Privacy Policy

Last updated: April 2026

1. Introduction

SBproxy ("we," "our," or "us"), operated by Soap Bucket, LLC, a California limited liability company, operates the SBproxy AI & API Gateway at SBproxy.dev and the managed platform at cloud.sbproxy.dev. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

By using our services, you agree to the collection and use of information described in this policy. If you do not agree, please do not use our services.

2. How We Act: Data Controller vs. Data Processor

SBproxy operates in two capacities depending on the data involved:

• Data Controller: For account information, workspace settings, billing data, and platform usage analytics. We determine the purposes and means of processing this data.
• Data Processor: For traffic that passes through your gateway endpoints, including API requests, AI prompts, model responses, and any data routed through your origins. You (the customer) are the data controller for this traffic, and we process it solely to provide the gateway service.

3. Information We Collect

3.1 Information You Provide

• Account Information: Name, email address, and password when you create an account
• Workspace Information: Workspace name, team member details, and role assignments
• Configuration Data: Origin configurations, security block settings, policy definitions, MCP endpoint configurations, and prompt templates
• Payment Information: Billing address and payment method details, processed securely through third-party payment processors
• Communication Data: Messages, feedback, and support requests you send to us
• Authentication Credentials: API keys, JWT signing keys, OAuth client secrets, and bearer tokens you create through the platform. These are stored encrypted and hashed as appropriate.

3.2 Information Collected Automatically

• Usage Data: How you interact with the management dashboard, including pages viewed and features used
• Device Information: IP address, browser type, operating system, and device identifiers
• Log Data: Server logs including access times, error messages, and API request metadata
• Analytics Data: Website usage statistics collected through Google Analytics

3.3 Gateway Traffic Data

When requests pass through your gateway endpoints, we may process:

• Request metadata: HTTP method, path, headers, IP address, and response status codes
• AI Proxy metadata: Model name, provider, token counts, and latency (for cost tracking and routing decisions)
• Cached content: Response bodies stored temporarily according to your caching configuration
• Security logs: WAF events, rate limiting triggers, and authentication outcomes

We do not inspect, log, or store the content of request or response bodies beyond what is necessary to execute your configured actions (proxy, cache, transform, etc.).

3.4 Marketing Communications

When you create an account or subscribe to our services, you are opted into occasional marketing emails about product updates, features, and company announcements. These emails are sent to the email address associated with your account. You may opt out of marketing communications at any time by:

• Clicking the "unsubscribe" link at the bottom of any marketing email
• Logging into your account and adjusting your email preferences
• Emailing us at privacy@soapbucket.com with a request to unsubscribe from marketing communications

Note: Opting out of marketing communications does not affect transactional emails such as billing notifications, security alerts, account updates, or technical support messages.

4. How We Use Your Information

• Provide, operate, and maintain the gateway platform
• Route API and AI traffic according to your configuration
• Execute security policies (WAF, rate limiting, authentication, PII detection)
• Cache and transform responses as configured
• Process payments and manage billing
• Send transactional and technical notices, updates, and support messages
• Send occasional marketing communications about product updates, features, and announcements (with easy opt-out)
• Respond to your questions and support requests
• Improve our services and develop new features
• Monitor and analyze usage trends and platform performance
• Detect, prevent, and address security threats and abuse
• Comply with legal obligations

5. What We Do Not Do

• We do not sell or rent your personal information
• We do not use your AI traffic (prompts, completions, embeddings) to train any machine learning models
• We do not combine one customer's gateway traffic with another customer's data
• We do not permit our service providers to use your data for their own marketing purposes
• SBproxy personnel do not view your routed traffic except when instructed by you, as necessary to resolve support issues, or for security and legal purposes

6. Legal Basis for Processing

We process your personal data based on:

• Contractual necessity: To provide our services under our Terms of Service
• Legitimate interests: To improve our services, ensure security, and prevent fraud
• Consent: For marketing communications and non-essential cookies
• Legal compliance: To meet regulatory requirements

7. Information Sharing and Disclosure

We may share your information in the following circumstances:

7.1 Service Providers (Sub-Processors)

• Cloud infrastructure: Hosting and storage providers
• LLM providers: When you configure AI Proxy routing, your requests are forwarded to the providers you select (e.g., OpenAI, Anthropic, Google). You are responsible for compliance with each provider's terms.
• Analytics: Google Analytics for website usage
• Payment processing: Stripe or other payment processors for billing

We require all sub-processors to maintain appropriate security measures and use your data only for the purposes we specify.

