
Privacy & data handling

What ToRouter logs, what it forwards upstream, and how to delete your data.

A short, factual page on how ToRouter handles your data. For binding legal language, see the Terms of Service.

What we store

ToRouter logs request metadata for billing and observability:

  • Time, model, endpoint path, HTTP status
  • Token usage (input / output / cache hits)
  • Latency, retry count, which upstream path served the request
  • Minimal identifiers for billing and troubleshooting (not message bodies)
  • Cost (USD or CNY) for the request

ToRouter does not persist prompt or completion bodies by default. The gateway is a streaming forwarder — request and response bodies pass through memory and are not written to the request log.

Where data lives

  • Durable storage — the request summary listed above, kept for billing and usage analytics.
  • Short-lived cache — temporary data such as rate-limit counters and idempotency guards.
  • Object storage — only if you upload attachments via the images / files flows, retained per the bucket policy.

Data is hosted in the region you signed up under. We do not replicate data across regions.

What goes upstream

When you call a model, your request body is forwarded to the upstream provider that serves it: OpenAI, Anthropic, Google, DeepSeek, Qwen, Moonshot, MiniMax, OpenRouter, etc. Their privacy and data-retention policies apply to that copy. ToRouter does not strip, rewrite, or store the body in the process.

If you need zero-retention guarantees on the upstream side, choose models / accounts that explicitly offer that (e.g. enterprise OpenAI accounts with the zero-retention flag). The fact that ToRouter doesn't store the body doesn't change the upstream's policy.

Authentication & secrets

  • API keys are stored hashed at rest. You see the plaintext once at creation.
  • OAuth tokens for upstream providers are encrypted at rest with a per-deployment key.
  • All API traffic uses TLS.

Deleting your data

  • Rotate a key — /keys → revoke. Historical usage logs remain (for your own records and for billing). Future requests with that key will fail with INVALID_API_KEY.
  • Delete a key's logs — currently not exposed in the UI; contact support.
  • Delete your account — Settings → Account → Delete account. This removes keys, subscriptions, and personal data. Anonymised aggregate billing records are retained for accounting purposes as required by law.

Reporting a security issue

Email security@torouter.ai for vulnerability reports. Don't open public GitHub issues with reproduction details.

Next steps

Terms of service

The binding legal terms.

Production best practices

Key rotation, IP allowlists, spending caps.

Account setup

Email verification, 2FA, account hygiene.
