Privacy Policy

Overview

BundleLLM is designed to minimize data collection. We do not store your AI conversations, API keys, or personal information. This policy explains what data flows through our systems and what stays entirely in your browser.

What We Don't Collect

• API keys — Your Provider API keys are stored in your browser's localStorage. They are never sent to BundleLLM servers.
• Conversations — All chat messages go directly from your browser to your AI Provider. We never see, store, or process your conversations.
• Personal information — We do not require account creation. We do not collect names, emails, or other personal data through the SDK.

What Flows Through Our Server

Our OAuth redirect handler (api.bundlellm.com) processes the following during Provider authentication:

• OAuth authorization codes — Temporary codes exchanged for API keys during the OAuth PKCE flow. These are used once and discarded immediately.
• PKCE state tokens — Random tokens stored in server memory for up to 5 minutes to prevent CSRF attacks. They contain no personal data and are deleted after use.
• Server logs — We log request method, path, status code, and timestamp for operational purposes. Logs do not contain API keys, conversation content, or personal identifiers.

After the OAuth exchange completes, the resulting API key is sent directly to your browser via the popup window. It is never stored on our server.

Browser Storage

The BundleLLM SDK stores the following in your browser's localStorage on the Site Owner's domain:

• Provider connection — Which Provider you connected (e.g., "openrouter") and your API key.

This data is stored as plaintext in localStorage. It is accessible to JavaScript running on the Site Owner's domain. You can clear it at any time by clicking "Disconnect" in the SDK widget, or by clearing your browser's site data.

Third-Party Providers

When you connect an AI Provider through BundleLLM, your interactions are governed by that Provider's privacy policy and terms of service. BundleLLM does not control how Providers handle your data, including whether they use your inputs for model training. You are responsible for reviewing your Provider's policies before connecting.

• OpenRouter Privacy Policy · Terms
• Anthropic Privacy Policy · Terms

BundleLLM is not a party to, and is not responsible for, any agreement between you and your Provider. Use of Provider services through BundleLLM does not imply endorsement or authorization by the Provider.

Site Owner Responsibilities

Site Owners who integrate the BundleLLM SDK may collect their own data on their websites. BundleLLM requires Site Owners to maintain their own privacy policy and to not intercept or store End Users' API keys. However, we cannot guarantee Site Owner compliance. End Users should review the privacy practices of each site they use.

Cookies

The BundleLLM SDK does not use cookies. The OAuth redirect handler does not set cookies. The BundleLLM website (bundlellm.com) may use cookies for analytics if implemented in the future, which would be disclosed here.

Children's Privacy

BundleLLM is not intended for use by children under 13. We do not knowingly collect data from children.

Data Retention

We do not retain any user data. OAuth state tokens are held in memory for a maximum of 5 minutes and then deleted. Server logs are retained for up to 30 days for operational purposes and contain no personal information.

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date.

Contact

Questions about this policy? Contact us at support@dewey-labs.com.