Privacy Policy

Last updated: April 2, 2026

Overview

Kestrel ("we", "us", "our") operates the usekestrel.io website and the Kestrel API service. This policy explains how we collect, use, and protect your information.

Information We Collect

Account information: When you sign up, we collect your email address and name via GitHub or Google OAuth. We do not store your OAuth passwords.

Provider API keys: When you create a Kestrel API key, you provide your LLM provider API keys (OpenAI, Anthropic, etc.). These are encrypted at rest using AES-256 encryption and are only decrypted in memory to forward your requests.

Usage data: We record metadata about each API request: model requested, model used, token counts, and costs. This data powers your analytics dashboard and our billing.

Waitlist: If you join our waitlist, we collect your email address.

Information We Do NOT Collect

• We do not log, store, or read your prompt content or model responses
• We do not use your data to train any models
• We do not sell your data to third parties

How We Use Your Information

• To provide the Kestrel routing and caching service
• To calculate your usage, savings, and billing
• To display analytics on your dashboard
• To send you transactional emails (key creation, billing)
• To improve our routing algorithms using aggregate, anonymized usage patterns

Data Storage and Security

• Provider API keys are encrypted at rest with AES-256 (Fernet)
• All traffic is encrypted in transit via TLS/HTTPS
• Data is stored in managed PostgreSQL and Redis instances
• Semantic cache data is stored in Qdrant with per-customer isolation
• We use Railway (infrastructure), Vercel (frontend), and Qdrant Cloud (cache) as service providers

Third-Party Services

We use the following third-party services to operate Kestrel:

• Stripe — payment processing
• Resend — transactional email
• Railway — infrastructure hosting
• Vercel — frontend hosting
• Qdrant Cloud — vector database for semantic cache
• GitHub / Google — OAuth authentication

Data Retention

Usage records are retained for the duration of your account. Cached responses expire based on your configured TTL (default 24 hours). If you delete your account, we will delete your data within 30 days.

Your Rights

• You can revoke any API key instantly from the dashboard
• You can request export of your usage data (CSV export on dashboard)
• You can request deletion of your account and data by emailing us

Cookies

We use a single session cookie (kestrel_session) for dashboard authentication. We do not use tracking cookies or analytics cookies on the landing page.

Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email or a notice on our website.

Contact

If you have questions about this privacy policy, contact us at support@usekestrel.io.