Edgee Privacy Policy

At Edgee, protecting personal data and ensuring transparency in our processing practices is central to how we build the Edgee Agent Gateway. This Privacy Policy outlines how Edgee Cloud SAS and its U.S. entity Edgee Corporation ("Edgee", "we", "us", or "our") collect, process, and protect personal information in connection with our services.

1. Scope of this Policy

This policy applies to the processing of personal information in the following contexts:

• Customers and Authorized Users: Individuals and organizations who use the Edgee Agent Gateway and manage their organizations, API keys, and configuration via the Edgee console (e.g., developers, engineers, administrators).
• Website Visitors: Individuals who visit our public-facing websites (e.g. edgee.ai).
• Traffic processed on behalf of customers: Prompts and completions transiting the Gateway between coding agents or customer applications and LLM Providers. This processing is governed by our Data Processing Addendum (DPA).

This policy does not apply to our customers' own applications, websites, or services, even when their LLM traffic transits the Edgee Gateway. Customers are solely responsible for implementing their own privacy policies and ensuring compliance with applicable laws when using Edgee's services in connection with their own users.

Edgee's platform and services are not intended for, nor directed toward, individuals under the age of eighteen. We do not knowingly collect or process personal data from minors. If we become aware that such information has been collected, we will delete it without delay.

As Edgee functions as a gateway between coding agents or applications and LLM Providers, certain network records (such as IP addresses) may reflect Edgee infrastructure. Edgee acts solely as a conduit for content and requests controlled by our customers, who remain responsible for the nature and legality of any data transmitted through our platform.

2. What Information We Process

We distinguish between data Edgee processes on behalf of customers (as a processor) and data processed for our own operational purposes (as a controller).

2.1. Data Processed on Behalf of Our Customers

When operating the Gateway, Edgee transmits, routes, and operates on the traffic that customers choose to send through it. Edgee does not actively collect, identify, profile, or track natural persons. The data processed can include:

• Prompt Data and Completion Data (the content sent to and returned by LLM Providers), treated as opaque payload. It is processed in-memory only and is not stored by Edgee, unless the customer expressly enables debug mode (disabled by default, see Section 7 for retention).
• Customer-provided credentials (e.g., LLM Provider API keys used by the Gateway on the customer's behalf), stored encrypted.
• Request and session identifiers generated or supplied by the customer for routing, debugging, and observability purposes.
• Usage and operational metadata (e.g., token counts, model used, latency, timestamps, request/response sizes, error codes, retry and fallback events).
• Network and client metadata (e.g., source IP address with optional truncation, user agent or client identifiers, source application identifiers).
• Configuration data (e.g., routing rules, compression settings, fallback policies, observability settings).

Prompt Data and Completion Data may incidentally contain personal data placed there by the customer or its users. Edgee does not identify or track such individuals and treats this content as opaque payload. The customer is solely responsible for the content of prompts submitted through the Gateway. This processing is governed by the Edgee DPA.

2.2. Data Processed for Our Own Operations

We may process the following limited personal data:

• Account registration data (e.g., name, email, company, authentication identifiers)
• Service usage logs (for support, billing, security, and service improvement)
• Billing data (processed through our payment provider, Stripe)
• Communication data (e.g., email correspondence, support tickets)

3. Legal Basis for Processing

Our processing of personal information is based on the following legal grounds:

• Contractual necessity: When processing is required to fulfill our obligations under a contract, such as account provisioning, gateway operation, billing, and support.
• Legitimate interest: For purposes like fraud prevention, abuse detection, service improvement, and ensuring platform security, provided such interests are not overridden by data subject rights.
• Consent: When required, such as for optional communications or optional cookies on our websites.

When Edgee processes data on its own behalf (as a data controller), we determine and document the applicable legal basis for each processing activity.

However, when Edgee processes data on behalf of its customers (as a data processor), in particular the Prompt Data and Completion Data transiting the Gateway, the customer is the data controller. This means our customers are solely responsible for:

• Selecting a valid legal basis for any personal data contained in the prompts they submit through the Gateway;
• Choosing which LLM Providers receive their traffic and reviewing those providers' terms;
• Configuring Edgee's settings (e.g., debug mode, data residency, privacy controls) in a way that is compliant with their local laws and obligations.

Edgee provides privacy-preserving technical options, but does not make legal determinations on behalf of customers. Improper use or misconfiguration may result in processing that does not meet regulatory requirements.

4. How We Use the Information

We use personal data for specific, clearly defined purposes, depending on whether we are acting as a controller or a processor.