7.2 Other Circumstances

• Business transfers: In connection with mergers, acquisitions, or asset sales
• Legal requirements: When required by law, court order, or to protect our rights and safety
• With your consent: When you have given explicit consent

7.3 Data Processing Agreements

For enterprise customers or customers subject to GDPR, CCPA, or similar regulations who process personal data through our platform, we offer a standard Data Processing Agreement (DPA). This agreement clarifies the roles of data controller and processor, defines permitted sub-processors, and outlines data protection obligations. To request a DPA, contact us at privacy@soapbucket.com.

7.4 Sub-Processor List

We maintain a list of current sub-processors used in the delivery of our services. See our Sub-Processors page for details. We will notify customers at least 30 days in advance of any material changes to our sub-processor list.

8. Data Security

• Encryption in transit: All traffic encrypted using TLS
• Encryption at rest: Sensitive data (API keys, JWT private keys, OAuth secrets, callback secrets) encrypted at rest
• Credential hashing: API keys, bearer tokens, and passwords securely hashed
• Access controls: Role-based access within workspaces; limited internal access on a need-to-know basis
• Workspace isolation: Customer data is isolated at the workspace level
• Audit logging: All configuration changes and access events are logged

No method of transmission over the internet is 100% secure. While we implement strong security measures, we cannot guarantee absolute security.

8.1 Security Breach Notification

In the event of a confirmed security breach that results in unauthorized access to or disclosure of personal data, we will:

• Notify affected users and customers without undue delay, and in any case no later than 72 hours after confirming the breach (or as otherwise required by applicable law)
• Provide affected individuals with details about the type of personal data compromised, steps we are taking to address the breach, and recommended actions to protect themselves
• For EU/EEA customers, notify the relevant supervisory authority(ies) as required by GDPR
• For California residents, comply with CCPA breach notification requirements

9. Data Retention

• Account data: Retained while your account is active. After account closure, we retain personal information for up to 12 months to comply with legal obligations and resolve disputes, unless a longer retention period is required by law.
• Configuration data: Origin configurations, security blocks, prompt templates, and their version history are retained while your account is active. You may request deletion at any time through your account settings.
• Gateway traffic logs: Request metadata (method, path, headers, status codes, timestamps) is retained for 30 - 90 days depending on your plan tier. Full request/response body logging is only retained as configured by you.
• Cached content: Retained according to the cache TTL (time-to-live) settings you configure. Content is automatically evicted when TTL expires.
• Audit logs: Security and configuration audit logs are retained for a minimum of 12 months for compliance and investigation purposes.
• Analytics data: Website analytics (Google Analytics) are retained according to Google's retention policies (typically 14 months).
• Support and communications: Messages, support tickets, and feedback are retained for up to 24 months unless you request earlier deletion.

10. Your Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your personal data
• Portability: Receive your data in a structured, machine-readable format
• Restriction: Limit how we process your data
• Objection: Object to certain types of processing
• Withdraw consent: Where processing is based on consent
• Opt-out: Opt out of the sale of personal information (California residents)

To exercise these rights, contact us at privacy@soapbucket.com. We will respond within 30 days, or as required by applicable law.

10.1 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

10.2 European Economic Area, UK, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation, including the rights listed above. For questions about data processing or to lodge a complaint, you may contact your local supervisory authority.

11. International Data Transfers

Our services are hosted in the United States. If you access our services from outside the US, your information may be transferred to and processed in the United States. We ensure appropriate safeguards are in place for such transfers, including standard contractual clauses where applicable.

12. Children's Privacy

Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

13. Cookies

We use cookies and similar technologies to enhance your experience. For detailed information, see our Cookie Policy.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, updating the "Last updated" date, and where appropriate, notifying you by email.

15. Contact Us