgingMinimized risk through systematic removal of sensitive data after use
Revocation ProcessStraightforward one-click revocation with confirmationSimple, reliable way to remove access when needed
Security PracticesRegular security reviews of our credential handling proceduresOngoing verification that our security controls remain effective

Our Data Handling Commitments

Permission Usage

While the cloud-platform scope technically allows access to many Google Cloud services, we strictly limit our actual usage to only the specific services required for batch prediction. We do not and will not access:

  • Compute Engine instances
  • BigQuery datasets
  • Cloud SQL databases
  • Cloud Functions
  • IAM settings or other configuration resources

We only use permissions for:

  • Cloud Storage (for input/output files)
  • Vertex AI (for batch prediction jobs)
  • Cloud Billing (for verification only)

Data Processing

We process your data exclusively for performing the batch prediction services you request. We commit to:

  • Never using your data to train our own AI models
  • Never analyzing your data for insights beyond job performance metrics
  • Never sharing your data with third parties

Transparency

We believe you should have visibility into how your credentials are being used. Our dashboard allows you to:

  • See when your credentials were last used
  • Review which Google Cloud services were accessed
  • Understand the purpose of each access event

Our Continuous Improvement Process

We regularly review our security practices against current industry standards. When we identify opportunities to enhance our data protection:

  1. We implement improvements systematically
  2. We communicate significant security enhancements to our users
  3. We update our documentation to reflect our current practices

If you have questions about our data handling practices, please contact security@ajaxai.com.

7. DATA RETENTION

We retain your information for as long as your account is active or as needed to provide you with our Service. We may also retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Data Deletion Policy

We maintain a strict data deletion policy to protect your privacy:

Automatic Deletion

  • In-memory sensitive data (prompts, instructions) is automatically purged 12 hours after job completion
  • Temporary storage objects are deleted immediately after successful job completion
  • Job metadata is retained for billing and troubleshooting purposes for 90 days, then automatically purged

User-Initiated Deletion

  • You may request immediate deletion of your account and associated data at any time
  • Upon receiving a deletion request, we will:
    • Immediately deactivate your account
    • Delete all in-memory data associated with your account within 1 hour
    • Delete all stored metadata within 72 hours
    • Provide confirmation once deletion is complete

To request deletion, email security@ajaxai.com with the subject "Data Deletion Request"

Deletion Verification

  • Upon request, we can provide certification of data deletion for compliance purposes
  • Our deletion processes are logged and auditable

8. YOUR RIGHTS AND CHOICES

Depending on your location, you may have certain rights regarding your personal information, including:

  • Access: You may request access to the personal information we hold about you.
  • Correction: You may request that we correct inaccurate or incomplete information about you.
  • Deletion: You may request that we delete your personal information.
  • Restriction: You may request that we restrict the processing of your information.
  • Data Portability: You may request a copy of the information you have provided to us in a structured, commonly used, and machine-readable format.
  • Objection: You may object to our processing of your information.

To exercise these rights, please contact us at privacy@ajaxai.com.

9. CHILDREN'S PRIVACY

Our Service is not directed to children under the age of 18, and we do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information as quickly as possible.

10. INTERNATIONAL DATA TRANSFERS

AjaxAI is headquartered in the United States, and we process information on servers located in the United States and other countries where we or our service providers operate.

10.1 Our Approach to International Data Transfers

For our own operations, we take the following approach to international data transfers:

  • We implement reasonable measures to protect data when it's transferred across borders.
  • We rely on appropriate legal mechanisms where required by applicable law.
  • We will inform you about the specific measures we implement upon request.

Please note that third-party service providers we use (such as Clerk, Stripe, Google Cloud, Render, RedisCloud, etc.) may have their own data transfer mechanisms and policies. We recommend reviewing their respective privacy policies for information about how they handle international data transfers.

10.2 Your Rights Related to International Transfers

Regardless of where your data is processed, we ensure you can exercise your data protection rights as described in Section 8. If you have questions or concerns about international transfers, please contact us at privacy@ajaxai.com.

By using our Service, you acknowledge that your information may be transferred to countries with different data protection rules than your country of residence.

11. GOOGLE OAUTH PERMISSIONS USED BY AJAXAI

The table below details each Google Cloud permission scope we request, what it allows us to access, how we use it, and the safeguards we implement to protect your data.

openid

What it Allows

Basic authentication capabilities to verify your identity.

How AjaxAI Uses It

To authenticate your Google account and associate it with your AjaxAI account.

What We Don't Use

We don't use this for tracking across websites or services.

Safeguards

  • Authentication tokens are encrypted at rest
  • Sessions expire after inactivity

https://www.googleapis.com/auth/userinfo.email

What it Allows

Access to your Google account email address.

How AjaxAI Uses It

To identify which Google user authorized our application and to provide personalized support.

What We Don't Use

We don't use this to send marketing emails or share your email with third parties.

