Privacy Policy
Umbra's whole reason to exist is privacy. Your prompts and the model's responses are never logged, never written to disk, and never stored — not by us, and not by the machine owner running the model. This policy explains that guarantee and the limited account data we do keep to run the service.
1. Your prompts and outputs are never retained
When you send a request, it travels encrypted to a provider machine, is decrypted in memory only, used to generate a response, and then zeroized. The content is never persisted to a disk, a log, a database, or an analytics pipeline at any point.
- Our coordinator does not store prompt or response content.
- The person who owns the provider machine cannot read your prompts — the design assumes the machine owner is adversarial and prevents access through hardware attestation, not a promise.
- Because we never keep your prompts or outputs, we cannot produce, sell, share, or hand them over — there is nothing to produce.
2. What we do collect
To operate accounts, metering, and credit, we keep a minimal record:
- Account — your email address (and display name, if you provide one). Sign-in is handled by our authentication provider, WorkOS; if you use Google, GitHub, or email + password, WorkOS processes those credentials and we never see your password.
- API keys — we show a key's secret once at creation and store only a one-way hash of it.
- Usage metering — content-free counts only: the number of requests, input/output token counts, the model used, and the computed cost. No prompt or response text.
- Wallet — your credit balance and a ledger of credits and debits (amounts, model, token counts — again, no content).
- Operational metadata — request metadata such as IP address and timestamps may be processed transiently for rate-limiting and abuse prevention, and by our infrastructure providers. We do not use it to build advertising or behavioral profiles.
3. Cookies and local storage
- A session token (in your browser's local storage) so you stay signed in.
- An authentication session cookie set by WorkOS.
- Interface preferences (your light/dark theme; whether you dismissed the alpha notice).
We use no advertising and no third-party tracking cookies.
4. Service providers
We rely on a small set of processors, each for a specific function:
- WorkOS — authentication and sign-in.
- Cloudflare — website hosting, content delivery, and the outbound network tunnel to our backend.
- Google Cloud Platform — backend compute (a confidential virtual machine) and durable storage of the account, wallet, and key data described in Section 2 (United States region).
- Hugging Face — providers download public, open-weight model files using their own Hugging Face credentials; this does not involve your data.
5. Confidential computing and attestation
Our coordinator runs inside an AMD SEV-SNP confidential VM, and provider hardware is verified through platform attestation. These are the technical mechanisms that keep your prompts private in transit and on the provider machine. You can inspect the live attestation yourself from the console.
6. Where your data is processed
Account and service data is processed in the United States (Google Cloud, us-central1) and via Cloudflare's global edge network. If you use Umbra from outside the US, you consent to processing in the US.
7. Retention
- Prompts and outputs: not retained — ever.
- Account, wallet, and key data: retained while your account is active.
- Umbra is in an experimental alpha; data may occasionally be reset during this period, though we aim to preserve account data.
8. Your choices and rights
You can stop using Umbra at any time and request deletion of your account data by contacting us (self-service account deletion is not yet available during the alpha). Depending on where you live, you may have rights to access, correct, export, or delete your personal data — contact us to exercise them.
9. Children
Umbra is not directed to, and may not be used by, anyone under 18. We do not knowingly collect data from children.
10. Security
We hash credentials and API keys, encrypt data in transit, and run the backend in a confidential VM. No system is perfectly secure, and Umbra is an early-stage alpha service — please keep that in mind.
11. Changes
We may update this policy as the service evolves; the "Last updated" date above reflects the latest version. Material changes will be surfaced in the product.
12. Contact
Questions about privacy? Reach us at [email protected].