Vectorway

Privacy Policy

Vectorway is an agent-first LLM gateway. This policy explains what data we process when an agent (or the human operating it) signs in, pays, and uses our APIs.

Effective May 21, 2026 · CR3 Labs · operator of Vectorway · legal@vectorway.io

Contents

  1. Overview
  2. What we collect
  3. How we use data
  4. Long-term memory
  5. Payments & wallets
  6. Subprocessors
  7. Retention
  8. Your rights
  9. Security
  10. Children
  11. Changes
  12. Contact

01 Overview

Vectorway (the “Service”) is operated by CR3 Labs (“Vectorway,” “we,” “us”). We provide a per-token LLM gateway with wallet-scoped vector memory. Calls are billed either per request in USDC via the Coinbase x402 protocol, or per request from a prepaid credit balance authenticated with an API key (top-ups in USD via Stripe or in USDC via x402).

Our product is designed for autonomous agents. The minimum identifier we need is an Ethereum wallet address. We do not require an email address, a real name, or a phone number to use the API.

Plain-English summary. We log the wallet that signed in, the API calls it made, and the memories it asked us to store. We do not sell data, we do not train models on your traffic, and we delete what you ask us to delete unless we are legally required to keep it.

02 What we collect

Account & authentication

  • Wallet address. The Ethereum address (EOA or smart-contract account) you authenticate with via Sign-In With Ethereum (SIWE) or Privy.
  • SIWE message + signature. The nonce, issued-at, expiration, and signature used to prove control of the wallet. Stored for replay-protection and audit.
  • API keys. Salted hashes (never plaintext) for keys you mint from the dashboard or via /v1/auth/agent-onboard.
  • Cloudflare Turnstile token. Validated server-side on first sign-up to block automated abuse. The token itself is not stored after verification.

Usage telemetry

  • Per-request: timestamp, route, method, response status, latency, model selected, prompt/response token counts, and the credits debited.
  • Per-key: rolling counters used to enforce rate limits and to render the usage view in the dashboard.
  • Standard web logs: IP address, user-agent, and HTTP method, kept short-term for abuse mitigation and security investigations.

Content you submit

  • Prompts & completions. Sent to the underlying model provider (e.g. Google Gemini) to generate a response. We do not use your prompts or completions to train any model.
  • Memory writes. Anything you persist via the memory endpoints. See Long-term memory below.

Payment metadata

  • x402 / USDC. Transaction hash, paying address, amount, asset, and facilitator response. No card or bank data is involved.
  • Stripe (optional fiat top-ups). Stripe Checkout session id, last four digits of the card, country, and a billing email if you choose to provide one. Stripe is the controller of card data; we never see the full PAN.

Cookies & local storage

We use first-party local storage to keep your wallet session and dashboard preferences. We use cookies set by Privy and Vercel to keep you signed in and to route traffic. We do not use third-party advertising cookies.

03 How we use data

We process the data above to:

  • Authenticate you, mint and validate API keys, and bind credits to your wallet.
  • Route your prompts to the chosen model provider and return the completion.
  • Hand off card payments to Stripe and USDC payments to the Coinbase x402 facilitator, receive their confirmations, and credit your account accordingly. We do not move funds ourselves.
  • Run rate limits, fraud checks, and Turnstile gating on signup.
  • Operate the service: debug failures, restore from backups, and monitor uptime.
  • Comply with applicable law (tax, sanctions screening, lawful requests).

We do not use your prompts, completions, memory contents, or wallet activity to train, fine-tune, or evaluate any machine-learning model.

04 Long-term memory

Vectorway’s value proposition is wallet-scoped, vector-indexed recall across calls. When you use the memory endpoints we store the raw text you submitted (or a short summary of a chat turn, depending on the write mode you select) together with an embedding of that text, scoped to your wallet/API-key namespace.

  • Memory is isolated per account. Another customer cannot read or query into your namespace.
  • You can list, search, and delete entries through the API or the dashboard.
  • Memory is persisted in Redis with TLS in transit and at-rest encryption by the underlying provider.
  • Retention. Each entry has a rolling time-to-live (currently seven (7) days from the last write, set by the operator’s REDIS_MEMORY_TTL_SECONDS configuration). Entries are removed automatically when the TTL elapses; you can also delete an entry explicitly at any time. Treat the memory endpoints as a recall cache, not a system of record.
  • Do not write secrets, PII of other people, or regulated data (HIPAA, PCI primary account numbers, etc.) into memory. The Service is not designed or certified for those categories.

05 Payments & wallets

We do not process payments or hold funds. CR3 Labs does not custody crypto, does not store card data, and does not move money on your behalf. Card payments are processed by Stripe; USDC payments are settled by the Coinbase x402 facilitator and the underlying blockchain. We only see the metadata each of those third parties returns to us, plus the credit balance we keep in our own database.

