Perchy
Sign inConsole
Legal

Privacy Policy

Effective May 1, 2026

This policy describes the personal data Perchy, Inc. ("Perchy") collects, why we collect it, and how we handle it. It applies to perchy.ai, api.perchy.ai, the customer console, and the host CLI.

1. Who this applies to

This policy applies to (a) developers and businesses using the Services ("Customers"), (b) GPU hosts who connect compute to the marketplace, and (c) end users of Customers' applications whose data may pass through the Services ("End Users"). For End Users, the Customer is the controller of the personal data; Perchy is a processor.

2. Data we collect

Account data

Email address, display name, organization, payment method tokens (Stripe), API key metadata (name, prefix, hash, creation time, last-used time), and security events.

Usage and request data

For each request: model id, lane parameters, request and response sizes, token counts, latency, host region, error codes, IP address, and a tracing id. We store request and response bodies only when required for debugging, and only for the retention windows in §6.

Telemetry

Anonymous web telemetry on perchy.ai (page views, performance metrics) collected with first-party cookies and a privacy-respecting analytics provider. See Cookie Notice.

Host data

For hosts: hardware fingerprint, software version, region, assigned positions, occupancy minutes, and Stripe Connect account metadata required for payouts.

3. How we use data

  • Provide, maintain, and secure the Services and route requests.
  • Bill, accept payment, prevent fraud, and pay hosts.
  • Detect abuse, debug failures, and respond to support requests.
  • Comply with legal obligations and enforce our terms.
  • Send transactional notices (security, billing). Marketing email is opt-in only and includes a one-click unsubscribe.

4. Model training and data minimization

We do not train foundation models on your prompts or outputs. We do not sell your data. Where third-party providers route through Perchy, we use their enterprise endpoints with training disabled where available, and we pass through any provider-specific data-handling commitments.

Premium customers can enable zero-retention mode, in which request and response bodies are not persisted at all. Aggregated, non-identifying metrics (token counts, latency, error rates) are still collected to operate the Services.

5. Sharing and subprocessors

We share data only with vendors who help us deliver the Services under written agreements that meet GDPR Article 28 standards. The current list is published at /legal/subprocessors.

We may disclose data when required by law (subpoena, court order, lawful regulatory request). Where legally permitted, we will notify you before disclosure so you can seek a protective order.

6. Retention

  • Account records: for the life of the account plus seven years for tax records.
  • Request bodies and responses: 30 days, unless zero-retention is enabled.
  • Operational metrics: 13 months (rolling).
  • Security logs: 12 months.
  • Backups: 30 days, encrypted at rest.

7. Security

We use TLS 1.3 in transit and AES-256 at rest. API keys are stored as one-way hashes. Production access is limited to named personnel via SSO with hardware-backed MFA, and access is logged. We test our defenses continuously and engage independent assessors. See the Security Overview for our full posture.

8. International transfers

Perchy is headquartered in the United States. When we transfer personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and the Swiss data protection laws as applicable. A Data Processing Addendum is available at /legal/dpa.

9. Your rights

Depending on where you live you may have rights to:

  • Access, correct, port, or delete your personal data.
  • Object to or restrict certain processing.
  • Withdraw consent for processing where consent is the legal basis.
  • Lodge a complaint with your local data protection authority. EU/EEA users may also contact our EU representative listed in §12.

Submit requests at privacy@perchy.ai. We respond within 30 days and may extend up to 60 days for complex requests. We do not discriminate against you for exercising your rights.

California residents

We do not sell or share personal information for cross-context behavioral advertising. California residents have the rights described above under the CCPA/CPRA. Use the same email above to submit verifiable consumer requests.

10. Children

The Services are not directed to children under 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If we learn that we have, we will delete it promptly.

11. Changes to this policy

We will post material changes at least 15 days before they take effect, with an updated effective date.

12. Contact

Questions, requests, or complaints: privacy@perchy.ai. Postal: Perchy, Inc., Attn: Privacy, 548 Market St, PMB 38421, San Francisco, CA 94104, USA. Our EU representative under GDPR Article 27 is listed in our DPA.