Data handling and privacy

We run a routing and metering layer between you and the suppliers who serve your inference. This page covers what passes through, what we store, and what we do not.

Zero data retention

We do not store your prompts or completions. Your requests pass through our routing layer and are served by qualifying suppliers. Neither we nor our suppliers retain the content of your requests or responses. Your data is not used for training, fine-tuning, or any purpose beyond serving the request in front of it.

This applies to every live instrument and to both API surfaces: the Consumption API at https://api.thegrid.ai/v1 and the Anthropic Messages beta at https://messages-beta.api.thegrid.ai/v1. It is the default, not a paid tier or an optional setting.

ZDR covers inference content, not the operational metadata we need to bill, route, and resolve disputes. That data is described next.

We don't retain any inference content

We retain the operational data needed to bill, route, and resolve disputes:

• Retained: timestamps, the instrument used, which supplier served your request, token counts (input and output), time to first token, throughput, error codes, the trade and unit your tokens were drawn from, every order you placed and trade executed on the order book, and account metadata (email, API key hashes, Stripe customer ID, account settings, mode preference).

• Not retained: prompt content, completion content, message history, files or images in requests, and any application-level data in the request or response body.

Payment processing

Stripe handles all payment processing, credit storage, and card management. When you add a payment method or load credits, the transaction goes through Stripe. We hold a reference to your Stripe customer record, not your card number, expiry, or CVC. We do not custody user funds and are not in scope for PCI obligations beyond what Stripe's integration model already covers.

For invoices, billing history, or refunds, check your dashboard or contact support@thegrid.ai.

API key management

You generate and manage API keys at app.thegrid.ai/profile/api-keys. Keys are scoped to your account and revocable from the dashboard at any time. Each key is displayed once at creation, so store it somewhere your team can recover it. We store only a hash, not the key itself. A lost key can be revoked and replaced, not retrieved.

If a key is compromised, revoke it and create a new one. Revocation invalidates the key for both the Consumption API and the Trading API.

The Trading API uses a separate model. Every request is signed with an Ed25519 keypair. You generate the keypair locally, register the public key with us, and sign each request with the private key. The signed payload is the concatenation of the timestamp, HTTP method, request path, and request body. Your private key never leaves your environment.

Additional questions

SOC 2 Type II audit is in progress; the current attestation is available on request via support@thegrid.ai. Other compliance documentation, including DPAs, subprocessor lists, data residency commitments, and breach notification SLAs, is handled case by case. Reach out to support@thegrid.ai with the specific framework or requirement.