USDC payments via x402

A wallet address is a pseudonymous public identifier, not an anonymous one. Anyone with the address can inspect its on-chain history. When you pay us in USDC via x402, the transfer happens directly between your wallet and our receiving address on a public blockchain (typically Base or another supported L2) through the Coinbase x402 facilitator. The transaction hash, paying address, amount, and asset are permanently recorded on-chain and we cannot delete them. From the facilitator we receive: transaction hash, paying address, amount, asset, network, and the facilitator’s verification response. We use that to credit your account.

Card / fiat payments via Stripe

Stripe, Inc. is the payment processor and an independent data controller for card transactions. Stripe collects and processes card data, billing address, fraud-screening signals, and (where applicable) tax-identification information under Stripe’s privacy notice. We never see or store your full card number, CVC, or bank credentials. From Stripe we receive only: the Checkout session id, the last four digits of the card, the card brand, the country of issue, the paid amount, and a billing email if you chose to share one. We use that to credit your account and to reconcile our books.

What that means for your data

  • We are not a money services business, money transmitter, exchange, or custodian, and we have no access to your funds at Stripe or to USDC in flight on-chain.
  • If you want a card transaction deleted or corrected at the processor level, contact Stripe; we cannot do that for you.
  • If you sent USDC by mistake, we can attempt a best-effort refund of the on-chain amount minus network fees, but we are bound by what the blockchain and the facilitator allow.

06 Subprocessors

We rely on the following third parties to operate the Service:

  • Vercel — hosting and edge runtime for the dashboard and API routes.
  • Redis Cloud (or self-managed Redis) — primary store for accounts, credits, API-key hashes, and vector memory.
  • Privy — wallet authentication and session management.
  • Google Gemini (and other model providers) — model inference for the routes you call. The selected provider receives only the prompt necessary to generate a response.
  • Coinbase x402 facilitator — verifies and settles USDC payments.
  • Stripe — optional fiat checkout for credit top-ups.
  • Cloudflare Turnstile — bot-resistance challenge on first sign-up.

We update this list when subprocessors change materially. The current list always lives at this URL.

07 Retention

  • Account record. Kept while your wallet has a non-zero credit balance, an active API key, or activity in the last 24 months. After that, it can be archived or deleted at your request.
  • API request logs. Stored as a per-wallet rolling list, currently capped at 2,000 newest events per wallet (operator-tunable via USAGE_LOG_CAP) with a 30-day TTL on the underlying Redis key. Older events fall off the cap or expire automatically; we do not maintain long-term per-request archives beyond that.
  • Credit-movement ledger. Per-wallet rolling list of grants, top-ups, refunds, and debits, capped at 100 newest entries (operator-tunable via REDIS_CREDITS_LEDGER_MAX).
  • Memory entries. Each entry has a rolling time-to-live, currently 7 days from the last write, set by the operator’s REDIS_MEMORY_TTL_SECONDS configuration. Entries are also removed when you delete them explicitly or your account is removed.
  • Payment records. Kept for the period required by tax and accounting law in our operating jurisdiction (typically 7 years).
  • On-chain settlements. Cannot be deleted; they live on the blockchain.

08 Your rights

Depending on where you live (GDPR, UK GDPR, CCPA/CPRA, and similar regimes), you may have the right to access, correct, export, restrict, or delete personal data we hold about you, and to object to certain processing.

Because the primary identifier we hold is a wallet address, the standard way to prove you are the data subject is to sign a verification message with that wallet. Email legal@vectorway.io from any address and we will reply with the message to sign.

We do not sell personal information and we do not share it for cross-context behavioral advertising.

09 Security

  • TLS 1.2+ for all client connections.
  • API keys are hashed before storage; we never display the full key after it is created.
  • Wallet-based auth means we never custody private keys or seed phrases.
  • Server-to-Redis traffic uses TLS where supported by the provider.
  • Secrets and signing keys live in Vercel environment variables; backend services run with least-privilege roles.

No system is perfectly secure. If you believe you have found a vulnerability, please email security@vectorway.io with reproduction steps and we will respond promptly.

10 Children

The Service is not directed to children under 13 (or under 16 where local law sets a higher age of consent). We do not knowingly process data from such users. If you believe a child has provided data to us, contact us and we will delete it.

11 Changes

We may update this policy as the Service evolves. Material changes will be reflected in the effective date above and, for logged-in users, surfaced in the dashboard. Your continued use of the Service after a change constitutes acceptance of the revised policy.

12 Contact

Questions, data-subject requests, or complaints: legal@vectorway.io.

Postal address available on request. If you are in the EEA or UK and we cannot resolve your complaint, you may contact your local supervisory authority.

Last updated May 21, 2026 · See also Terms of Service.
© 2026 CR3 Labs · Build: bd3323d