Safeguards

  • Email addresses are stored in a secure database
  • Access is restricted to essential personnel

https://www.googleapis.com/auth/devstorage.read_write

BROAD ACCESS

What it Allows

Create, read, update, and delete objects in Google Cloud Storage buckets associated with your account.

This includes potential access to all storage buckets in the authorized project.

How AjaxAI Uses It

We use this ONLY to:

  • Upload your input data for batch prediction
  • Create temporary storage for predictions
  • Download prediction results
  • Delete temporary files after processing

What We Don't Use

We do not access:

  • Any storage buckets unrelated to your batch jobs
  • Historical data from previous jobs unless requested
  • Any other objects in your GCP project

Safeguards

  • Job-specific folder paths with randomized IDs
  • Automatic cleanup routines
  • Programmatic restrictions to only access job-related paths
  • Regular access audits

https://www.googleapis.com/auth/cloud-platform

VERY BROAD ACCESS

What it Allows

View and manage all resources across Google Cloud Platform services.

This scope theoretically allows access to virtually all GCP services in your project including Compute, BigQuery, Cloud SQL, and more.

How AjaxAI Uses It

We use this ONLY to:

  • Create and manage Vertex AI batch prediction jobs
  • Monitor job status
  • Handle job failures
  • Retrieve prediction results
  • Access model resources

What We Don't Use

We do not and will not use this broad permission to:

  • Access your Compute Engine instances
  • Query your BigQuery datasets
  • Connect to your Cloud SQL databases
  • Modify your Cloud Functions
  • Change IAM settings

Though the permission technically allows these actions, our internal policies, code design, and audit processes strictly prohibit such access.

Safeguards

  • Our application is designed to only initialize clients for Vertex AI and Storage services
  • Detailed access logging
  • Regular security reviews
  • Transparent usage dashboard
  • Clear internal policies

https://www.googleapis.com/auth/cloud-billing

SENSITIVE ACCESS

What it Allows

View and manage your Google Cloud Platform billing accounts.

This scope theoretically allows viewing billing history and modifying billing account settings.

How AjaxAI Uses It

We use this ONLY to:

  • Verify billing account status before creating billable operations
  • Enable cost allocation for batch prediction jobs
  • Apply appropriate budget controls

What We Don't Use

We do not:

  • View your billing history
  • Change your billing settings
  • Add or remove payment methods
  • Export your billing data

Safeguards

  • Programmatically limited to status verification only
  • No manual access to billing information
  • No persistence of billing account details

Understanding the Broad Nature of cloud-platform Permission

The https://www.googleapis.com/auth/cloud-platform scope is Google's broadest permission scope, and we want to be fully transparent about what this means:

What This Permission Could Theoretically Allow

Without our self-imposed restrictions, this permission scope could theoretically allow an application to:

  1. Access any service in your Google Cloud project
  2. Create, modify, or delete resources
  3. Read data from any accessible database or storage
  4. Deploy or modify code and applications
  5. Change permissions and access controls
  6. View sensitive configuration information

Our Commitment to Limited Use

Despite requesting this broad permission, AjaxAI implements multiple technical and organizational controls to ensure we only use the minimum access required:

  1. Code-Level Restrictions: Our application code only initializes clients for Vertex AI and Cloud Storage services.
  2. API Endpoint Limitations: We programmatically restrict which API endpoints our service can call, even though the permission scope would allow more.
  3. Audit Logging: All API calls made using your credentials are logged and regularly reviewed.
  4. Principle of Least Privilege: Even though we request broad access, our internal systems are designed to use the minimum permissions needed for each specific operation.
  5. Regular Security Reviews: Our access patterns are regularly audited to ensure we're not expanding our use of permissions.

If you have concerns about granting this broad permission, please contact us at security@ajaxai.com for more information about our security practices.

12. CHANGES TO THIS PRIVACY POLICY

We may modify this Privacy Policy to reflect changes in our practices or for legal, regulatory, or operational reasons. If we make material changes:

Advance Notice

We will notify you at least 30 days before the changes take effect via:

  • Email to the address associated with your account
  • Prominent notice on our website
  • In-app notification in our dashboard

Change Summary

Our notification will include a summary of significant changes and their potential impact on your privacy.

Previous Versions

We will maintain an archive of previous privacy policies accessible at ajaxai.com/privacy/archive for your reference.

Consent Options

For significant changes that materially affect how we handle your data, we will request your affirmative consent before applying these changes to your account.

Opt-Out Rights

If you do not agree with material changes, you will have the option to close your account and request data deletion before the new terms take effect.

Your continued use of our Service after the effective date of any modified Privacy Policy constitutes your acceptance of such modifications.

13. CONTACT US

If you have any questions about this Privacy Policy, please contact us at privacy@ajaxai.com. For data deletion requests or security concerns, please email security@ajaxai.com.