Privacy Policy

This Privacy Policy describes how Inferfly ("Inferfly", "we", "us", or "our") collects, uses, stores, and protects information when you use our managed LLM inference platform, website (inferfly.ai), APIs, dashboards, and related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

Inferfly is a sole proprietorship registered in India. We provide managed GPU inference endpoints for open-source large language models, offering OpenAI-compatible APIs, monitoring, and deployment management to businesses, developers, and researchers.

3.1 Account Information

When you create an Inferfly account, we collect:

• Full name
• Email address
• Company or organisation name (if applicable)
• Country of residence or incorporation
• Password (stored only in hashed form)

3.2 Billing and Payment Information

Payments are processed by our Merchant of Record, Dodo Payments, which handles all payment instrument data (credit/debit cards, UPI, bank transfers), invoicing, tax collection (including Indian GST), and cross-border settlement on our behalf. Inferfly does not directly collect, store, or process your payment card numbers, bank account details, or UPI IDs. We receive from Dodo Payments only the information necessary to associate payments with your account: transaction identifiers, payment status, invoice amounts, billing address, and tax identifiers (e.g., GSTIN) where applicable.

For details on how Dodo Payments handles your payment data, please refer to Dodo Payments' own privacy policy.

3.3 API and Deployment Data

When you use the Service, we collect and process:

• API request metadata: Timestamps, request and response token counts, model identifiers, deployment IDs, HTTP status codes, latency measurements, and rate-limiting counters.
• API keys: We store cryptographic hashes (SHA-256) of your API keys. We do not store your API keys in plaintext after initial generation.
• Deployment configuration: Model selection, GPU type, tensor parallelism settings, quantisation preferences, maximum context length, and scaling parameters you configure.
• Infrastructure telemetry: GPU utilisation, VRAM usage, request throughput, time-to-first-token, inter-token latency, queue depth, and other performance metrics collected via Prometheus and vLLM's metrics endpoints.

3.4 Inference Payloads

We do not log, store, inspect, or train on the content of your inference requests or responses. Prompts and completions pass through our routing infrastructure (Cloudflare Workers) and are forwarded to your dedicated vLLM endpoint. Once the request is served, no copy of the payload is retained by Inferfly.

The sole exception is if you explicitly opt in to a feature that requires payload logging (e.g., a future request logging or evaluation feature), in which case we will obtain your separate, informed consent and clearly disclose the scope and retention period.

3.5 Open WebUI Data (if applicable)

If you purchase a managed Open WebUI instance as an add-on, the chat history, user preferences, and uploaded files within that instance are stored on infrastructure provisioned for your account. Inferfly does not access or process the contents of your Open WebUI instance except as necessary to provide the service (e.g., backups, infrastructure maintenance) or as directed by you.

3.6 Website and Analytics Data

When you visit inferfly.ai, we collect data through cookies and similar technologies, including via Google Analytics (see Section 9 for full details). Subject to your cookie consent preferences, we may collect:

• IP address (anonymised via Google Analytics' IP anonymisation feature)
• Browser type and version
• Operating system
• Device category and screen resolution
• Referring URL and traffic source
• Pages visited and time spent
• Approximate geographic location (country/region level, derived from IP address)
• Cookies and similar identifiers (see Section 9)

3.7 Communications

If you contact us via email, support channels, or forms on the website, we collect the content of those communications along with your contact details, for the purpose of responding to your enquiry.

We use the information described above for the following purposes:

• Providing and operating the Service: Provisioning deployments, routing API requests, authenticating access, enforcing rate limits, and delivering inference responses.
• Billing and invoicing: Coordinating with Dodo Payments to process payments, generate invoices, and manage subscriptions.
• Monitoring and reliability: Collecting infrastructure telemetry to ensure uptime, diagnose performance issues, and optimise resource allocation.
• Usage metering: Tracking token consumption, request counts, and compute hours for accurate billing.
• Security: Detecting and preventing unauthorised access, abuse, fraud, and denial-of-service attacks.
• Communication: Sending transactional emails (account verification, billing receipts, service alerts) and, with your consent, product updates or marketing communications.
• Product improvement: Analysing aggregate, anonymised usage patterns to improve platform reliability, feature prioritisation, and capacity planning. We never use inference payload content for this purpose.
• Legal compliance: Meeting obligations under applicable laws, including responding to lawful requests from authorities.

Depending on your jurisdiction, our legal bases for processing personal data include:

• Performance of a contract: Processing necessary to provide the Service you have subscribed to.
• Legitimate interests: Platform security, fraud prevention, infrastructure optimisation, and aggregate analytics, where these interests are not overridden by your data protection rights.
• Consent: Where required (e.g., marketing communications, optional payload logging features).
• Legal obligation: Where processing is required to comply with applicable law.

We do not sell your personal data, and we do not share personal data for cross-context behavioural advertising. We share information only in the following circumstances:

6.1 Infrastructure and Service Providers

We use the following categories of third-party providers to operate the Service. Each provider receives only the minimum data necessary for its function:

6.2 Legal and Regulatory Disclosures

We may disclose information if required by law, regulation, legal process, or governmental request, or where necessary to protect the rights, property, or safety of Inferfly, our users, or the public.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

Inferfly's primary infrastructure is hosted in data centres operated by our GPU and cloud providers, which may be located in various regions including the United States, Europe, and India.

• If you have specific data residency requirements (e.g., data must remain within India), please contact us. We offer deployment options on Indian GPU cloud providers to accommodate strict data residency needs.
• Where personal data is transferred across borders, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms recognised under applicable law.

We retain your information for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account data: Retained for the duration of your account and for a reasonable period afterward to comply with legal, tax, and accounting obligations.
• API request metadata and metering data: Retained for up to 90 days in detailed form for billing reconciliation and debugging, and in aggregated/anonymised form for longer periods for capacity planning.
• Infrastructure telemetry: Retained for up to 30 days at full resolution, and in downsampled or aggregated form for up to 12 months.
• Inference payloads: Not retained (see Section 3.4).
• Communications: Retained for as long as necessary to resolve your enquiry, plus a reasonable archival period.

Upon account deletion, we will remove or anonymise your personal data within 90 days, except where retention is required by law.

Our website (inferfly.ai) uses cookies and similar technologies (such as pixel tags and local storage) to operate the site, understand usage patterns, and improve your experience. This section explains what cookies we use, why, and how you can control them.

9.1 Types of Cookies We Use

Essential cookies. These are strictly necessary for the website to function. They handle session management, authentication state, and security features such as CSRF protection. You cannot opt out of essential cookies without impairing core site functionality.

Analytics cookies. We use Google Analytics (provided by Google LLC) to collect anonymised, aggregate data about how visitors interact with our website. Google Analytics uses cookies to gather information such as pages visited, time on site, bounce rate, traffic sources, approximate geographic location (country/region level, derived from IP address), browser type, device category, and screen resolution. We have configured Google Analytics with the following privacy-oriented settings:

• IP anonymisation is enabled, meaning your full IP address is not stored by Google.
• We do not enable Google Signals, User-ID tracking, or any feature that links analytics data to individual Google accounts.
• We do not enable advertising features, remarketing, or demographic/interest reporting within Google Analytics.
• Analytics data is retained for the minimum period supported by Google Analytics configuration settings.

We integrate Google Analytics using Google Consent Mode, which signals your choice to Google before analytics storage is used: analytics storage remains denied until you opt in through our cookie banner, and advertising-related consent types are set to denied to align with our configuration (we do not use GA for ads or remarketing).

Google may process this data on servers located outside your country of residence, including in the United States. For more information on how Google handles data collected through Analytics, refer to Google's Privacy Policy and the Google Analytics data practices documentation.

We do not use advertising cookies, remarketing pixels, or tracking technologies for the purpose of serving ads. Inferfly does not display advertisements on any of its properties and does not participate in advertising networks.

9.2 Cookie Consent

When you first visit inferfly.ai, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies (including analytics cookies). Your preference is stored and respected for subsequent visits.

• If you decline analytics cookies, Google Analytics will not be loaded and no analytics data will be collected from your session.
• You may change your cookie preferences at any time by clearing your browser cookies and revisiting the site, or by using the cookie preferences link in the website footer.

9.3 Global Privacy Control and Do Not Track

If your browser transmits a Global Privacy Control (GPC) signal or similar opt-out preference signal, we will treat it as an opt-out of non-essential cookies, including analytics cookies, to the extent required by applicable law.

We also respect the "Do Not Track" (DNT) browser signal where technically feasible.

9.4 Managing Cookies via Your Browser

Most browsers allow you to block or delete cookies through their settings. Please note that disabling essential cookies may prevent parts of the website from functioning correctly. For instructions on managing cookies, consult your browser's help documentation.

We implement technical and organisational measures to protect your information, including:

• API key hashing (SHA-256) with no plaintext storage post-generation
• Encryption in transit (TLS) for all API and web traffic
• Network-level isolation of customer deployments
• Role-based access controls for internal systems
• Regular security reviews and infrastructure monitoring via AWS GuardDuty, CloudTrail, and related services

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Portability: Request your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests.
• Withdraw consent: Where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, please contact us at the details in Section 14. We will respond within the timeframe required by applicable law (typically 30 days).

11.1 India-Specific Rights (Digital Personal Data Protection Act, 2023)

For individuals whose personal data is processed under the Digital Personal Data Protection Act, 2023 (DPDP Act):

• You have the right to access information about the personal data being processed and a summary of processing activities.
• You have the right to correction, completion, and erasure of your personal data.
• You have the right to grievance redressal. Our Grievance Officer (see Section 14) will acknowledge your grievance and resolve it within the timeframes prescribed under the DPDP Act.
• You have the right to nominate another individual to exercise your rights in the event of your death or incapacity.

We will obtain your consent before processing personal data where required under the DPDP Act, and such consent may be withdrawn at any time.

11.2 United States Privacy Rights

The United States does not have a single federal comprehensive privacy law. Instead, privacy is governed by a growing patchwork of state-level legislation. As of 2026, approximately twenty U.S. states have enacted comprehensive consumer privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and laws in states such as Oregon, Texas, Delaware, Maryland, Indiana, Kentucky, Rhode Island, and others.

Applicability. Many of these laws apply only to businesses that meet specific thresholds (e.g., the CCPA generally applies to for-profit businesses with annual gross revenue exceeding approximately $26.6 million, or that buy, sell, or share the personal information of 100,000 or more state residents, or that derive 50% or more of revenue from selling personal information). While Inferfly may not currently meet all such thresholds, we extend the following rights to all U.S.-based users as a matter of good practice and transparency.

Your rights under U.S. state privacy laws. Depending on the state in which you reside, you may have some or all of the following rights:

• Right to know/access: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the business purposes for collection, and the categories of third parties with whom it has been shared.
• Right to delete: Request that we delete personal information we have collected from you, subject to certain exceptions (e.g., completing a transaction, detecting security incidents, complying with legal obligations).
• Right to correct: Request correction of inaccurate personal information.
• Right to opt out of sale or sharing: You have the right to opt out of the "sale" or "sharing" of your personal information as those terms are defined under applicable state law. Inferfly does not sell your personal information. We do not share personal information for cross-context behavioural advertising.
• Right to limit use of sensitive personal information: Where applicable, request that we limit our use of sensitive personal information to what is necessary to provide the Service.
• Right to data portability: Request your personal information in a portable, readily usable format.
• Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.

Universal Opt-Out Mechanisms. Multiple U.S. states now require businesses to honour Universal Opt-Out Mechanisms such as the Global Privacy Control (GPC) signal. If your browser or device transmits a GPC or similar opt-out preference signal, we will treat it as a valid opt-out request for the sale or sharing of personal information to the extent required by applicable law.

Authorised agents. In certain states, you may designate an authorised agent to submit privacy requests on your behalf. We may require verification of both the agent's authority and your identity before processing such requests.

Submitting requests. To exercise any of the rights described above, please contact us at privacy@inferfly.ai. We will verify your identity and respond within the timeframe required by applicable law (typically 45 days under CCPA/CPRA, with the possibility of a 45-day extension where necessary).

Categories of personal information collected. For the purposes of the CCPA/CPRA, the categories of personal information we may collect include: identifiers (name, email, IP address), commercial information (transaction and billing records), internet or electronic network activity (API request metadata, website usage data), geolocation data (derived from IP address, at a general level), and professional or employment-related information (company name, role, where provided). We do not collect or process biometric information, and we do not process inference payload content (see Section 3.4).

Disclosure of data practices. In the preceding 12 months:

• We have collected the categories of personal information described in Section 3 of this Privacy Policy.
• We have disclosed personal information to the categories of service providers described in Section 6.1 for the business purposes described in Section 4.
• We have not sold personal information.
• We have not shared personal information for cross-context behavioural advertising.

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take steps to delete such information.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on our website with a revised "Last updated" date, and where appropriate, by email or in-dashboard notification.

Your continued use of the Service after such changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to raise a grievance, please contact:

Inferfly
Email: privacy@inferfly.ai

Grievance Officer (for DPDP Act purposes):
Email: legal@inferfly.ai

You can also contact us through our general enquiry form.

• Entity: Inferfly, registered in India
• Applicable laws: Information Technology Act, 2000 (India); Digital Personal Data Protection Act, 2023 (India, obligations activating progressively); California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) and other applicable U.S. state comprehensive privacy laws; and applicable data protection laws of other jurisdictions in which our users are located.
• Merchant of Record: Dodo Payments (responsible for payment data processing, tax compliance, and cross-border settlement).