Hlias Staurou, an individual operating from Athens, Greece, is the data controller for personal data processed through the AetherCode Coder API (the "Service").
Contact: hliasstaurou@gmail.com
This Policy explains what data we process, why, on what legal basis, how long we retain it, and your rights under the EU General Data Protection Regulation (GDPR) and Greek Law 4624/2019.
This Policy applies to personal data processed when you:
It does NOT cover data processed by RapidAPI (which handles account registration, authentication, billing, and payment). RapidAPI is a separate data controller with its own privacy policy at rapidapi.com/privacy.
Input: The text of prompts you submit ("messages"), your chosen parameters (model, temperature, max_tokens, etc.), and HTTP headers attached by RapidAPI or by you directly. Prompts may contain personal data if you choose to include it; we ask that you do not submit third-party personal data without a legal basis.
Output: The code and text returned by upstream language-model providers in response to your Input, plus internal metadata such as verification gate results, heal attempts, and timing.
| Purpose | Data used | GDPR legal basis |
|---|---|---|
| Generate and return code in response to your prompt | Input, parameters, headers | Contract performance (Art. 6(1)(b)) |
| Bill you per request (via RapidAPI) | Consumer ID, request count, plan | Contract performance (Art. 6(1)(b)) |
| Operate the ATLAS verifier and HYDRA healer on output | Output (transient) | Contract performance (Art. 6(1)(b)) |
| Detect abuse, rate-limit violations, fraud | Metadata, counts, request patterns | Legitimate interest (Art. 6(1)(f)) |
| Respond to your support emails | Email content, email address | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | As required | Legal obligation (Art. 6(1)(c)) |

| Data | Retention | Where |
|---|---|---|
| Prompt content (Input) | Not persistently stored beyond request lifetime | RAM only |
| Generated code (Output) | Not persistently stored beyond request lifetime (except truncated excerpt in observability trace, 30 days) | Langfuse |
| Metering events (metadata only, no prompt content) | 90 days | Origin server (JSONL) |
| Observability traces (hashed/truncated content) | 30 days | Langfuse |
| Cloudflare edge logs | Per Cloudflare policy | Cloudflare |
| Support emails | 24 months | Email provider |
We retain aggregated, non-identifying statistics (e.g., total monthly requests per provider) indefinitely for capacity planning.
To deliver the Service, we share data with the following processors. Data transferred outside the European Economic Area (EEA) is protected by Standard Contractual Clauses, adequacy decisions, or equivalent safeguards under GDPR Chapter V.
| Processor | Role | Location | What is shared |
|---|---|---|---|
| Cloudflare, Inc. | Edge/CDN, Worker hosting, KV store | Global edge (EU nodes used for EU traffic) | Full request/response, metadata |
| Hetzner Online GmbH | Server hosting (Frankfurt, Germany) | Germany (EEA) | Full request/response, metadata |
| DeepSeek | LLM inference | China | Prompt content, generated code |
| Google (Gemini API) | LLM inference | United States / EU regional | Prompt content, generated code |
| Moonshot AI (Kimi) | LLM inference | China | Prompt content, generated code |
| OpenRouter | LLM inference routing | United States | Prompt content, generated code |
| Langfuse (self-hosted) | Observability | Germany (our server) | Hashed/truncated metadata |
| RapidAPI (Nokia Inc.) | Marketplace, auth, billing | United States | Account data, usage counts |
Important: If you do not want your prompts transmitted to providers outside the EEA (e.g., DeepSeek in China or OpenRouter in the US), do not submit sensitive personal data through the Service. We select the upstream provider automatically based on availability, cost, and quality routing; you cannot currently pin a specific provider.
If you are located in the EU or UK, you have the following rights:
To exercise any of these rights, email hliasstaurou@gmail.com. We respond within 30 days.
We apply the following technical and organizational measures:
No system is perfectly secure. In the event of a personal data breach affecting EU residents and posing a risk to their rights, we will notify the Hellenic DPA within 72 hours as required by GDPR Art. 33.
The Service is intended for developers aged 18 or older. We do not knowingly collect data from children under 16. If you believe a minor has submitted data, contact us and we will delete it.
The Service does not make decisions producing legal or similarly significant effects on you within the meaning of GDPR Art. 22. Automated routing, verification, and healing are operational functions, not decisions about your person.
We may update this Policy. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced at least 30 days in advance by updating this page and, where feasible, via the API listing on RapidAPI.
Questions, complaints, or data-subject requests: hliasstaurou@gmail.com
Data Controller: Hlias Staurou, Athens, Greece