How reAPI collects, uses, and stores your data when you use our AI API aggregator.
2026/05/05
Last updated: May 5, 2026
reAPI ("we", "us", "our") operates a unified API gateway that lets you call third-party AI generation models through a single OpenAI-compatible endpoint. This Privacy Policy explains what we collect, how we use it, and the choices you have.
When you create an account, we record the email address and, for OAuth sign-in, the identity returned by GitHub or Google. For email/password sign-in we store a salted password hash; we never store the raw password.
Payments are processed by Stripe. We do not see or store card numbers or bank details. We retain the Stripe customer ID, the products you purchased, the amount, and an invoice reference so we can show your billing history and reconcile credit balances.
For every API request we record: a request ID, the account or API key that made it, the model invoked, the endpoint, the credit cost, the resulting status, and an error code on failure. We do not retain the request body. Prompts, reference images, masks, and any other content you send through our endpoints are forwarded to the upstream provider and discarded. This is enforced in the gateway code, not just policy.
Outputs returned by upstream providers (images, video, audio) are mirrored to Cloudflare R2 so the URLs you receive remain stable after the upstream provider's CDN link expires. These objects are reachable by anyone with the URL. If you want a generated asset removed, contact us and we will delete it.
See our Cookie Policy. In short: we set a session cookie for authentication, a CSRF cookie for dashboard actions, and (when those features are enabled) cookies for chat support and bot mitigation. We do not use advertising or cross-site tracking cookies.
We use the data above to:
We do not sell your data, and we do not use your prompts or your generated content to train any model.
We share the minimum necessary data with the following service providers:
| Provider | Purpose | Data shared |
|---|---|---|
| Upstream model providers (e.g. OpenAI, ByteDance) | Forwarding generation requests | Request body, for the duration of the task |
| Stripe | Payment processing | Email, name, payment method, billing address |
| Cloudflare (R2 storage and CDN) | Hosting generated content and static assets | Generated images/video/audio under your task ID |
| Resend | Transactional and newsletter email | Email address, message content |
| GitHub / Google | OAuth sign-in | Identity token, email |
We periodically add or replace upstream model providers as the catalog evolves; this list reflects the current set.
| Data | Retained for |
|---|---|
| Account data | Until you delete your account |
| Payment records | 7 years (tax and accounting requirement) |
| API usage metadata (request id, model, credits, status) | 30 days |
| Generated content in R2 | 30 days, unless you delete it sooner |
| Request bodies (prompts, images, masks) | Not retained — discarded after upstream delivery |
You can:
If you reside in the EU, UK, or California, you have additional rights under the GDPR / UK GDPR / CCPA. We will honor lawful access, rectification, and erasure requests.
reAPI is not directed at children under 16. If you believe a child has signed up, contact us and we will remove the account.
If we change how we collect or use your data, we will update this page and email account holders before the change takes effect.
Questions? Reach us at our contact page.