Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This is OpenRouter, Inc.'s privacy policy, covering how the company collects and uses personal data from users of the openrouter.ai website and its AI model routing service. The policy authorizes collection of user Inputs sent through the Service, device identifiers, IP addresses, browsing history, location data, and transaction details, and states that OpenRouter does not control how third-party AI model providers use those Inputs, including for model training. The policy also reserves the right to share personal data with advertising and analytics partners, service providers, and in connection with business transfers such as mergers or acquisitions.
This document is OpenRouter, Inc.'s Privacy Policy, last updated April 15, 2025, governing the collection, use, and disclosure of personal data across the openrouter.ai website, its Service, and third-party applications that link to this policy; the stated legal basis for processing is user consent established by continued use of the Site or Service. The policy authorizes collection of name, email address, mailing address, telephone number, user Inputs to the Service, transaction and Credits purchase details, search queries, IP address, operating system and browser type, location data, browsing history, and cookie-derived behavioral data across third-party sites and over time; the terms also authorize sharing with service providers, business partners, advertising and analytics partners, and in connection with corporate transactions such as mergers or acquisitions. The policy expressly disclaims responsibility for how third-party AI model providers handle user Inputs or Outputs, including for model training purposes, and reserves the right to modify the policy at any time without prior notice for non-material changes, with material changes communicated by email to registered users only. The policy references CCPA rights for California residents, including disclosure, deletion, and opt-out rights, and engages GDPR-relevant concepts such as data subject rights and cross-border data transfers, though specific transfer mechanisms are not detailed; applicability of these frameworks depends on user jurisdiction and the company's classification under each regime. Compliance teams should evaluate the adequacy of consent mechanisms under GDPR given that the policy relies on continued use as a consent signal, and should assess the scope of third-party AI provider data flows given the explicit disclaimer of responsibility for downstream handling of user Inputs.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Start Compliance free trial2 important changes detected
3 versions captured · Last updated: May 2026
This provision explicitly details automatic data collection of behavioral and device information, significantly expanding transparency about what data is automatically captured beyond just cookies.
This new provision explicitly discloses third-party cookies and cross-site tracking for behavioral purposes, which was previously only vaguely referenced in the general 'Cookies and Cross-Context Behavioral Advertising' provision.
This simplified CCPA provision removes the detailed enumeration of specific rights and instead defers to a separate CCPA privacy notice, potentially obscuring users' specific entitlements.
Removal of detailed CCPA rights enumeration reduces transparency in the main privacy policy about specific California resident protections previously disclosed.
Complete removal of GDPR rights disclosure for EEA and UK users eliminates transparency about statutory data protection rights in the main privacy policy document.
Removal of data retention provisions eliminates transparency about how long personal data is kept and under what circumstances.
Removal of explicit disclosure that user inputs containing personal data are collected eliminates transparency about personal data collection practices related to service usage.
Provision name changed from 'Disclaimer of Responsibility for LLM Provider Handling of User Inputs' to 'Disclaimer of Responsibility for Third-Party AI Provider Data Handling'; content remains identical.
Provision name changed from 'Retroactive Policy Modification Without Prior Notice' to 'Policy Modification Without Prior Notice'; content remains identical.
Language simplified and narrowed: previous version detailed specific scenarios (bankruptcy, receivership, asset transition) and mentioned 'sold or transferred,' while current version uses more general 'share' language and removes references to bankruptcy and service transitions.
Language refined: added 'vendors' and 'agents or contractors,' removed 'advertising services' and 'communicate with users' references, added explicit mention of sharing for 'products, services or promotions' with business partners.
Monitoring
OpenRouter has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Compliance free trialCross-platform context
See how other platforms handle Disclaimer of Responsibility for LLM Provider Handling of User Inputs and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.