OpenRouter states it is not responsible for what happens to the text or data you send to AI models through the platform, including whether those models use your inputs for training. Users need to check each AI provider's own terms separately.
This analysis describes what OpenRouter's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy discloses that user Inputs submitted through the OpenRouter service are transmitted to third-party LLM providers whose data practices, including model training use, are outside OpenRouter's control and governed by separate terms not incorporated into this policy.
Users who submit personal, sensitive, or proprietary content through OpenRouter may have that content processed by downstream AI model providers under terms and conditions that differ from OpenRouter's privacy policy, including potential use for model training, depending on each provider's practices.
How other platforms handle this
Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...
For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.
Depending on your location, you may have certain rights regarding your personal data, including the right to access, correct, delete, or port your data. EU and UK users may also have the right to object to or restrict certain processing. California residents may have the right to know, delete, corre...
Monitoring
OpenRouter has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We do not control, and are not responsible for, LLMs' handling of your Inputs or Outputs, including for use in their model training. To understand how your Inputs are used by AI models, check the terms of the providers here.— Excerpt from OpenRouter's OpenRouter Privacy Policy
1. REGULATORY LANDSCAPE: For organizations subject to GDPR, this provision raises questions about processor and sub-processor obligations under GDPR Article 28, particularly whether OpenRouter has entered into adequate data processing agreements with downstream LLM providers. CCPA's service provider framework similarly requires contractual restrictions on how shared data is used. Where Inputs contain health information, HIPAA may also be relevant depending on the nature of the data. 2. GOVERNANCE EXPOSURE: High. The provision explicitly disclaims responsibility for downstream provider data practices, creating a gap between OpenRouter's contractual obligations and the actual data processing chain. For enterprise API users submitting third-party personal data, this creates direct compliance exposure if downstream providers use that data in ways inconsistent with the original collection purpose. 3. JURISDICTION FLAGS: EU and UK organizations using the API are most exposed, as GDPR requires documented sub-processor agreements and the ability to audit the full processing chain. California businesses subject to CCPA should confirm that downstream providers operate under service provider agreements with appropriate use restrictions. 4. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request confirmation that OpenRouter has executed data processing agreements with each LLM provider in its routing network, and should review those provider-specific terms referenced in the policy. The clause as drafted does not assert any contractual obligation on providers regarding user data. 5. COMPLIANCE CONSIDERATIONS: Organizations transmitting personal data through the OpenRouter API should conduct a data mapping exercise covering each downstream provider, and should evaluate whether DPAs or equivalent contractual protections are in place. Users handling regulated data categories (health, financial, biometric) should exercise particular caution and assess whether use of the service is consistent with applicable data protection obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy discloses that user Inputs submitted through the OpenRouter service are transmitted to third-party LLM providers whose data practices, including model training use, are outside OpenRouter's control and governed by separate terms not incorporated into this policy.
Users who submit personal, sensitive, or proprietary content through OpenRouter may have that content processed by downstream AI model providers under terms and conditions that differ from OpenRouter's privacy policy, including potential use for model training, depending on each provider's practices.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenRouter.