Privacy Policy — Amperes

Effective 2026-05-25 · Version 1.0 · Stub pending counsel review

What this document is. A working draft of how Amperes AI Inc. (“Amperes”, “we”) handles data on behalf of the people and organizations using our service. This stub will be replaced with a counsel-reviewed version before any production customer signs a master agreement. For the currently-effective signed version of this policy, book a 15-minute call.

1. Who we are

Amperes AI Inc. is a Delaware corporation operating a control-plane proxy for large language model inference. To reach us, book a 15-minute call. All references in this policy to “we”, “us”, or “our” mean Amperes AI Inc.

2. The two kinds of data we handle

The service touches two very different categories of data, and we treat them differently:

2.1 Customer Data (your prompts and your traffic)

When you send a request through the Amperes proxy, the prompt and any tool outputs pass through our infrastructure on the way to your selected upstream provider (OpenAI, Anthropic, AWS Bedrock, etc.). By default we store only a SHA-256 hash of the prompt plus routing metadata (classification result, model chosen, tokens billed, latency, cost). Full prompt text is never persisted unless you explicitly opt in via customer_config.store_full_prompts = true, in which case we retain the first 500 characters in a prompt_preview field for debugging purposes only.

2.2 Account Data (you and your team)

Your business email, name, organization name, billing address, and the bcrypt hashes of your API keys. We also retain audit-log entries for governance and security investigations (admin actions, key rotations, login events).

3. How we use Customer Data

Operating the service. Classify your prompt, score candidate models, forward the request to the chosen upstream, return the response. This is the core function and the data is in-flight only.
Routing improvements. Hashed prompts and outcome metadata feed the per-customer EWMA scorer that learns which models work best for your traffic. The raw prompts never leave the in-flight path.
Drift and anomaly detection. Aggregated metrics (latency, error rate, quality samples) per (provider, model) power the silent-degradation detector. We never share customer prompts in this signal — only the hash and the outcome stats.
Eval and benchmark. A configurable sample of your live traffic (default 0% — strictly opt-in) is re-run against a baseline model and pairwise-judged so you can verify that routing decisions are quality-preserving. You control the sample rate.
Customer support. If you ask us to look at a request by ID, we will surface the routing decision and metadata for that request_id. We do not browse customer traffic without an explicit request from the customer.

4. How we use Account Data

Authenticating API requests via the bcrypt-hashed API key.
Sending you operational email (incidents, scheduled maintenance, security advisories).
Billing and renewal communications under your commercial agreement.
Investigating fraud, abuse, or breach of the Terms of Service.

We do not use Account Data for marketing without your separate opt-in. We do not sell Account Data. We do not share it with third parties except the subprocessors listed in Section 7.

5. Legal bases (GDPR, where applicable)

Performance of a contract — to deliver the routing, governance, and audit features you are paying for.
Legitimate interest — operating the service securely, detecting fraud, preventing abuse, improving accuracy of the routing decisions.
Legal obligation — to respond to lawful requests from government authorities in the jurisdictions where we operate.
Consent — for any optional feature that requires more than the default data handling (e.g. store_full_prompts, live quality sampling above 0%).

6. How long we keep data

Routing decisions and metadata — retained per customer_config.log_retention_days. Default: 90 days. You can shorten this to as low as 1 day or extend up to 7 years for regulated workloads. Anything past the retention window is deleted from primary storage on a daily sweep.
Hashed prompts — same retention as routing decisions.
Full prompt previews (only if opted in) — same retention as routing decisions.
Audit logs — append-only, retained for the contract term plus 90 days, then deleted (or exported to your S3 bucket on the cadence you configured).
Account Data — retained while your account is active and for 12 months after termination to handle disputes, then deleted.
Backups — encrypted SQLite/Postgres snapshots are retained for 30 days, then purged. Backups follow the same retention as primary storage with a maximum 30-day lag.

7. Subprocessors

To operate the service we use the following subprocessors. Each handles a specific function and is bound by a data processing agreement.

Subprocessor	Purpose	Region
Amazon Web Services	Infrastructure hosting (EC2, RDS, S3, CloudWatch, Route53), Bedrock model invocation when selected by the router	us-east-2 (primary), customer-elected region for in-VPC deploys
OpenAI	GPT-family model invocation when selected by the router, embeddings for the complexity classifier	United States
Anthropic	Claude model invocation when selected by the router	United States
Google Cloud (Gemini)	Pairwise eval judge (cross-family — never used for live routing)	United States
GitHub (Microsoft)	Source code hosting	United States
Stripe	Payment processing (only when applicable)	United States

Your allowed_providers setting controls which of OpenAI, Anthropic, Google, and Bedrock the router can use for your traffic. If you set allowed_providers = [bedrock] we will not send your data to OpenAI or Anthropic directly, even though those subprocessor relationships exist for other customers. We will give you 30 days notice via email before adding a new subprocessor.

8. International transfers

The default Amperes deployment runs in AWS us-east-2 (Ohio). Data transfers from outside the United States are governed by the EU Standard Contractual Clauses (SCCs, Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum, both incorporated into our Data Processing Addendum at /dpa. For EU-resident data we offer an in-region deployment in eu-west-1 (Ireland) under our enterprise tier — talk to us.

9. Security

We follow industry-standard practices, not yet formally certified. SOC 2 Type I is in progress (target 2026 Q3). For the current state:

In transit — TLS 1.2+ on every customer-facing endpoint. No plaintext API. Mutual TLS available for in-VPC deployments.
At rest — AWS-managed encryption (AES-256) on EBS volumes, S3 buckets, RDS instances, and SQLite snapshots.
Access controls — IAM with least-privilege, MFA enforced on all administrative accounts, no shared credentials.
API key handling — bcrypt-hashed at rest, no plaintext logs, rotatable per-customer.
Audit logging — every administrative action, every routing decision, every governance event is logged to an append-only table.
Vulnerability management — dependencies pinned in pyproject.toml, Dependabot scanning enabled, production patching within 14 days for high-severity CVEs.
Penetration testing — annual third-party assessment (planned 2026 Q4 — not yet completed).

In the event of a security incident affecting your data, we will notify you within 72 hours of confirming the incident, per Section 6 of our Data Processing Addendum. To report a suspected incident, book an urgent call and we will set up a secure channel.

10. Your rights

Depending on your jurisdiction, you have the right to access, correct, delete, port, restrict, or object to the processing of your personal data. In particular:

Access & portability — request a JSON dump of your Customer Data and Account Data by booking a call. We respond within 30 days.
Correction — update account information from the dashboard or by booking a call.
Deletion — request deletion of your account and all associated data. We delete within 30 days, with the exception of audit-log entries required by Section 6 (which are deleted on their normal cadence).
Restriction & objection — ask us to stop processing data for a specific purpose. We honor this where it is compatible with the Terms of Service.
Complaint — you may lodge a complaint with the supervisory authority in your jurisdiction. We will not retaliate.

US residents under the California Consumer Privacy Act, Colorado, Virginia, Connecticut, and Utah privacy acts have substantively similar rights — same contact, same response window.

11. Children

Amperes is a B2B service. We do not knowingly collect data from anyone under 16 years of age. If you believe we have inadvertently collected such data, contact us and we will delete it.

12. Cookies and tracking on amperes.pro

The marketing site at amperes.pro uses no third-party analytics, no advertising trackers, and no cookies that are not strictly necessary for delivering the page. The product dashboard at dashboard.amperes.pro uses a single session cookie issued by Streamlit for authentication state — no cross-site tracking, no advertising integration.

13. Changes to this policy

Material changes will be announced via email to your account's primary contact at least 30 days before they take effect. Non-material changes (typo fixes, clarifications) are reflected in the version stamp at the top of this page. The previous version remains accessible on our GitHub mirror.

14. Contact

Amperes AI Inc.
All inquiries — book a 15-minute call. Privacy requests, security reports, data-subject access requests, and general questions are all handled through the same intake — we route internally based on what you're asking about.

Privacy Policy.