When Edgee Acts as a Processor (on behalf of Customers):

We process Gateway traffic exclusively for the purposes defined and controlled by our customers, such as:

• Routing LLM requests to the LLM Providers designated by the customer's configuration
• Applying token compression and prompt optimization when enabled by the customer
• Enforcing reliability features (retries, fallback, rerouting, rate limiting)
• Providing observability, usage reporting, and cost tracking based on operational metadata only
• Temporarily storing debugged prompts and completions where the customer expressly enables debug mode

We never use customer prompts, completions, or usage metadata to train or fine-tune any model, and never use Gateway traffic for our own purposes beyond service provision.

When Edgee Acts as a Controller (for its own operations):

We process data in order to:

• Provide, maintain, and optimize Edgee services
• Monitor platform performance and usage
• Prevent fraud, abuse, and ensure service security
• Provide support, communicate with customers, and administer accounts

Edgee does not:

• Use personal data for advertising, behavioral profiling, or commercial monetization
• Sell or rent personal data to third parties

All processing activities are limited to what is necessary, proportionate, and aligned with applicable data protection regulations.

5. Data Sharing

We may share data with:

• Sub-processors strictly required to operate the platform (e.g., infrastructure providers)
• LLM Providers selected by the customer through Gateway configuration, which receive the prompts routed to them and process them under their own data processing terms
• Stripe, our payment provider, for billing purposes

Edgee currently engages the following infrastructure subprocessors to help deliver its services:

• AWS (Amazon Web Services): Infrastructure hosting and computing
• Google Cloud Platform: Infrastructure and storage services
• Fastly: Edge delivery infrastructure
• Vercel: Front-end hosting and deployment platform
• ClickHouse: Analytics-oriented database

We ensure each subprocessor is subject to strict data protection obligations through appropriate contractual safeguards. For updates or detailed documentation, please visit our Trust Center.

6. International Data Transfers

Operational data (logs, usage metadata, configuration) is processed and stored within the European Union by default. Where international transfers are necessary, for example, when a customer routes traffic to LLM Providers located outside the EU/EEA, or when a subprocessor operates outside the EU, we rely on:

• Standard Contractual Clauses (SCCs): Contractual provisions approved by the European Commission that ensure adequate data protection safeguards. These SCCs are available to our customers and their data protection officers upon request.
• Adequacy decisions: Where the European Commission has determined that a non-EU country ensures an adequate level of data protection (e.g., the UK, Switzerland, or under the EU-U.S. Data Privacy Framework), we may rely on that status to facilitate compliant transfers.
• Organizational and technical safeguards: These include encryption of personal data in transit and at rest, strict access controls, tenant isolation, and robust auditing policies. For a more detailed overview of our security measures, please refer to our Trust Center.

7. Data Retention

We retain personal data only as long as necessary:

• Prompts and completions (default): not stored by Edgee; processed in-memory only for the time strictly necessary to route the request and return the response
• Prompts and completions (debug mode enabled by the customer): retained for up to 30 days, then automatically deleted
• Usage and operational metadata (e.g., token counts, latency, model used, request identifiers, error codes): retained for up to 25 months
• Account and billing records: for the duration of the customer relationship, plus legal retention obligations

8. Your Rights

Depending on your location, you may have the right to:

• Access, rectify, or erase your data
• Object to processing or request restriction
• Data portability
• Lodge a complaint with a data protection authority

Requests can be submitted to: privacy@edgee.ai

If your personal data was included in a prompt submitted by an Edgee customer, please contact that customer directly: Edgee acts as a data processor and generally cannot identify the individuals whose data may be incidentally contained in Gateway traffic. However, if you submit a rights request to Edgee and we can reasonably identify the associated customer, we will forward your request to the relevant data controller, where appropriate. In all cases, the primary responsibility for handling data subject rights rests with the Edgee customer acting as data controller.

9. Security Measures

Edgee employs a comprehensive set of security controls to ensure the confidentiality, integrity, and availability of personal data processed through our platform. Our security program is aligned with industry best practices and SOC 2 Type II requirements.

• Encryption: TLS 1.2 or higher for data in transit; AES-256 for data at rest.
• No prompt storage by default: Prompts and completions are not stored unless the customer expressly enables debug mode.
• Credential protection: Customer-provided API keys and credentials are stored encrypted and isolated.
• Access controls: All system access is role-based, logged, and tightly scoped to least privilege, with isolated tenant processing.
• Auditing and monitoring: We maintain audit trails, run regular vulnerability testing and dependency scanning, and operate incident response procedures.

For a detailed breakdown of our technical and organizational measures, please refer to our Trust Center.

10. Customer Responsibility

Edgee provides tools and configurations to support compliance, but our customers are responsible for:

• The content of prompts submitted through the Gateway, including any personal data they contain
• Determining the applicable legal basis for that data as data controller
• Selecting LLM Providers and reviewing their data processing terms
• Configuring debug mode, data residency, and privacy controls appropriately

11. Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes, we will communicate them prominently on our website. In addition, customers will be required to review and accept the updated Privacy Policy upon their next login to the Edgee dashboard in order to continue using our services.

12. Contact