1. Information We Collect
Viapi collects information necessary to provide our API gateway and billing services:
- Account Data: Email address, firm name, billing contact information provided during registration.
- API Usage Data: Request metadata including token counts, model used, provider, latency, and timestamps. We do NOT store request or response content (prompts/completions).
- Billing Data: Usage aggregations, cost calculations, invoice records, and payment status.
- API Keys: Provider API keys are encrypted at rest using AES-256-GCM and decrypted only in-memory during proxy requests.
2. How We Use Your Information
- Proxy API requests to LLM providers on your behalf
- Calculate and track usage costs for billing
- Generate and deliver invoices
- Provide dashboards and usage analytics
- Enforce rate limits and spending caps
- Send budget alerts and notifications
3. Data Security
We employ industry-standard security measures:
- AES-256-GCM encryption for all stored API keys
- HTTPS enforced on all endpoints
- Row-Level Security (RLS) on all database tables for tenant isolation
- HMAC-SHA256 signed webhook deliveries
- Structured logging with automatic redaction of sensitive fields
- Provider API keys are never logged or included in error responses
4. Data Retention
Usage logs are retained for 12 months. Invoices and billing records are retained indefinitely. You may request deletion of your account and associated data at any time by contacting support.
5. Third-Party Services
Viapi integrates with the following third-party services to provide our platform:
- LLM Providers (OpenAI, Anthropic, Google, xAI) — API requests are forwarded using your configured provider keys
- Supabase — Authentication and database hosting
- Resend — Transactional email delivery for invoices and alerts