Privacy Policy
Last Updated: 17 December 2025
MapleAI ("we", "us", or "our") is committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our API service (the "Service").
1. Data Controller
MapleAI acts as the data controller for the personal data collected through our Service. If you have any questions about how we handle your data, you can contact us at:
Email: [email protected]
2. Data We Collect
We follow the principle of data minimization and only collect the minimum amount of data necessary to provide our Service.
A. Data You Provide
Account Data: Username and a securely hashed password. We do not collect your email address, real name, or any other identifying information.
Payment Data: Payment transactions are processed by our payment processors (Stripe, PayPal, CryptAPI). We only store transaction IDs necessary to manage your subscription. We never store credit card numbers, bank details, or cryptocurrency wallet addresses.
B. Data Collected Automatically
API Usage Metadata: We log only the timestamp of API requests for rate limiting purposes. We do not log the content of your prompts, responses, IP addresses, or any other request data.
Session Cookies: We use strictly necessary cookies to maintain your login session. These cookies are essential for the Service to function and cannot be disabled.
C. Data We Do NOT Collect
- Email addresses
- Real names or personal identifiers
- IP addresses (except transiently by Cloudflare for security)
- API request content (prompts and responses)
- Tracking or analytics cookies
- Device fingerprints
3. Lawful Basis for Processing
Under GDPR Article 6, we process your personal data based on the following lawful bases:
Contract Performance (Art. 6(1)(b)): Processing your account data and payment information is necessary to provide you with the Service you have requested.
Legitimate Interest (Art. 6(1)(f)): We process usage metadata to maintain service security, prevent abuse, and enforce rate limits. This processing is necessary for our legitimate interest in operating a secure and fair service.
Legal Obligation (Art. 6(1)(c)): We may retain certain data to comply with legal obligations, such as tax and accounting requirements.
4. How We Process API Requests
This section explains how your AI prompts are handled.
When you make an API request, we act as an intermediary, routing your request to third-party AI providers. Your request content (prompts, text, conversation history) is:
- Processed in-memory only by MapleAI
- Never stored on our servers
- Never logged or retained by us
- Passed directly to the AI provider and returned to you
However, our third-party AI providers may process and retain your data according to their own policies. We use the following providers:
5. Data Sharing
We do not sell your personal data. We only share data with third parties when necessary to provide the Service:
AI Providers: API request content is shared with the providers listed above to generate AI responses.
Payment Processors: Payment data is processed by Stripe, PayPal, and CryptAPI.
Security Provider: Cloudflare provides DDoS protection and may transiently process IP addresses.
Legal Requirements: We may disclose data if required by law, court order, or to protect our legal rights.
6. International Data Transfers
Our servers are located in Germany, within the European Economic Area (EEA). When we transfer data to providers outside the EEA (such as US-based AI providers), we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework certifications
- Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
7. Data Retention
We retain your data for the minimum period necessary:
Account Data: Retained until you delete your account.
Usage Logs: API request timestamps are retained for 30 days for rate limiting, then automatically deleted.
Payment Records: Transaction IDs are retained for 7 years to comply with tax and accounting laws.
API Request Content: Not retained. Processed in-memory only.
8. Your Rights Under GDPR
As a data subject, you have the following rights under GDPR. You can exercise these rights by contacting us at [email protected] or through your dashboard:
Right of Access (Art. 15): Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16): Request correction of inaccurate data.
Right to Erasure (Art. 17): Request deletion of your account and all associated data. You can do this directly from your dashboard settings.
Right to Restriction (Art. 18): Request that we limit how we process your data.
Right to Data Portability (Art. 20): Request your data in a machine-readable format. You can export your data from your dashboard.
Right to Object (Art. 21): Object to processing based on legitimate interests.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
Right to Lodge a Complaint: If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority. For Germany, this is the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI).
9. Cookies
We only use strictly necessary cookies required for the Service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| session | Maintains your login session | Session |
| cf_clearance | Cloudflare security verification | 30 minutes |
We do not use analytics, advertising, or tracking cookies. No consent banner is required for strictly necessary cookies under GDPR.
10. Security Measures
We implement appropriate technical and organizational measures:
- Passwords are hashed using bcrypt
- All connections are encrypted via TLS/HTTPS
- DDoS protection via Cloudflare
- Regular security reviews
- Minimal data collection by design
11. Children's Privacy
Our Service is not directed to children under 13. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of significant changes by posting a notice on our website. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. MapleBot Discord Service
This section applies only to the MapleBot Discord bot. MapleBot is a completely separate service from the MapleAI API, with different data handling practices.
Data We Collect (MapleBot Only)
Unlike the MapleAI API, MapleBot stores your conversations. When you use MapleBot, we collect:
- Discord User ID - To identify your conversations
- Conversation History - Your messages and AI responses are stored to enable persistent conversations
- Model Preferences - Your selected AI model
- System Prompts - Custom prompts you configure
- Server IDs - Discord servers where you use the bot
Data Retention (MapleBot)
MapleBot conversation data is stored indefinitely to provide persistent conversation history. You can delete your data at any time using the bot's reset commands, or by contacting us with your Discord User ID.
Ban Lists
We maintain lists of banned Discord User IDs and Server IDs to enforce our Acceptable Use Policy. If banned, your Discord ID is stored in our ban list.
No Connection to MapleAI API
MapleBot data is completely separate from the MapleAI API. Your MapleBot conversations are not linked to any MapleAI API account, and the API's no-logging policy does not apply to MapleBot.
14. Contact Us
For any privacy-related questions, requests, or complaints, contact us at:
Email: [email protected]
We aim to respond to all requests within 30 days, as required by GDPR.