Privacy Policy

Last updated: April 2026 — Laeka, operating Sherlock.cx

1. Who we are

Sherlock.cx is an API cost intelligence product operated by Laeka. We help developers and teams understand and optimize their AI API spending. Questions or requests can be sent to support@sherlock.cx.

2. Data we collect

  • Account information: email address, provided at signup via Clerk.
  • API usage metadata: model name, token counts, inferred cost, and timestamps — pulled from your connected API provider(s).
  • Payment information: billing details are processed and stored exclusively by Stripe. We never see or store raw card data.
  • API keys: encrypted at rest using AES-256-GCM. Keys are never logged, never exposed in plain text, and never transmitted to third parties.

3. Authentication

Authentication is handled by Clerk (clerk.com), a third-party auth provider. Clerk manages session lifecycle, OAuth flows (Google, GitHub), and secure session cookies. We do not store passwords. Clerk's own privacy policy applies to data processed through its service.

4. How we use your data

  • To display your API usage dashboards and cost breakdowns.
  • To power alerts and budget thresholds you configure.
  • To process payments and manage your subscription via Stripe.
  • To send transactional emails (billing, account notices) — no marketing without consent.

5. Watson AI assistant

Watson is our in-app AI assistant. Conversations with Watson are processed via OpenRouter (routing to Claude / Anthropic models). Messages are sent to the model to generate responses and are not stored permanently beyond your active session. We do not use Watson conversations for training or profiling.

6. Data storage

Your data is stored in Supabase (hosted PostgreSQL, eu-west region by default). Supabase acts as a data processor on our behalf and does not use your data for its own purposes.

7. Cookies

We use only session cookies set by Clerk for authentication. No third-party tracking cookies, no advertising cookies, no analytics fingerprinting.

8. Data retention

Usage logs and account data are retained while your account is active. On account deletion, all associated data is removed via cascade — including usage records, API key references, and alert configurations. Stripe retains billing records as required by financial regulations.

9. We do not sell your data

We do not sell, rent, or share your personal data with third parties for commercial purposes. Ever.

10. Your rights (GDPR)

If you are in the EU or UK, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and data — available directly in Settings, or by contacting support.
  • Export your data — contact us at support@sherlock.cx.
  • Object to or restrict certain processing.

We will respond to verified requests within 30 days.

11. Security

API keys are encrypted using AES-256-GCM before storage. Access to production infrastructure is restricted and audited. We follow current security best practices and will notify affected users promptly in the event of a data breach.

12. Changes to this policy

We may update this policy as the product evolves. Significant changes will be communicated by email or in-app notice. Continued use after the effective date constitutes acceptance.

13. Contact

For any privacy-related questions, requests, or concerns: support@sherlock.cx